Hi,

I've been using hibernate to a swap partition on a Lenovo X250 for years. After a dnf upgrade to F40 beta, hibernation breaks with the following log entries:

audit[5317]: AVC avc: denied { read } for pid=5317 comm="systemd-sleep" name="dm-1" dev="devtmpfs" ino=423 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
systemd-sleep[5317]: Failed to find location to hibernate to: Permission denied
systemd[1]: systemd-hibernate.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-hibernate.service: Failed with result 'exit-code'.
systemd[1]: Failed to start systemd-hibernate.service - System Hibernate.
systemd[1]: Dependency failed for hibernate.target - System Hibernation.
systemd[1]: hibernate.target: Job hibernate.target/start failed with result 'dependency'.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hibernate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

I haven't been able to find out how to give/restore the required permissions.

Reproducible: Always

Steps to Reproduce:
1. Install F39
2. Set up hibernation to swap partition
3. dnf upgrade to F40 beta

Actual Results:
hibernation fails due to selinux permissions

Expected Results:
successful hibernation
Christian,

Can you check if adding the reported permission is sufficient?

# cat local_sleep.cil
(allow systemd_sleep_t fixed_disk_device_t (blk_file (read)))
# semodule -i local_sleep.cil
<reproduce>
# semodule -r local_sleep
This is currently in the policy:

# systemd-sleep needs to getattr swap partitions
storage_getattr_fixed_disk_dev(systemd_sleep_t)
storage_getattr_removable_dev(systemd_sleep_t)

I wonder when it started not to be enough since nobody reported a related problem since 2021.
I'm not very familiar with selinux. I found other .cil files in /usr/share/udica/templates, so I created local_sleep.cil with this one line in there and ran semodule -i local_sleep.cil. This did not change things, the error remains the same.
I believe the content of the cil file matches the reported denial, therefore there should not be the same denial again. Can you confirm there is again the same avc, or a different one, or just the service failing?
With the file in place, the error is:

audit[10498]: AVC avc: denied { open } for pid=10498 comm="systemd-sleep" path="/dev/dm-1" dev="devtmpfs" ino=423 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
systemd-sleep[10498]: Failed to find location to hibernate to: Permission denied
systemd[1]: systemd-hibernate.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-hibernate.service: Failed with result 'exit-code'.
systemd[1]: Failed to start systemd-hibernate.service - System Hibernate.
systemd[1]: Dependency failed for hibernate.target - System Hibernation.
systemd[1]: hibernate.target: Job hibernate.target/start failed with result 'dependency'.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hibernate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

which differs in one detail from the previous one:

******
audit[5317]: AVC avc: denied { read } for pid=5317 comm="systemd-sleep" name="dm-1" dev="devtmpfs" ino=423 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0

So I modified the rule to read

(allow systemd_sleep_t fixed_disk_device_t (blk_file (open read)))

and hibernate works again! Thank you very much!
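The two denials in this thread surfaced one after the other, and the working rule is simply their union. As an added example (not part of the thread or of selinux-policy), the sketch below merges the AVC records quoted above into one CIL allow rule per source type, target type and class; the function names are hypothetical and the sample log is the two denials copied from the comments.

```python
import re
from collections import defaultdict

# Sample input: the two AVC denials quoted in this thread, plus one non-AVC line.
SAMPLE_LOG = """\
audit[5317]: AVC avc: denied { read } for pid=5317 comm="systemd-sleep" name="dm-1" dev="devtmpfs" ino=423 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
systemd-sleep[5317]: Failed to find location to hibernate to: Permission denied
audit[10498]: AVC avc: denied { open } for pid=10498 comm="systemd-sleep" path="/dev/dm-1" dev="devtmpfs" ino=423 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
"""

# Permissions sit inside { ... }; the contexts and class follow as key=value pairs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third component) of user:role:type[:level]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # ordinary journal line, not an AVC record
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denied[key].update(m["perms"].split())
    return dict(denied)

def to_cil(denied):
    """Render one CIL allow rule per (source, target, class) triple."""
    return [
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(denied.items())
    ]

if __name__ == "__main__":
    print("\n".join(to_cil(collect_denials(SAMPLE_LOG))))
```

The generated rule still needs review before it is loaded with `semodule -i`, since it grants exactly what was denied whether or not the access is appropriate.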
This is exactly what I needed to know, thank you for your cooperation.
FEDORA-2024-57cdb8429c (selinux-policy-40.17-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-57cdb8429c
FEDORA-2024-57cdb8429c has been pushed to the Fedora 40 testing repository.

Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-57cdb8429c`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-57cdb8429c

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
*** Bug 2277489 has been marked as a duplicate of this bug. ***
FEDORA-2024-57cdb8429c (selinux-policy-40.17-1.fc40) has been pushed to the Fedora 40 stable repository. If the problem still persists, please make note of it in this bug report.
*** Bug 2277933 has been marked as a duplicate of this bug. ***