Screen does not autorotate -> SELinux Denying Access for iio-sensor-prox – How I solved it

Hello all,

I recently encountered an issue where SELinux was denying access for the iio-sensor-prox process. Result was that my 2:1 Laptop was not “autorotating” its screen. The errors were logged in /var/log/audit/audit.log, and it caused the process to fail.

The Problem:

SELinux was blocking iio-sensor-prox from performing. The relevant entries in the audit log looked like this:


type=AVC msg=audit(...): avc:  denied  { create } for  pid=43586 comm="iio-sensor-prox" scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(...): avc:  denied  { write } for  pid=43586 comm="iio-sensor-prox" name="trigger" dev="sysfs" ...

The Solution:

After analyzing the logs, I determined that SELinux policies needed to be adjusted to allow the necessary permissions. Here’s how I did it:

Ensure that the following is installed:
sudo zypper install policycoreutils policycoreutils-python-utils selinux-tools

Then generate a Custom SELinux Policy:

Filter the relevant entries from the audit log and generate a policy module:

`sudo grep iio-sensor-prox /var/log/audit/audit.log | audit2allow -M iiosensorproxy_fix`

This will  generate:
    1 .te file: The human-readable SELinux policy source.
    2 .pp file: The compiled policy module.

Install the Policy Module:

Install the .pp file to make the changes permanent:

sudo semodule -i iiosensorproxy_fix.pp

Check if the module was successfully installed:

semodule -l | grep iiosensorproxy_fix

Restart the affected service:

systemctl restart iio-sensor-proxy

I hope this helps anyone facing similar issues!

Cheers

PS: To rremove the custom module:

sudo semodule -r iiosensorproxy_fix

1 Like