Description of problem: SELinux is preventing systemd-sleep from 'read' accesses on the file swap. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-sleep should be allowed read access on the swap file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep # semodule -X 300 -i my-systemdsleep.pp Additional Information: Source Context system_u:system_r:init_t:s0 Target Context unconfined_u:object_r:swapfile_t:s0 Target Objects swap [ file ] Source systemd-sleep Source Path systemd-sleep Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.4-44.fc31.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.4.13-201.fc31.x86_64 #1 SMP Tue Jan 21 17:21:47 UTC 2020 x86_64 x86_64 Alert Count 2 First Seen 2020-01-31 22:33:05 EET Last Seen 2020-01-31 22:45:26 EET Local ID 3ac834e6-1ed0-4795-97c9-e7b14d0b96d5 Raw Audit Messages type=AVC msg=audit(1580503526.158:1166): avc: denied { read } for pid=55508 comm="systemd-sleep" name="swap" dev="dm-1" ino=2359597 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=0 Hash: systemd-sleep,init_t,swapfile_t,file,read Version-Release number of selected component: selinux-policy-3.14.4-44.fc31.noarch Additional info: component: selinux-policy reporter: libreport-2.11.3 hashmarkername: setroubleshoot kernel: 5.4.14-200.fc31.x86_64 type: libreport
A PR has been created to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/322
Unfortunately, automated testing of the scenario will be difficult, because successful start of the systemd-hybrid-sleep service leads to a hibernated / suspended machine, which cannot be easily woken up.
I found a way how to start the systemd-hybrid-sleep service in permissive mode, collect SELinux denials and avoid sleep/hibernation of the machine: # grep -i privatedev /usr/lib/systemd/system/systemd-hybrid-sleep.service PrivateDevices=yes # systemctl daemon-reload # Following SELinux denials appeared: ---- type=PROCTITLE msg=audit(02/04/2020 12:29:32.435:1713) : proctitle=/usr/lib/systemd/systemd-sleep hybrid-sleep type=PATH msg=audit(02/04/2020 12:29:32.435:1713) : item=0 name=/swapfile inode=465736 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:swapfile_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(02/04/2020 12:29:32.435:1713) : cwd=/ type=SYSCALL msg=audit(02/04/2020 12:29:32.435:1713) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffff9c a1=0x55f8c1ce0030 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=5225 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-sleep exe=/usr/lib/systemd/systemd-sleep subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(02/04/2020 12:29:32.435:1713) : avc: denied { open } for pid=5225 comm=systemd-sleep path=/swapfile dev="vda1" ino=465736 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=1 type=AVC msg=audit(02/04/2020 12:29:32.435:1713) : avc: denied { read } for pid=5225 comm=systemd-sleep name=swapfile dev="vda1" ino=465736 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=1 ---- type=PROCTITLE msg=audit(02/04/2020 12:29:32.435:1714) : proctitle=/usr/lib/systemd/systemd-sleep hybrid-sleep type=SYSCALL msg=audit(02/04/2020 12:29:32.435:1714) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x5 a1=0xc020660b a2=0x55f8c1ce0110 a3=0x0 items=0 ppid=1 pid=5225 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-sleep exe=/usr/lib/systemd/systemd-sleep subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(02/04/2020 12:29:32.435:1714) : avc: denied { ioctl } for pid=5225 comm=systemd-sleep path=/swapfile dev="vda1" ino=465736 ioctlcmd=0x660b scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=1 ----
Following error message appears in the journal: systemd-sleep[5225]: Failed to write /sys/power/state: Operation not permitted as a result of adding the "PrivateDevices=yes" line into /usr/lib/systemd/system/systemd-hybrid-sleep.service file.
PR closed, a new domain likely needs to be added. Also changing priority, this bug only triggers when a swapfile is in place.
Is there any way I can add a domain by myself ? This bug still exists in the latest Fedora 31.
So this there no way to do Hibernation in Enforcing mode ?
This message is a reminder that Fedora 31 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '31'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 31 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 31 changed to end-of-life (EOL) status on 2020-11-24. Fedora 31 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.