TLDR: after upgrading F39 to F40 systemd-sleep can no longer hibernate due to "access denied" to the swap partition

========================================================================

The affected setup is as follows (worked correctly in F39 and before)

* swap partition on luks volume
* no mountpoint
* selinux context system_u:object_r:fixed_disk_device_t:s0 (confirmed by `semanage fcontext -l | grep -e /dev/dm`)

Now, systemd uses "system_u:system_r:systemd_sleep_t:s0" and as a result it can no longer access the swap partition. It could in F39, but cannot in F40.

========================================================================

journald produces the following

```
Apr 29 22:33:48 Matt-X1C systemd[1]: Starting systemd-hibernate.service - System Hibernate...
Apr 29 22:33:48 Matt-X1C systemd-sleep[15861]: Failed to find location to hibernate to: Permission denied
Apr 29 22:33:48 Matt-X1C audit[15861]: AVC avc: denied { read } for pid=15861 comm="systemd-sleep" name="dm-2" dev="devtmpfs" ino=512 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
Apr 29 22:33:48 Matt-X1C systemd[1]: systemd-hibernate.service: Main process exited, code=exited, status=1/FAILURE
Apr 29 22:33:48 Matt-X1C systemd[1]: systemd-hibernate.service: Failed with result 'exit-code'.
Apr 29 22:33:48 Matt-X1C systemd[1]: Failed to start systemd-hibernate.service - System Hibernate.
```

and the SELinux troubleshooter shows what's below

```
SELinux is preventing systemd-sleep from read access on the blk_file dm-2.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-sleep should be allowed read access on the dm-2 blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
# semodule -X 300 -i my-systemdsleep.pp

Additional Information:
Source Context                system_u:system_r:systemd_sleep_t:s0
Target Context                system_u:object_r:fixed_disk_device_t:s0
Target Objects                dm-2 [ blk_file ]
Source                        systemd-sleep
Source Path                   systemd-sleep
Port                          <Unknown>
Host                          Matt-X1C
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-40.16-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.16-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     Matt-X1C
Platform                      Linux Matt-X1C 6.8.7-300.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC
                              Wed Apr 17 19:21:08 UTC 2024 x86_64
Alert Count                   4
First Seen                    2024-04-26 17:23:08 CEST
Last Seen                     2024-04-29 22:33:48 CEST
Local ID                      372f6fee-a3be-488b-a3e9-d5d272b5d6b6

Raw Audit Messages
type=AVC msg=audit(1714422828.819:436): avc: denied  { read } for  pid=15861 comm="systemd-sleep" name="dm-2" dev="devtmpfs" ino=512 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0

Hash: systemd-sleep,systemd_sleep_t,fixed_disk_device_t,blk_file,read
```

Reproducible: Always
*** This bug has been marked as a duplicate of bug 2273959 ***
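As an added example (not part of the report above), a small Python filter that parses audit AVC records and picks out exactly the denial described in this bug: systemd_sleep_t reading a fixed_disk_device_t blk_file. It is useful for checking whether other hosts show the same signature before deciding on a local policy module. The sample lines are constructed from the AVC record quoted in the report plus one unrelated denial; the function names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the AVC record from the report above, plus an unrelated
# denial so the filter has something to reject.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1714422828.819:436): avc: denied  { read } for  pid=15861 '
    'comm="systemd-sleep" name="dm-2" dev="devtmpfs" ino=512 '
    'scontext=system_u:system_r:systemd_sleep_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0',
    'type=AVC msg=audit(1714422900.100:440): avc: denied  { write } for  pid=2201 '
    'comm="httpd" name="index.html" dev="dm-0" ino=77 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

# Matches both raw audit records and the journald "audit[...]: AVC avc: ..." form.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)

def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the security-relevant fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # A context is user:role:type:level; the type is the third field.
    return {
        "result": d["result"],
        "perms": set(d["perms"].split()),
        "comm": d["comm"],
        "stype": d["scontext"].split(":")[2],
        "ttype": d["tcontext"].split(":")[2],
        "tclass": d["tclass"],
        "permissive": d["permissive"] == "1" if d["permissive"] else None,
    }

def is_sleep_swap_denial(rec: Dict[str, object]) -> bool:
    """True only for the systemd-sleep -> fixed disk block device read denial."""
    return (rec["result"] == "denied" and rec["stype"] == "systemd_sleep_t"
            and rec["ttype"] == "fixed_disk_device_t"
            and rec["tclass"] == "blk_file" and "read" in rec["perms"])

def find_sleep_swap_denials(lines: List[str]) -> List[Dict[str, object]]:
    recs = (parse_avc(l) for l in lines)
    return [r for r in recs if r and is_sleep_swap_denial(r)]
```

Feed it `ausearch -m AVC --raw` output (or journal lines) and an empty result means this particular denial is not what is blocking hibernation on that host.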