Bug 2369326 - SELinux is preventing iio-sensor-prox from using the 'sys_admin' capabilities.
Summary: SELinux is preventing iio-sensor-prox from using the 'sys_admin' capabilities.
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 41
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ondrej Mosnáček
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:ccc2ad1356096564965d455476b...
Duplicates: 2369215 2369516 2369645 2370866 2372371 2373292 2375827 2375909 2376564 2376694 2376932 2379501
Depends On:
Blocks:
Reported: 2025-05-30 04:28 UTC by Frank Büttner
Modified: 2025-07-11 13:44 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:
zpytela: mirror+


Attachments
File: description (2.01 KB, text/plain), 2025-05-30 04:28 UTC, Frank Büttner
File: os_info (726 bytes, text/plain), 2025-05-30 04:28 UTC, Frank Büttner
Trace when connecting PS5 controller (10.74 MB, model/x.stl-binary), 2025-05-30 17:42 UTC, madness742
Tracefs when connecting PS5 controller (USB). (11.23 KB, text/plain), 2025-06-10 11:51 UTC, madness742


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 2369215 0 unspecified CLOSED gpsd wants selinux sys_admin capability 2025-06-11 11:14:02 UTC
Red Hat Issue Tracker FC-1708 0 None None None 2025-06-02 08:31:01 UTC

Internal Links: 2375909

Description Frank Büttner 2025-05-30 04:28:29 UTC
Description of problem:
SELinux is preventing iio-sensor-prox from using the 'sys_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

Wenn Sie denken, dass iio-sensor-prox standardmäßig sys_admin Berechtigung haben sollten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# ausearch -c 'iio-sensor-prox' --raw | audit2allow -M my-iiosensorprox
# semodule -X 300 -i my-iiosensorprox.pp

Additional Information:
Source Context                system_u:system_r:iiosensorproxy_t:s0
Target Context                system_u:system_r:iiosensorproxy_t:s0
Target Objects                Unbekannt [ capability ]
Source                        iio-sensor-prox
Source Path                   iio-sensor-prox
Port                          <Unbekannt>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.39-1.fc41.noarch
Local Policy RPM              selinux-policy-targeted-41.39-1.fc41.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.14.8-200.fc41.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu May 22 19:26:21 UTC 2025
                              x86_64
Alert Count                   10
First Seen                    2025-05-30 06:21:28 CEST
Last Seen                     2025-05-30 06:21:28 CEST
Local ID                      9fdbd657-0d34-4291-a446-2214a8a37cd9

Raw Audit Messages
type=AVC msg=audit(1748578888.827:141): avc:  denied  { sys_admin } for  pid=8220 comm="iio-sensor-prox" capability=21  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0


Hash: iio-sensor-prox,iiosensorproxy_t,iiosensorproxy_t,capability,sys_admin

Version-Release number of selected component:
selinux-policy-targeted-41.39-1.fc41.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing iio-sensor-prox from using the 'sys_admin' capabilities.
package:        selinux-policy-targeted-41.39-1.fc41.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.14.8-200.fc41.x86_64
component:      selinux-policy

Comment 1 Frank Büttner 2025-05-30 04:28:31 UTC
Created attachment 2092211 [details]
File: description

Comment 2 Frank Büttner 2025-05-30 04:28:33 UTC
Created attachment 2092212 [details]
File: os_info

Comment 3 Zdenek Pytela 2025-05-30 07:43:12 UTC
Frank,

the sys_admin capability is quite powerful, so justification is required. Please reproduce with full auditing enabled:

https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing

Comment 4 madness742 2025-05-30 17:14:56 UTC
I'm getting the same alert on Fedora 42 KDE. It appears on kernel 6.14.8, but not 6.14.6.

Reproducible using the following steps:
1. Set up a PlayStation 5 controller in pairing mode (hold the "Share" button and the PlayStation button until the light bar starts flashing blue).
2. Pair the device (System Settings -> Bluetooth -> Pair Device).
3. Hit the Playstation button to connect the controller.

It's also reproducible when using a wired connection:
1. Connect the PlayStation 5 controller using a USB-C to USB-A cable.

AVC Denial with full auditing enabled:
type=PROCTITLE msg=audit(05/30/2025 19:08:43.842:288) : proctitle=/usr/libexec/iio-sensor-proxy 
type=SYSCALL msg=audit(05/30/2025 19:08:43.842:288) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x7 a1=SOL_SOCKET a2=SO_ATTACH_FILTER a3=0x7ffcb73953d0 items=0 ppid=1 pid=3361 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iio-sensor-prox exe=/usr/libexec/iio-sensor-proxy subj=system_u:system_r:iiosensorproxy_t:s0 key=(null) 
type=AVC msg=audit(05/30/2025 19:08:43.842:288) : avc:  denied  { sys_admin } for  pid=3361 comm=iio-sensor-prox capability=sys_admin  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0 
type=AVC msg=audit(05/30/2025 19:08:43.842:288) : avc:  denied  { sys_admin } for  pid=3361 comm=iio-sensor-prox capability=sys_admin  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0 
type=AVC msg=audit(05/30/2025 19:08:43.842:288) : avc:  denied  { sys_admin } for  pid=3361 comm=iio-sensor-prox capability=sys_admin  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0 
type=AVC msg=audit(05/30/2025 19:08:43.842:288) : avc:  denied  { sys_admin } for  pid=3361 comm=iio-sensor-prox capability=sys_admin  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0 
type=AVC msg=audit(05/30/2025 19:08:43.842:288) : avc:  denied  { sys_admin } for  pid=3361 comm=iio-sensor-prox capability=sys_admin  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0 
----
type=PROCTITLE msg=audit(05/30/2025 19:08:43.854:290) : proctitle=/usr/libexec/iio-sensor-proxy 
type=SYSCALL msg=audit(05/30/2025 19:08:43.854:290) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x8 a1=SOL_SOCKET a2=SO_ATTACH_FILTER a3=0x7ffcb7395330 items=0 ppid=1 pid=3361 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iio-sensor-prox exe=/usr/libexec/iio-sensor-proxy subj=system_u:system_r:iiosensorproxy_t:s0 key=(null) 
type=AVC msg=audit(05/30/2025 19:08:43.854:290) : avc:  denied  { sys_admin } for  pid=3361 comm=iio-sensor-prox capability=sys_admin  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0 
type=AVC msg=audit(05/30/2025 19:08:43.854:290) : avc:  denied  { sys_admin } for  pid=3361 comm=iio-sensor-prox capability=sys_admin  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0 
type=AVC msg=audit(05/30/2025 19:08:43.854:290) : avc:  denied  { sys_admin } for  pid=3361 comm=iio-sensor-prox capability=sys_admin  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0 
type=AVC msg=audit(05/30/2025 19:08:43.854:290) : avc:  denied  { sys_admin } for  pid=3361 comm=iio-sensor-prox capability=sys_admin  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0 
type=AVC msg=audit(05/30/2025 19:08:43.854:290) : avc:  denied  { sys_admin } for  pid=3361 comm=iio-sensor-prox capability=sys_admin  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0
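As an added example (not code from the bug report or any of its participants): a small Python triage script that groups the audit records above by their serial number, so each AVC denial is read together with the SYSCALL record of the same event, and reports whether the call completed anyway. The sample input is constructed from the quoted event 288; with only a raw AVC line and no SYSCALL record (as in the original description) it tells you to reproduce with full auditing, which is exactly the information needed to judge a sys_admin request.

```python
import re
from collections import defaultdict

# Constructed sample: one audit event from the report above (SYSCALL fields trimmed
# for width). The serial after the timestamp (...:288) ties the AVC records to it.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(05/30/2025 19:08:43.842:288) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x7 a1=SOL_SOCKET a2=SO_ATTACH_FILTER pid=3361 uid=root comm=iio-sensor-prox exe=/usr/libexec/iio-sensor-proxy subj=system_u:system_r:iiosensorproxy_t:s0 key=(null)
type=AVC msg=audit(05/30/2025 19:08:43.842:288) : avc:  denied  { sys_admin } for  pid=3361 comm=iio-sensor-prox capability=sys_admin  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0
type=AVC msg=audit(05/30/2025 19:08:43.842:288) : avc:  denied  { sys_admin } for  pid=3361 comm=iio-sensor-prox capability=sys_admin  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\)\s*:\s*(.*)$")
FIELD_RE = re.compile(r"(\w+)=(\([^)]*\)|\S+)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}")

def parse_audit(text):
    """Group SYSCALL and AVC records by audit serial; works for both the
    ausearch -i form above and the raw 'audit(1748578888.827:141):' form."""
    events = defaultdict(lambda: {"syscall": {}, "avc": []})
    for m in filter(None, map(RECORD_RE.match, text.splitlines())):
        rtype, _stamp, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        if rtype == "SYSCALL":
            events[int(serial)]["syscall"] = fields
        elif rtype == "AVC" and (avc := AVC_RE.search(body)):
            events[int(serial)]["avc"].append({"result": avc.group(1),
                "perms": avc.group(2).split(), "tclass": fields.get("tclass")})
    return dict(events)

def triage(events):
    """One finding per event with denials: what was denied, how often, and whether
    the syscall still completed (success=yes means the access was not required)."""
    findings = []
    for serial, ev in sorted(events.items()):
        denied = [d for d in ev["avc"] if d["result"] == "denied"]
        if not denied:
            continue
        sc = ev["syscall"]
        f = {"serial": serial, "comm": sc.get("comm"), "syscall": sc.get("syscall"),
             "sockopt": sc.get("a2"), "succeeded": sc.get("success") == "yes",
             "tclass": denied[0]["tclass"], "count": len(denied),
             "denied": sorted({p for d in denied for p in d["perms"]})}
        if not sc:
            f["verdict"] = "no SYSCALL record; reproduce with full auditing enabled"
        elif f["succeeded"]:
            f["verdict"] = "syscall succeeded despite denial; access not required"
        else:
            f["verdict"] = "syscall failed; denial is blocking and needs policy review"
        findings.append(f)
    return findings
```

Run it over `ausearch -i` output from a reproduction; a finding whose syscall succeeded is a candidate for a dontaudit or a code fix rather than for the allow rule setroubleshoot proposes.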

Comment 5 Zdenek Pytela 2025-05-30 17:24:52 UTC
It looks like the service wanted to attach a BPF filter, but then the bpf capability should be requested.
It seems to be important that the kernel version plays a role.

Will you be able to install all needed debuginfo packages and gather stack trace?
https://fedoraproject.org/wiki/SELinux/Debugging#Advanced_debugging
https://fedoraproject.org/wiki/SELinux/Debugging#Using_perf_to_trace_all_system_denials


Ondrej, can you check what makes the difference between kernel 6.14.8 and 6.14.6?

Comment 6 madness742 2025-05-30 17:42:02 UTC
Created attachment 2092248 [details]
Trace when connecting PS5 controller

I have followed the instructions to install the required tools (Advanced debugging section), then executed perf, connected the controller (USB) and shortly after pressed ^C.

Comment 7 Zdenek Pytela 2025-05-30 18:36:20 UTC
I can only confirm it is setsockopt(), but I would need to have the same kernel and libraries to disclose the stack trace.

Can you check if the service, despite the denial, works properly and efficiently?

Comment 8 madness742 2025-05-30 19:47:31 UTC
I have tested the functionality of the controller (USB/Bluetooth), and everything seems to be working as expected.

- Gyroscope
- Accelerometer
- Battery Level
- Speaker
- Rumble
- Lights
- Inputs

Comment 9 Zdenek Pytela 2025-06-02 08:26:39 UTC
*** Bug 2369516 has been marked as a duplicate of this bug. ***

Comment 10 Zdenek Pytela 2025-06-02 08:26:52 UTC
*** Bug 2369645 has been marked as a duplicate of this bug. ***

Comment 11 Ondrej Mosnáček 2025-06-10 08:08:06 UTC
@madness742 Could you please try the last tracing method instead ("Using tracefs")?

https://fedoraproject.org/wiki/SELinux/Debugging#Using_tracefs

Comment 12 madness742 2025-06-10 11:51:57 UTC
Created attachment 2093550 [details]
Tracefs when connecting PS5 controller (USB).

I have followed the instructions under "Using tracefs".

Comment 13 Rostislav Krasny 2025-06-10 15:56:26 UTC
I've got this issue as well but found a workaround. After some update this error started appearing again and again after each boot/reboot of my laptop. A long time ago I disabled Bluetooth on this computer using blueman-applet (usually appears on the tray bar of my Cinnamon DE). A few minutes ago I enabled Bluetooth in the blueman-applet and rebooted again. This time I got no new error from SELinux. Then I disabled Bluetooth in blueman-applet again and rebooted yet another time. No error from SELinux this time as well. It looks like something related to Bluetooth wanted to do some one-time operation, always failed in SELinux because Bluetooth was disabled and tried to do it again during each boot. Now it just doesn't try to do it again.

Following is that old error from SELinux:

$ sealert -l fc5b43f3-67a3-4110-b6f4-d3faba344bfc
SELinux is preventing iio-sensor-prox from using the sys_admin capability.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that iio-sensor-prox should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'iio-sensor-prox' --raw | audit2allow -M my-iiosensorprox
# semodule -X 300 -i my-iiosensorprox.pp


Additional Information:
Source Context                system_u:system_r:iiosensorproxy_t:s0
Target Context                system_u:system_r:iiosensorproxy_t:s0
Target Objects                Unknown [ capability ]
Source                        iio-sensor-prox
Source Path                   iio-sensor-prox
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-41.43-1.fc42.noarch
Local Policy RPM              selinux-policy-targeted-41.43-1.fc42.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 6.14.9-300.fc42.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Thu May 29 14:27:53 UTC 2025
                              x86_64
Alert Count                   30
First Seen                    2025-06-10 17:59:14 IDT
Last Seen                     2025-06-10 18:42:01 IDT
Local ID                      fc5b43f3-67a3-4110-b6f4-d3faba344bfc

Raw Audit Messages
type=AVC msg=audit(1749570121.825:119): avc:  denied  { sys_admin } for  pid=1186 comm="iio-sensor-prox" capability=21  scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0


Hash: iio-sensor-prox,iiosensorproxy_t,iiosensorproxy_t,capability,sys_admin

Comment 14 Rostislav Krasny 2025-06-10 16:13:57 UTC
Unfortunately my workaround is not reliable. After a few more reboots the above error from SELinux started to appear again.

Comment 15 Ondrej Mosnáček 2025-06-11 07:58:21 UTC
Thanks for the backtrace, it allowed me to find where the capability check comes from. The cause is apparently commit [1] (or [2] in the 6.14 stable tree), which added capable(CAP_SYS_ADMIN) to decide whether to apply a Spectre mitigation to a JIT-compiled BPF filter. It should have used bpf_capable() instead, which checks for CAP_BPF first, which domains using SO_ATTACH_FILTER should already have allowed or dontaudited.

I'll send a patch upstream to fix it.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d4e89d212d401672e9cdfe825d947ee3a9fbe3f5
[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.14.y&id=14e088f4aa9fca3f9d13d458dc0a138e7a3f771e

Comment 16 Ondrej Mosnáček 2025-06-11 11:13:39 UTC
*** Bug 2369215 has been marked as a duplicate of this bug. ***

Comment 17 Zdenek Pytela 2025-06-12 07:50:04 UTC
*** Bug 2372371 has been marked as a duplicate of this bug. ***

Comment 18 Zdenek Pytela 2025-06-12 07:50:22 UTC
*** Bug 2370866 has been marked as a duplicate of this bug. ***

Comment 19 Zdenek Pytela 2025-06-18 11:55:41 UTC
*** Bug 2373292 has been marked as a duplicate of this bug. ***

Comment 20 Zdenek Pytela 2025-07-02 07:25:38 UTC
*** Bug 2375827 has been marked as a duplicate of this bug. ***

Comment 21 Mr. Beedell, Roke Julian Lockhart (RJLB) 2025-07-02 14:54:26 UTC
*** Bug 2375909 has been marked as a duplicate of this bug. ***

Comment 22 Zdenek Pytela 2025-07-07 08:02:30 UTC
*** Bug 2376564 has been marked as a duplicate of this bug. ***

Comment 23 Zdenek Pytela 2025-07-07 08:04:41 UTC
*** Bug 2376694 has been marked as a duplicate of this bug. ***

Comment 24 Zdenek Pytela 2025-07-08 07:39:20 UTC
*** Bug 2376932 has been marked as a duplicate of this bug. ***

Comment 25 Zdenek Pytela 2025-07-11 13:44:44 UTC
*** Bug 2379501 has been marked as a duplicate of this bug. ***
