Description of problem: When selinux is enabled using a swap file will fail unless the file is labeled swapfile_t.
Actually it is not enough. After labeling the problem remains:

    root@kepler ~]# ls -Z /swapfile
    -rw-r--r--  root root system_u:object_r:swapfile_t /swapfile

The warning in dmesg is still there:

    audit(1140109455.801:6): avc: denied { read } for pid=2165 comm="swapon" name="swapfile" dev=sda2 ino=67052 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=file
    audit(1140109455.810:7): avc: denied { write } for pid=2165 comm="swapon" name="swapfile" dev=sda2 ino=67052 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=file
Fixed policy errors in 2.2.19-2, but still need mkswap to label correctly.
    # ls -Z ~/swapfile
    -rw-r--r--  root root /root/swapfile
    # ./mkswap ~/swapfile
    Setting up swapspace version 1, size = 67104 kB
    # ls -Z ~/swapfile
    -rw-r--r--  root root swapfile_t /root/swapfile

The patch will be available in the util-linux >= 2.13-0.16 package.
This patch is broken. If selinux is disabled, it still tries to label. I'd suggest adding "&& is_selinux_enabled()" to the if statement doing the S_ISREG(). I also get an error saying "unable to relabel file to swap_t: invalid argument". Still looking into where this is coming from. You might look at newrole or fixfiles for example relabeling code. I have a suspicion that simply feeding it the type is not enough, a full context has to be computed. The patch also needs #ifdef HAVE_LIBSELINUX added around the selinux pieces.
It works, and it should work if selinux is disabled (my box with selinux=0 in grub.conf):

    # ./mkswap ~/swapfile
    Setting up swapspace version 1, size = 67104 kB
    # ls -Z ~/swapfile
    -rw-r--r--  root root swapfile_t /root/swapfile
    # getenforce
    Disabled

I think setting a label (xattr) on a file is independent of the selinux mode. The patch is based on code from setfiles and restorecon from policycoreutils where all is done by lsetfilecon(). I have no idea if we need something like security_compute_relabel(). Daniel?
This is on my system:

    [root ~]# !dd
    dd if=/dev/zero of=fs/swap bs=1024 count=8192
    8192+0 records in
    8192+0 records out
    8388608 bytes (8.4 MB) copied, 0.191322 seconds, 43.8 MB/s
    [root ~]# mkswap fs/swap
    Setting up swapspace version 1, size = 8384 kB
    mkswap: unable to relabel fs/swap to swapfile_t: Invalid argument
    [root ~]# rpm -q util-linux
    util-linux-2.13-0.16
ah.. I probably found a solution in the chcon command code. I have to compute the context and swapfile_t should be only the "type" part of the context. Steve thanks!
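The relabeling approach described in the comment above, as an added illustration that is not the util-linux patch itself: the existing context (user:role:type[:range]) is read, only the type field is swapped for swapfile_t, and the full computed context is written back. It assumes glibc's sys/xattr.h and reads/writes the security.selinux xattr directly in place of libselinux's lgetfilecon()/lsetfilecon(); the function names context_set_type() and relabel_type() are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Build a new context from ctx, replacing only the third colon-separated
 * field (the type) and keeping user, role and any trailing MLS range.
 * Returns 0 on success; -1 with errno = EINVAL if ctx is not a
 * user:role:type[:range] string or the result does not fit in out. */
int context_set_type(const char *ctx, const char *type, char *out, size_t outlen)
{
    const char *user_end, *role_end, *type_start, *type_end, *rest;
    int n;

    user_end = strchr(ctx, ':');
    if (!user_end) goto bad;
    role_end = strchr(user_end + 1, ':');
    if (!role_end) goto bad;
    type_start = role_end + 1;
    if (*type_start == '\0' || *type_start == ':') goto bad;
    type_end = strchr(type_start, ':');   /* NULL when there is no range */
    rest = type_end ? type_end : "";      /* ":s0" (with its colon) or "" */

    /* "user:role:" prefix + new type + untouched range suffix */
    n = snprintf(out, outlen, "%.*s%s%s", (int)(type_start - ctx), ctx, type, rest);
    if (n < 0 || (size_t)n >= outlen) goto bad;
    return 0;
bad:
    errno = EINVAL;
    return -1;
}

/* Relabel path so it keeps its user/role/range but gets the given type.
 * A real implementation would first check is_selinux_enabled() and use
 * lgetfilecon()/lsetfilecon(); here the xattr is accessed directly. */
int relabel_type(const char *path, const char *type)
{
    char cur[256], newctx[256];
    ssize_t len = lgetxattr(path, "security.selinux", cur, sizeof(cur) - 1);
    if (len < 0) return -1;   /* ENOTSUP/ENODATA when no SELinux label exists */
    cur[len] = '\0';
    if (context_set_type(cur, type, newctx, sizeof(newctx)) < 0) return -1;
    return lsetxattr(path, "security.selinux", newctx, strlen(newctx) + 1, 0);
}
```

Passing the bare string "swapfile_t" as the whole label is exactly what produces the "Invalid argument" error seen above; the kernel only accepts a complete context.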
Thanks for looking at this. Adding to FC5 blocker since installer may need this.
Fixed (util-linux-2.13-0.17).

    $ ls -Z /tmp/swapfile
    -rw-rw-r--  kzak kzak user_u:object_r:tmp_t /tmp/swapfile
    $ ./mkswap /tmp/swapfile
    Setting up swapspace version 1, size = 6705 kB
    $ ls -Z /tmp/swapfile
    -rw-rw-r--  kzak kzak user_u:object_r:swapfile_t /tmp/swapfile
OK, I just checked it and it works much better. One last question...in the fprintf() error messages, do you need to add the _( ) stuff for internationalization? Thanks for fixing this!