Waydroid doesn't launch, SELinux alerts

Hello, I’m new to Fedora and just installed v42 a couple of days ago. Looking for an Android emulator, I installed Waydroid 1.51-2 from the store (Fedora packages) and put the URLs in the OTA fields, and it seems it downloaded the image with no problems, but when I open the app (through its icon or via Konsole), multiple SELinux alerts show up. The notification is too quick to check, but all of them show the same alert:

SELinux is preventing nft from read access on the directory fd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nft should be allowed read access on the fd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nft' --raw | audit2allow -M my-nft
# semodule -X 300 -i my-nft.pp

Additional Information:
Source Context                system_u:system_r:iptables_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                fd [ dir ]
Source                        nft
Source Path                   nft
Port                          <Unknown>
Host                          host
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-41.37-1.fc42.noarch
Local Policy RPM              selinux-policy-targeted-41.37-1.fc42.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hostname
Platform                      Linux hostname 6.14.2-300.fc42.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu Apr 10 21:50:55 UTC 2025
                              x86_64
Alert Count                   5842
First Seen                    2025-04-20 10:52:03 EDT
Last Seen                     2025-04-20 23:03:44 EDT
Local ID                      70f6f9c3-8e7b-42bf-a709-c26c9e7d6d99

Raw Audit Messages
type=AVC msg=audit(1745204624.536:3813): avc:  denied  { read } for  pid=67540 comm="nft" name="fd" dev="proc" ino=1645797 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0


Hash: nft,iptables_t,kernel_t,dir,read

I’ve already tried allowing the access with the commands given by the alert. I also set SELinux to ‘permissive’ and ‘disabled’ just to check, but it shows two errors multiple times (image attached).

In addition, according to waydroid it’s running

$ waydroid session start
[23:24:47] Android with user 0 is ready
$ waydroid status
Session:        RUNNING
Container:      RUNNING
Vendor type:    MAINLINE
IP address:     192.168.240.112
Session user:   greens(1000)
Wayland display:        wayland-0

Switch SELinux to permissive mode for testing:

  • If the app still fails, then focus on errors not related to SELinux.
  • If the app works, then your custom policy module is incomplete, see:
journalctl -b _AUDIT_TYPE_NAME=AVC | audit2allow -m local
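
To see which denials a generated module would cover before loading it, the AVC records can be grouped the way the alert's "Hash:" line does. This is an added example, not part of the reply above or of any SELinux tool; the function names are hypothetical, the second and third sample records are constructed, and joining multiple permissions with commas in the key is an assumption.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the AVC record quoted in the thread; lines 2-3
# are made up for illustration (example_t and its field values are hypothetical).
SAMPLE = '''\
type=AVC msg=audit(1745204624.536:3813): avc:  denied  { read } for  pid=67540 comm="nft" name="fd" dev="proc" ino=1645797 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1745204625.101:3814): avc:  denied  { read } for  pid=67541 comm="nft" name="fd" dev="proc" ino=1645801 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1745204700.000:3900): avc:  denied  { read write } for  pid=70001 comm="example" name="demo" dev="tmpfs" ino=42 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        # An SELinux context is user:role:type:level; policy rules use the type.
        return {'comm': f['comm'], 'tclass': f['tclass'],
                'stype': f['scontext'].split(':')[2],
                'ttype': f['tcontext'].split(':')[2],
                'perms': tuple(m.group('perms').split()),
                # permissive=0: access was actually blocked; 1: logged only.
                'blocked': f.get('permissive', '0') == '0'}
    except (KeyError, IndexError):
        return None

def summarize(text):
    """Group denials by (comm, source type, target type, class, perms)."""
    counts, blocked = Counter(), {}
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        k = (d['comm'], d['stype'], d['ttype'], d['tclass']) + d['perms']
        counts[k] += 1
        blocked[k] = blocked.get(k, False) or d['blocked']
    rows = []
    for k, n in counts.most_common():
        perms = k[4:]
        p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rows.append({'key': ','.join(k), 'count': n, 'blocked': blocked[k],
                     'rule': f'allow {k[1]} {k[2]}:{k[3]} {p};'})
    return rows

if __name__ == '__main__':
    for r in summarize(SAMPLE):
        print(r['count'], 'blocked' if r['blocked'] else 'logged only', r['key'], '->', r['rule'])
```

Records logged while in permissive mode carry permissive=1, so the "blocked" column separates denials that really stopped something from ones that were only recorded during the test.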

Thank you! Setting to permissive and focusing on the ‘surfaceflinger’ error led me to a solution in their repo 🙂


I encountered a similar issue and switched SELinux to permissive, then abrt-applet started spamming android.hardware.graphics.composer@2.1-service killed by SIGSEGV instead…