Hello all,
I recently encountered an issue where SELinux was denying access for the iio-sensor-prox process. Result was that my 2:1 Laptop was not “autorotating” its screen. The errors were logged in /var/log/audit/audit.log, and it caused the process to fail.
The Problem:
SELinux was blocking iio-sensor-prox from performing. The relevant entries in the audit log looked like this:
type=AVC msg=audit(...): avc: denied { create } for pid=43586 comm="iio-sensor-prox" scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(...): avc: denied { write } for pid=43586 comm="iio-sensor-prox" name="trigger" dev="sysfs" ...
The Solution:
After analyzing the logs, I determined that SELinux policies needed to be adjusted to allow the necessary permissions. Here’s how I did it:
Ensure that the following is installed:
sudo zypper install policycoreutils policycoreutils-python-utils selinux-tools
Then generate a Custom SELinux Policy:
Filter the relevant entries from the audit log and generate a policy module:
`sudo grep iio-sensor-prox /var/log/audit/audit.log | audit2allow -M iiosensorproxy_fix`
This will generate:
1 .te file: The human-readable SELinux policy source.
2 .pp file: The compiled policy module.
Install the Policy Module:
Install the .pp file to make the changes permanent:
sudo semodule -i iiosensorproxy_fix.pp
Check if the module was successfully installed:
semodule -l | grep iiosensorproxy_fix
Restart the affected service:
systemctl restart iio-sensor-proxy
I hope this helps anyone facing similar issues!
Cheers
PS: To rremove the custom module:
sudo semodule -r iiosensorproxy_fix