Bug 2324950 - AVC avc: denied { unlink } for pid=732 comm="systemd-hiberna" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=9308 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 42
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-11-09 22:19 UTC by Steve
Modified: 2025-11-20 04:25 UTC
CC List: 7 users

Fixed In Version: selinux-policy-42.1-1.fc42
Clone Of:
Environment:
Last Closed: 2025-07-22 01:11:34 UTC
Type: ---
Embargoed:
zpytela: mirror+

Links:
Github fedora-selinux/selinux-policy pull 2620 (Draft): Confine systemd-hibernate, last updated 2025-04-03 08:52:44 UTC
Red Hat Issue Tracker FC-1661, last updated 2025-05-14 14:25:45 UTC

Description Steve 2024-11-09 22:19:43 UTC
These AVCs occurred after attempting to hibernate on bare metal with:

$ systemctl hibernate

Hibernation appeared to occur, but the system restarted instead of waking.

$ journalctl --no-hostname -b -1 | fgrep AVC

Nov 09 21:35:29 audit[732]: AVC avc:  denied  { unlink } for  pid=732 comm="systemd-hiberna" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=9308 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

Nov 09 21:35:30 audit[1038]: AVC avc:  denied  { unlink } for  pid=1038 comm="systemd-hiberna" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=9308 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

A suitable swap partition is allocated, but not encrypted:

$ journalctl --no-hostname -b -1 | fgrep 'swap on /dev/sdc4'
Nov 09 21:35:30 kernel: Adding 31248380k swap on /dev/sdc4.  Priority:-2 extents:1 across:31248380k SS


Reproducible: Always

$ rpm -q selinux-policy systemd
selinux-policy-41.24-1.fc42.noarch
systemd-257~rc1-2.fc42.x86_64

$ uname -r
6.12.0-0.rc6.20241108git906bd684e4b1.55.fc42.x86_64

Comment 1 Steve 2024-11-11 19:50:22 UTC
I believe this AVC occurs when systemd-hibernate-clear.service runs:

$ journalctl --no-hostname -b -1 | egrep -n 'systemd-hibernate-clear.service|avc'
1084:Nov 11 19:12:18 systemd[1]: Starting systemd-hibernate-clear.service - Clear Stale Hibernate Storage Info...
1090:Nov 11 19:12:18 kernel: audit: type=1400 audit(1731352338.446:3): avc:  denied  { unlink } for  pid=730 comm="systemd-hiberna" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=10332 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1114:Nov 11 19:12:18 audit[730]: AVC avc:  denied  { unlink } for  pid=730 comm="systemd-hiberna" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=10332 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
1143:Nov 11 19:12:18 systemd[1]: Finished systemd-hibernate-clear.service - Clear Stale Hibernate Storage Info.
3137:Nov 11 19:26:55 systemd[1]: systemd-hibernate-clear.service: Deactivated successfully.
3138:Nov 11 19:26:55 systemd[1]: Stopped systemd-hibernate-clear.service - Clear Stale Hibernate Storage Info.

The file being unlinked, HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67, would be in /sys/firmware/efi/efivars/.

NB: selinux was running in permissive mode.

$ rpm -q selinux-policy systemd
selinux-policy-41.24-1.fc42.noarch
systemd-257~rc1-2.fc42.x86_64

$ uname -r
6.12.0-0.rc6.20241108git906bd684e4b1.55.fc42.x86_64
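As an added example (not code from the reporter or from the selinux-policy project), the following Python script parses the AVC lines quoted in the description and in Comment 1. It handles both renderings that appear in the journal output above, the `audit[pid]: AVC avc: ...` form and the `kernel: audit: type=1400 ...: avc: ...` form, pulls out the source and target SELinux types, and records whether each denial was actually enforced (permissive=0) or only logged (permissive=1, the case in Comment 1 where the system was running permissive). The sample input is constructed from the lines quoted in this bug plus one unrelated kernel line so the filter has something to skip.

```python
import re
from collections import defaultdict

# Constructed sample input: the denial lines quoted in this bug plus one
# unrelated kernel line (the swap activation message) that must be ignored.
SAMPLE_JOURNAL = """\
Nov 09 21:35:29 audit[732]: AVC avc:  denied  { unlink } for  pid=732 comm="systemd-hiberna" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=9308 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0
Nov 09 21:35:30 kernel: Adding 31248380k swap on /dev/sdc4.  Priority:-2 extents:1 across:31248380k SS
Nov 11 19:12:18 kernel: audit: type=1400 audit(1731352338.446:3): avc:  denied  { unlink } for  pid=730 comm="systemd-hiberna" name="HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=10332 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=1
"""

# Matches both journal renderings: "audit[732]: AVC avc: denied { ... } for ..."
# and "kernel: audit: type=1400 audit(...): avc: denied { ... } for ...".
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs after "for"; values are double-quoted (comm, name, dev) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context (init_t from system_u:system_r:init_t:s0)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one journal line; return a dict for an AVC record, or None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", "0")),
        "comm": fields.get("comm", ""),
        "name": fields.get("name", ""),
        "dev": fields.get("dev", ""),
        "source_type": selinux_type(fields.get("scontext", "")),
        "target_type": selinux_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
        # permissive=0: the kernel refused the access. permissive=1: the access
        # went through and was only logged (domain or whole system permissive).
        "enforced": fields.get("permissive") == "0",
    }


def parse_journal(text):
    """All AVC records found in a block of journal text, in order."""
    return [ev for ev in (parse_avc(line) for line in text.splitlines()) if ev]


def summarize(text):
    """Group denials by (source type, target type, class, permission); count total and enforced."""
    summary = defaultdict(lambda: {"count": 0, "enforced": 0})
    for ev in parse_journal(text):
        if ev["decision"] != "denied":
            continue
        for perm in ev["perms"]:
            key = (ev["source_type"], ev["target_type"], ev["tclass"], perm)
            summary[key]["count"] += 1
            summary[key]["enforced"] += int(ev["enforced"])
    return dict(summary)


if __name__ == "__main__":
    for (src, tgt, cls, perm), stats in summarize(SAMPLE_JOURNAL).items():
        print(f"{src} -> {tgt} ({cls}) {perm}: "
              f"{stats['count']} denials, {stats['enforced']} enforced")
```

Run against the constructed sample it prints a single tuple, init_t -> efivarfs_t (file) unlink, with two denials of which one was enforced. That the denial is attributed to init_t rather than to a service-specific domain is what Comment 4 addresses: confining systemd-hibernate into its own domain lets any access it needs be granted to that domain instead of to everything running as init_t. To run it on a real system, feed it the output of the `journalctl --no-hostname -b -1` command used in the report instead of SAMPLE_JOURNAL.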

Comment 2 Steve 2024-11-11 20:14:10 UTC
An earlier log confirms the path:

$ journalctl --no-hostname -b -7 | fgrep -m1 '/sys/firmware'
Nov 11 18:20:36 systemd[1]: systemd-hibernate-clear.service - Clear Stale Hibernate Storage Info was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67).

Comment 3 Aoife Moloney 2025-02-26 13:15:32 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.

Comment 4 Zdenek Pytela 2025-04-03 08:52:44 UTC
Steve,

I started with confining the hibernate service. Will you be able to test the copr build and gather additional denials? The domain is set to permissive mode so as not to block any action.

https://github.com/fedora-selinux/selinux-policy/pull/2620
checks -> rpm build rawhide/42

Comment 5 Fedora Update System 2025-07-15 14:58:27 UTC
FEDORA-2025-42c191342a (selinux-policy-42.1-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-42c191342a

Comment 6 Fedora Update System 2025-07-16 01:40:37 UTC
FEDORA-2025-42c191342a has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-42c191342a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-42c191342a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2025-07-22 01:11:34 UTC
FEDORA-2025-42c191342a (selinux-policy-42.1-1.fc42) has been pushed to the Fedora 42 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 8 Red Hat Bugzilla 2025-11-20 04:25:04 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
