SELinux security alert keeps flashing and makes fedora useless

SELinux security alert keeps flashing
at the top of the screen
and disrupts the function of the system,
so much that
I cannot use
fedora 41 workstation!

I have no idea what
iii-sensor-prox
does,
If it is dangerous, or useful.

Plugin catchall (100. confidence) suggests   **********************

If you believe that iio-sensor-prox should be allowed create access on unix_dgram_socket labeled iiosensorproxy_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'iio-sensor-prox' --raw | audit2allow -M my-iiosensorprox
# semodule -X 300 -i my-iiosensorprox.pp

Additional Information:
Source Context                system_u:system_r:iiosensorproxy_t:s0
Target Context                system_u:system_r:iiosensorproxy_t:s0
Target Objects                Unknown [ unix_dgram_socket ]
Source                        iio-sensor-prox
Source Path                   iio-sensor-prox
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.24-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.24-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.11.7-300.fc41.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Nov  8 19:23:10 UTC 2024
                              x86_64
Alert Count                   240
First Seen                    2024-11-11 16:50:41 EET
Last Seen                     2024-11-11 16:59:33 EET
Local ID                      e3820aba-cf61-40a1-be33-4a092aecb5ad

Raw Audit Messages
type=AVC msg=audit(1731337173.637:534): avc:  denied  { create } for  pid=836 comm="iio-sensor-prox" scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=unix_dgram_socket permissive=0


Hash: iio-sensor-prox,iiosensorproxy_t,iiosensorproxy_t,unix_dgram_socket,create

Added f41, selinux

Looks like it’s related to a sensor connected with automatic screen rotation - apparently if you don´t use the screen rotation you can just block the sensor and be done:
https://www.reddit.com/r/Fedora/comments/1ggmfix/automatic_screen_rotation_no_longer_works_in/

1 Like

How can I block this sensor?

According to a redditor (Reddit - Dive into anything)

You can stop and disable it with:

$ sudo systemctl stop iio-sensor-proxy.service
$ sudo systemctl disable iio-sensor-proxy.service

and since a disabled service can still be started by other services that depend on it, I would also mask it as well:

$ sudo systemctl mask iio-sensor-proxy.service

this will make a symlink from the unit file to /dev/null.

2 Likes

thanks for your immediate response!

[the problem was very irritating]

1 Like

Since about forever on Fedora, systemctl has supported the “--now” option:

$ sudo systemctl --now disable iio-sensor-proxy.service

That way you can do the “stop” and “disable” in one command

Of course the other option would be the two commands:

$ sudo systemctl stop iio-sensor-proxy.service
$ sudo systemctl mask iio-sensor-proxy.service

I don’t believe the “--now” works with mask so you’d do the stop and then mask afterwards like shown above

Bugs for reference:
https://bugzilla.redhat.com/show_bug.cgi?id=2319766
https://bugzilla.redhat.com/show_bug.cgi?id=2324181