Bug 2273959
| Summary: | upgrade to F40 beta breaks hibernation: selinux denies access | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Christian Herzog <daduke> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Priority: | medium |
| Version: | 40 | Hardware: | x86_64 |
| OS: | Linux | Fixed In Version: | selinux-policy-40.17-1.fc40 |
| Last Closed: | 2024-04-30 01:04:11 UTC | | |
| CC: | dtardon, dwalsh, fedoraproject, filbranden, knazekovan, lnykryn, lvrabec, matthias.andree, mko, mmalik, msekleta, omosnacek, perfected_deskbound045, pkoncity, ryncsn, systemd-maint, vmojzis, yuwatana, zbyszek, zpytela | | |

Christian,

Can you check if adding the reported permission is sufficient?

    # cat local_sleep.cil
    (allow systemd_sleep_t fixed_disk_device_t (blk_file (read)))
    # semodule -i local_sleep.cil
    <reproduce>
    # semodule -r local_sleep

This is currently in the policy:

    # systemd-sleep needs to getattr swap partitions
    storage_getattr_fixed_disk_dev(systemd_sleep_t)
    storage_getattr_removable_dev(systemd_sleep_t)

I wonder when it started not to be enough since nobody reported a related problem since 2021.

I'm not very familiar with selinux. I found other .cil files in /usr/share/udica/templates, so I created local_sleep.cil with this one line in there and ran semodule -i local_sleep.cil. This did not change things, the error remains the same.

I believe the content of the cil file matches the reported denial, therefore there should not be the same denial again. Can you confirm there is again the same avc, or a different one, or just the service failing?

with the file in place, the error is:
audit[10498]: AVC avc: denied { open } for pid=10498 comm="systemd-sleep" path="/dev/dm-1" dev="devtmpfs" ino=423 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
systemd-sleep[10498]: Failed to find location to hibernate to: Permission denied
systemd[1]: systemd-hibernate.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-hibernate.service: Failed with result 'exit-code'.
systemd[1]: Failed to start systemd-hibernate.service - System Hibernate.
systemd[1]: Dependency failed for hibernate.target - System Hibernation.
systemd[1]: hibernate.target: Job hibernate.target/start failed with result 'dependency'.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hibernate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
which differs in one detail from the previous one:
******
audit[5317]: AVC avc: denied { read } for pid=5317 comm="systemd-sleep" name="dm-1" dev="devtmpfs" ino=423 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
so I modified the rule to read
(allow systemd_sleep_t fixed_disk_device_t (blk_file (open read)))
and hibernate works again!
thank you very much!
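
Added example (not part of the original bug thread and not selinux-policy code): the two denials quoted in this report differ only in the permission, and each maps mechanically to a CIL allow rule. The Python below parses the AVC records and merges permissions per source type, target type and class, reproducing the rule that restored hibernation; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two AVC records quoted in this bug: the original denial, then the one
# logged after only "read" had been allowed.
AVC_LINES = [
    'audit[5317]: AVC avc: denied { read } for pid=5317 comm="systemd-sleep" name="dm-1" dev="devtmpfs" ino=423 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0',
    'audit[10498]: AVC avc: denied { open } for pid=10498 comm="systemd-sleep" path="/dev/dm-1" dev="devtmpfs" ino=423 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avc(line):
    """Return (source type, target type, class, {perms}) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = set(m["perms"].split())
    return selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"], perms

def cil_rules(lines):
    """Merge denied permissions per (source, target, class) into CIL allow rules."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # journal lines that are not AVC denials
        src, tgt, tclass, perms = rec
        merged[(src, tgt, tclass)] |= perms
    return [
        f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
        for (s, t, c), p in sorted(merged.items())
    ]

if __name__ == "__main__":
    for rule in cil_rules(AVC_LINES):
        print(rule)
```

Feeding only the first record yields the `read`-only rule that was tried first; the `open` denial became visible only once that rule was loaded and hibernation was attempted again.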

This is exactly what I needed to know, thank you for your cooperation.

FEDORA-2024-57cdb8429c (selinux-policy-40.17-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-57cdb8429c

FEDORA-2024-57cdb8429c has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-57cdb8429c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-57cdb8429c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

*** Bug 2277489 has been marked as a duplicate of this bug. ***

FEDORA-2024-57cdb8429c (selinux-policy-40.17-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.

*** Bug 2277933 has been marked as a duplicate of this bug. ***

How did you manage Hibernating? I can't. I got an error: https://discussion.fedoraproject.org/t/i-applied-hibernation-for-fedora-41-hibernate-is-not-working/135537

Hi,

I've been using hibernate to a swap partition on a Lenovo X250 for years. After a dnf upgrade to F40 beta, hibernation breaks with the following log entries:

audit[5317]: AVC avc: denied { read } for pid=5317 comm="systemd-sleep" name="dm-1" dev="devtmpfs" ino=423 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
systemd-sleep[5317]: Failed to find location to hibernate to: Permission denied
systemd[1]: systemd-hibernate.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-hibernate.service: Failed with result 'exit-code'.
systemd[1]: Failed to start systemd-hibernate.service - System Hibernate.
systemd[1]: Dependency failed for hibernate.target - System Hibernation.
systemd[1]: hibernate.target: Job hibernate.target/start failed with result 'dependency'.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hibernate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

I haven't been able to find out how to give/restore the required permissions.

Reproducible: Always

Steps to Reproduce:
1. Install F39
2. Set up hibernation to swap partition
3. dnf upgrade to F40 beta

Actual Results: hibernation fails due to selinux permissions

Expected Results: successful hibernation