Bug 2252796
| Summary: | SELinux is preventing systemd-sleep from 'add_name/write/read/setattr/create/' accesses on the dir /sys/firmware/efi/efivars. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | rodin-ia <i.a.rodin> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 39 | CC: | dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-12-05 10:19:09 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** This bug has been marked as a duplicate of bug 2249928 ***
An error 'Failed to set EFI variable HibernateLocation: Operation not allowed' occurred when trying to enter hibernate mode. The error occurred because the process does not have permissions:

```
audit[3034]: AVC avc: denied { setattr } for pid=3034 comm="systemd-sleep" path="/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc>
```

After granting access, hibernation worked. Access errors were also recorded when going into hibernation, but they did not cause any problems.

```
AVC avc: denied { write } for pid=2594 comm="systemd-sleep" name="/" dev="efivarfs" ino=130 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext>
AVC avc: denied { add_name } for pid=2751 comm="systemd-sleep" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d87605050dc67" scontext=system_u:sys>
AVC avc: denied { create } for pid=2720 comm="systemd-sleep" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d87605050dc67" scontext=system_u:syste>
```

After fixing all the errors, an enabling policy was generated:

```
ausearch -c 'systemd-sleep' --raw | audit2allow

require {
	type efivarfs_t;
	type systemd_sleep_t;
	class file { create read setattr };
	class dir { add_name write };
}

#============= systemd_sleep_t ==============

#!!!! This avc is allowed in the current policy
allow systemd_sleep_t efivarfs_t:dir { add_name write };

#!!!! This avc is allowed in the current policy
allow systemd_sleep_t efivarfs_t:file { read setattr };
allow systemd_sleep_t efivarfs_t:file create;
```

Pay attention to bug 2240320, there was a similar situation there, but in my case those rights were not enough.

Reproducible: Always

Steps to Reproduce:
1. Freshly installed f39
2. Creating a swap partition, and specifying it in fstab.
3. zram disabled
4. set kernel parameter resume=UUID=XXXXXXXX, where XXXXXX is the UUID of the swap partition;
5. integrated "resume" module in initrd.
6. Mounted partition (user files) on second ssd via dolphin interface
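The report's denials are folded into allow rules by hand above; the following added Python example (not Fedora's, systemd's or audit2allow's own code) shows the same grouping step that audit2allow performs, and adds the review step a policy maintainer wants before loading such a module: which of the generated rules grant permissions that modify the target. The audit records it parses are constructed, modelled on the truncated lines in the report; the timestamps, serials, inode numbers and the tcontext/tclass fields are assumed (efivarfs_t is taken from the report's audit2allow output), while the variable name, PIDs and scontext follow the report.

```python
"""Group SELinux AVC denials into allow rules the way audit2allow does, then
flag the rules that grant mutating access so they can be reviewed.

Added example for this bug report; not Fedora's, systemd's or audit2allow's
code. SAMPLE_AVC below is constructed: tcontext, tclass, timestamps, serials
and inode numbers are assumed, since the report's own lines are truncated.
"""
import re
from collections import defaultdict

SAMPLE_AVC = """\
type=AVC msg=audit(1700000000.100:301): avc:  denied  { setattr } for  pid=3034 comm="systemd-sleep" path="/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d87605050dc67" dev="efivarfs" ino=131 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:302): avc:  denied  { write } for  pid=2594 comm="systemd-sleep" name="/" dev="efivarfs" ino=130 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.300:303): avc:  denied  { add_name } for  pid=2751 comm="systemd-sleep" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d87605050dc67" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.400:304): avc:  denied  { create } for  pid=2720 comm="systemd-sleep" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d87605050dc67" scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.500:305): avc:  denied  { read } for  pid=2720 comm="systemd-sleep" path="/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d87605050dc67" dev="efivarfs" ino=131 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.500:305): arch=c000003e syscall=257 success=no exit=-13 comm="systemd-sleep"
"""

# One AVC denial per line: permissions in braces, then pid/comm, then the
# source context, target context and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions that change the object rather than observe it. A rule granting
# any of these on efivarfs_t lets the domain modify EFI variables, which is
# the part of a generated module that deserves a second look.
MUTATING = {"write", "append", "create", "setattr", "unlink", "rename",
            "add_name", "remove_name", "rmdir"}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Parse raw audit text into one dict per AVC denial; other records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        records.append({
            "pid": int(m.group("pid")),
            "comm": m.group("comm"),
            "perms": set(m.group("perms").split()),
            "stype": selinux_type(m.group("scontext")),
            "ttype": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return records


def aggregate(records):
    """Fold denials into (source type, target type, class) -> permission set."""
    rules = defaultdict(set)
    for r in records:
        rules[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(rules)


def render_policy(rules, module="local_systemd_sleep"):
    """Render a .te source in the shape audit2allow -M produces (module name is assumed)."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {module} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(perms))} }};"
              for cls, perms in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        lines.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


def review_findings(rules):
    """List rules that grant a mutating permission, one line per rule, for review."""
    findings = []
    for (s, t, cls), perms in sorted(rules.items()):
        hits = sorted(perms & MUTATING)
        if hits:
            findings.append(f"{s} -> {t}:{cls} grants {' '.join(hits)}")
    return findings


if __name__ == "__main__":
    rules = aggregate(parse_avc(SAMPLE_AVC))
    print(render_policy(rules))
    for finding in review_findings(rules):
        print("REVIEW:", finding)
```

On the report's denials this reproduces the two allow rules from the audit2allow output (with `create` merged into the file rule) and flags both of them, because every permission except `read` here modifies efivarfs. That is the expected outcome for systemd-sleep, which has to write HibernateLocation, but the same check is what separates a justified grant from a denial that should instead be reported against selinux-policy, as this bug was; a locally loaded module built from such rules is a stopgap until the distribution policy carries the fix.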