Bug 2324950
| Summary: | AVC avc: denied { unlink } for pid=732 comm="systemd-hiberna" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=9308 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Steve <y9t7sypezp> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 42 | CC: | dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | Flags: | zpytela:
mirror+
|
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-42.1-1.fc42 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2025-07-22 01:11:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I believe this AVC occurs when systemd-hibernate-clear.service runs:
$ journalctl --no-hostname -b -1 | egrep -n 'systemd-hibernate-clear.service|avc'
1084:Nov 11 19:12:18 systemd[1]: Starting systemd-hibernate-clear.service - Clear Stale Hibernate Storage Info...
1090:Nov 11 19:12:18 kernel: audit: type=1400 audit(1731352338.446:3): avc: denied { unlink } for pid=730 comm="systemd-hiberna" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=10332 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1114:Nov 11 19:12:18 audit[730]: AVC avc: denied { unlink } for pid=730 comm="systemd-hiberna" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=10332 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1143:Nov 11 19:12:18 systemd[1]: Finished systemd-hibernate-clear.service - Clear Stale Hibernate Storage Info.
3137:Nov 11 19:26:55 systemd[1]: systemd-hibernate-clear.service: Deactivated successfully.
3138:Nov 11 19:26:55 systemd[1]: Stopped systemd-hibernate-clear.service - Clear Stale Hibernate Storage Info.
The file being unlinked, HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67, would be in /sys/firmware/efi/efivars/.
NB: selinux was running in permissive mode.
$ rpm -q selinux-policy systemd
selinux-policy-41.24-1.fc42.noarch
systemd-257~rc1-2.fc42.x86_64
$ uname -r
6.12.0-0.rc6.20241108git906bd684e4b1.55.fc42.x86_64
An earlier log confirms the path: $ journalctl --no-hostname -b -7 | fgrep -m1 '/sys/firmware' Nov 11 18:20:36 systemd[1]: systemd-hibernate-clear.service - Clear Stale Hibernate Storage Info was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67). This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle. Changing version to 42. Steve, I started with confining the hibernate service. Will you be able to test the copr build and gather additional denials? The domain is set to permissive mode not to block any action. https://github.com/fedora-selinux/selinux-policy/pull/2620 checks - > rpm build rawhide/42 FEDORA-2025-42c191342a (selinux-policy-42.1-1.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-42c191342a FEDORA-2025-42c191342a has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-42c191342a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-42c191342a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2025-42c191342a (selinux-policy-42.1-1.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report. The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |
These AVCs occurred after attempting to hibernate on bare metal with: $ systemctl hibernate Hibernation appeared to occur, but the system restarted instead of waking. $ journalctl --no-hostname -b -1 | fgrep AVC Nov 09 21:35:29 audit[732]: AVC avc: denied { unlink } for pid=732 comm="systemd-hiberna" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=9308 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0 Nov 09 21:35:30 audit[1038]: AVC avc: denied { unlink } for pid=1038 comm="systemd-hiberna" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=9308 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0 A suitable swap partition is allocated, but not encrypted: $ journalctl --no-hostname -b -1 | fgrep 'swap on /dev/sdc4' Nov 09 21:35:30 kernel: Adding 31248380k swap on /dev/sdc4. Priority:-2 extents:1 across:31248380k SS Reproducible: Always $ rpm -q selinux-policy systemd selinux-policy-41.24-1.fc42.noarch systemd-257~rc1-2.fc42.x86_64 $ uname -r 6.12.0-0.rc6.20241108git906bd684e4b1.55.fc42.x86_64