Bug 2252796

Summary: SELinux is preventing systemd-sleep from 'add_name/write/read/setattr/create/' accesses on the dir /sys/firmware/efi/efivars.
Product: [Fedora] Fedora
Reporter: rodin-ia <i.a.rodin>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 39
CC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-12-05 10:19:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description rodin-ia 2023-12-04 18:07:14 UTC
An error 'Failed to set EFI variable HibernateLocation: Operation not allowed' occurred when trying to enter hibernate mode.

The error occurred because the process does not have permissions:
audit[3034]: AVC avc: denied { setattr } for pid=3034 comm="systemd-sleep" path="/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc>

After granting access, hibernation worked.
Access errors were also recorded when going into hibernation, but they did not cause any problems. 
AVC avc: denied { write } for pid=2594 comm="systemd-sleep" name="/" dev="efivarfs" ino=130 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext>

AVC avc: denied { add_name } for pid=2751 comm="systemd-sleep" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d87605050dc67" scontext=system_u:sys>

AVC avc: denied { create } for pid=2720 comm="systemd-sleep" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d87605050dc67" scontext=system_u:syste>

After fixing all the errors, an enabling policy was generated:
ausearch -c 'systemd-sleep' --raw | audit2allow 

require {
	type efivarfs_t;
	type systemd_sleep_t;
	class file { create read setattr };
	class dir { add_name write };
}
#============= systemd_sleep_t ==============
#!!!! This avc is allowed in the current policy
allow systemd_sleep_t efivarfs_t:dir { add_name write };
#!!!! This avc is allowed in the current policy
allow systemd_sleep_t efivarfs_t:file { read setattr };
allow systemd_sleep_t efivarfs_t:file create;

Pay attention to bug 2240320: there was a similar situation there, but in my case those rights were not enough.

Reproducible: Always

Steps to Reproduce:
1. Freshly installed f39
2. Creating a swap partition, and specifying it in fstab.
3. zram disabled
4. set kernel parameter resume=UUID=XXXXXXXX, where XXXXXX is the UUID of the swap partition;
5. integrated "resume" module in initrd.
6. Mounted partition (user files) on second ssd via dolphin interface
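The AVC records quoted in the report are what `ausearch ... | audit2allow` consumes: it groups each denial by source type, target type and object class, merges the denied permissions, and prints the `require` block and `allow` rules shown above. The following Python script is an added example (not part of this report and not code from the selinux-policy project) that reproduces that grouping over constructed audit records modelled on the denials above, so the mechanism behind the generated policy can be inspected offline. Because the report's lines are truncated after `scontext=`, the `tcontext`, `tclass` and `ino` fields, the extra `read` denial, the timestamps and the module name `local-systemd-sleep` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the denials quoted in this report.
# The report's lines are truncated after scontext=, so the tcontext, tclass
# and ino fields, the extra read denial and the timestamps are assumptions.
EFI_VAR = "HibernateLocation-8cf2644b-4b0b-428f-9387-6d87605050dc67"


def avc_record(perm, tclass, name, pid):
    """Build one audit AVC record in the layout the kernel emits (constructed)."""
    return (f"type=AVC msg=audit(1701713234.000:{pid}): avc:  denied  {{ {perm} }} for  "
            f'pid={pid} comm="systemd-sleep" name="{name}" dev="efivarfs" ino=130 '
            f"scontext=system_u:system_r:systemd_sleep_t:s0 "
            f"tcontext=system_u:object_r:efivarfs_t:s0 tclass={tclass} permissive=0")


SAMPLE_AUDIT_LINES = [
    avc_record("setattr", "file", EFI_VAR, 3034),
    avc_record("write", "dir", "/", 2594),
    avc_record("add_name", "dir", EFI_VAR, 2751),
    avc_record("create", "file", EFI_VAR, 2720),
    avc_record("read", "file", EFI_VAR, 2721),
    # A non-AVC record of the kind ausearch also returns; the parser must skip it.
    "type=SYSCALL msg=audit(1701713234.000:2720): arch=c000003e syscall=257 "
    'success=no exit=-13 comm="systemd-sleep" exe="/usr/lib/systemd/systemd-sleep"',
]

# Field order in a kernel AVC record is: denied perms, ..., scontext, tcontext, tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scon>\S+)"
    r".*?\btcontext=(?P<tcon>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, CWD, PATH ... records carry no AVC decision
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def format_perms(perms):
    """One permission bare, several inside braces, as audit2allow prints them."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, module_name="local-systemd-sleep"):
    """Render Type Enforcement (.te) source for the grouped denials."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, tclass), perms in rules.items():
        types.update((src, tgt))
        classes[tclass].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    # Every class line in require ends with a semicolon; checkmodule rejects it otherwise.
    out += [f"\tclass {c} {format_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {src} {tgt}:{tclass} {format_perms(perms)};"
            for (src, tgt, tclass), perms in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module(parse_denials(SAMPLE_AUDIT_LINES)), end="")
```

Run against the constructed records it prints the same two `allow` rules as the report, with the `require` block's `class dir` line terminated by a semicolon. The grouping is also where review belongs before loading anything: of the permissions listed, audit2allow's own comments mark the `dir { add_name write }` and `file { read setattr }` rules as already allowed by the current policy, so `file create` is the single addition a local module would actually contribute, and a local module should be treated as a stopgap until the distribution policy carries the rule.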

Comment 1 Zdenek Pytela 2023-12-05 10:19:09 UTC

*** This bug has been marked as a duplicate of bug 2249928 ***