On Mon, Apr 13, 2020 at 6:56 PM Sreyan Chakravarty <sreya...@gmail.com> wrote:
> I have just configured a 8GB swap file on my Fedora 31 laptop. But it > seems that SELinux is blocking access to the swap file. > > SELinux is preventing systemd-sleep from read access on the file > fedora.swap. > > ***** Plugin catchall (100. confidence) suggests > ************************** > > If you believe that systemd-sleep should be allowed read access on the > fedora.swap file by default. > Then you should report this as a bug. > You can generate a local policy module to allow this access. > Do > allow this access for now by executing: > # ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep > # semodule -X 300 -i my-systemdsleep.pp > > Additional Information: > Source Context system_u:system_r:init_t:s0 > Target Context unconfined_u:object_r:swapfile_t:s0 > Target Objects fedora.swap [ file ] > Source systemd-sleep > Source Path systemd-sleep > Port <Unknown> > Host localhost.HPNotebook > Source RPM Packages > Target RPM Packages > SELinux Policy RPM selinux-policy-3.14.4-50.fc31.noarch > Local Policy RPM selinux-policy-targeted-3.14.4-50.fc31.noarch > Selinux Enabled True > Policy Type targeted > Enforcing Mode Enforcing > Host Name localhost.HPNotebook > Platform Linux localhost.HPNotebook > 5.5.15-200.fc31.x86_64 > #1 SMP Thu Apr 2 19:16:17 UTC 2020 x86_64 > x86_64 > Alert Count 1 > First Seen 2020-04-13 21:12:22 IST > Last Seen 2020-04-13 21:12:22 IST > Local ID 39955636-b570-49ae-9286-ae92b49dc1c7 > > Raw Audit Messages > type=AVC msg=audit(1586792542.56:418): avc: denied { read } for > pid=5603 comm="systemd-sleep" name="fedora.swap" dev="dm-1" ino=13 > scontext=system_u:system_r:init_t:s0 > tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=0 > > > Hash: systemd-sleep,init_t,swapfile_t,file,read > > -- > > The above is the message I got from the SELinux trouble shooter. > > This is the screenshot of the problem: https://imgur.com/a/1x55clI > > What can I do ? > > I don't know a whole lot about SELinux, do I have to add a label or > something? > Hi, There has already been reported a bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1797543 A new domain is needed to confine systemd-sleep. As a temporary workaround, you can create a file with the following content: (allow init_t swapfile_t (file (getattr open read ioctl lock))) insert as a custom policy module: semodule -i local_init_swapfile.cil and then remove it once the policy is updated. > Please help. > > Thanks. > Regards, > Sreyan Chakravarty > _______________________________________________ > users mailing list -- users@lists.fedoraproject.org > To unsubscribe send an email to users-le...@lists.fedoraproject.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org > -- Zdenek Pytela Security controls team, sst_platform_security
_______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org