Bug 1797543
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux is preventing systemd-sleep from 'read' accesses on the file swap. | | |
| Product | Fedora | Reporter | Mai Ling <mailinglists35> |
| Component | selinux-policy | Assignee | Zdenek Pytela <zpytela> |
| Status | CLOSED EOL | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 31 | CC | adamkam, cxiaoyi, davdunc, dwalsh, grepl.miroslav, laurenrx, lvrabec, mmalik, plautrba, sreyan32, taocrismon, vmojzis, xiliang, zpytela |
| Target Milestone | --- | Keywords | Triaged |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | abrt_hash:53e89a306a93e6ee9c1ce7729345d59f7a449585dda41bba964e363736e6d850; | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1798872 1850177 (view as bug list) | Environment | |
| Last Closed | 2020-11-24 19:49:00 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1812955 | | |
| Bug Blocks | 1850177, 1852533 | | |
Description
Mai Ling
2020-02-03 11:38:40 UTC
A PR has been created to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/322

Unfortunately, automated testing of the scenario will be difficult, because a successful start of the systemd-hybrid-sleep service leads to a hibernated / suspended machine, which cannot be easily woken up.

I found a way to start the systemd-hybrid-sleep service in permissive mode, collect SELinux denials and avoid sleep/hibernation of the machine:

```
# grep -i privatedev /usr/lib/systemd/system/systemd-hybrid-sleep.service
PrivateDevices=yes
# systemctl daemon-reload
#
```

The following SELinux denials appeared:

```
----
type=PROCTITLE msg=audit(02/04/2020 12:29:32.435:1713) : proctitle=/usr/lib/systemd/systemd-sleep hybrid-sleep
type=PATH msg=audit(02/04/2020 12:29:32.435:1713) : item=0 name=/swapfile inode=465736 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:swapfile_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/04/2020 12:29:32.435:1713) : cwd=/
type=SYSCALL msg=audit(02/04/2020 12:29:32.435:1713) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffff9c a1=0x55f8c1ce0030 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=5225 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-sleep exe=/usr/lib/systemd/systemd-sleep subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(02/04/2020 12:29:32.435:1713) : avc: denied { open } for pid=5225 comm=systemd-sleep path=/swapfile dev="vda1" ino=465736 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/04/2020 12:29:32.435:1713) : avc: denied { read } for pid=5225 comm=systemd-sleep name=swapfile dev="vda1" ino=465736 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(02/04/2020 12:29:32.435:1714) : proctitle=/usr/lib/systemd/systemd-sleep hybrid-sleep
type=SYSCALL msg=audit(02/04/2020 12:29:32.435:1714) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x5 a1=0xc020660b a2=0x55f8c1ce0110 a3=0x0 items=0 ppid=1 pid=5225 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-sleep exe=/usr/lib/systemd/systemd-sleep subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(02/04/2020 12:29:32.435:1714) : avc: denied { ioctl } for pid=5225 comm=systemd-sleep path=/swapfile dev="vda1" ino=465736 ioctlcmd=0x660b scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=1
----
```

The following error message appears in the journal as a result of adding the "PrivateDevices=yes" line to the /usr/lib/systemd/system/systemd-hybrid-sleep.service file:

```
systemd-sleep[5225]: Failed to write /sys/power/state: Operation not permitted
```

PR closed, a new domain likely needs to be added. Also changing priority, this bug only triggers when a swapfile is in place.

Is there any way I can add a domain by myself?

This bug still exists in the latest Fedora 31. So is there no way to do hibernation in Enforcing mode?

This message is a reminder that Fedora 31 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 31 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 31 changed to end-of-life (EOL) status on 2020-11-24. Fedora 31 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release.

If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
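As an added example (not code from this bug or from the selinux-policy project), a small Python parser that folds the AVC records collected above into the single allow rule they imply, the way one would read them with audit2allow, and counts how many were logged under permissive=1 rather than actually blocked. The sample input is the three AVC lines quoted in the bug, embedded as a constructed string.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in this bug, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(02/04/2020 12:29:32.435:1713) : avc: denied { open } for pid=5225 comm=systemd-sleep path=/swapfile dev="vda1" ino=465736 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/04/2020 12:29:32.435:1713) : avc: denied { read } for pid=5225 comm=systemd-sleep name=swapfile dev="vda1" ino=465736 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/04/2020 12:29:32.435:1714) : avc: denied { ioctl } for pid=5225 comm=systemd-sleep path=/swapfile dev="vda1" ino=465736 ioctlcmd=0x660b scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC 'denied' record; return None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        # the third colon-separated field of a context is the SELinux type
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # permissive=1 means the access was only logged, not blocked
        "permissive": fields.get("permissive") == "1",
    }


def summarize(audit_text):
    """Fold AVC records into one allow rule per (source type, target type, class)
    and count how many were recorded in permissive mode."""
    rules, permissive_count = defaultdict(set), 0
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
        permissive_count += rec["permissive"]
    rendered = [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                for (s, t, c), p in sorted(rules.items())]
    return rendered, permissive_count


if __name__ == "__main__":
    rules, count = summarize(SAMPLE_AUDIT)
    print("\n".join(rules), f"({count} records logged in permissive mode)")
```

The one rule it yields is an allow on init_t itself, the domain systemd runs in; the comment above concludes that a dedicated domain likely needs to be added instead.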