On Mon, Apr 13, 2020 at 6:56 PM Sreyan Chakravarty <sreya...@gmail.com>
wrote:
> I have just configured a 8GB swap file on my Fedora 31 laptop. But it
> seems that SELinux is blocking access to the swap file.
>
> SELinux is preventing systemd-sleep from read access on the file
> fedora.swap.
>
> ***** Plugin catchall (100. confidence) suggests
> **************************
>
> If you believe that systemd-sleep should be allowed read access on the
> fedora.swap file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
> # semodule -X 300 -i my-systemdsleep.pp
>
> Additional Information:
> Source Context system_u:system_r:init_t:s0
> Target Context unconfined_u:object_r:swapfile_t:s0
> Target Objects fedora.swap [ file ]
> Source systemd-sleep
> Source Path systemd-sleep
> Port <Unknown>
> Host localhost.HPNotebook
> Source RPM Packages
> Target RPM Packages
> SELinux Policy RPM selinux-policy-3.14.4-50.fc31.noarch
> Local Policy RPM selinux-policy-targeted-3.14.4-50.fc31.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name localhost.HPNotebook
> Platform Linux localhost.HPNotebook
> 5.5.15-200.fc31.x86_64
> #1 SMP Thu Apr 2 19:16:17 UTC 2020 x86_64
> x86_64
> Alert Count 1
> First Seen 2020-04-13 21:12:22 IST
> Last Seen 2020-04-13 21:12:22 IST
> Local ID 39955636-b570-49ae-9286-ae92b49dc1c7
>
> Raw Audit Messages
> type=AVC msg=audit(1586792542.56:418): avc: denied { read } for
> pid=5603 comm="systemd-sleep" name="fedora.swap" dev="dm-1" ino=13
> scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=0
>
>
> Hash: systemd-sleep,init_t,swapfile_t,file,read
>
> --
>
> The above is the message I got from the SELinux trouble shooter.
>
> This is the screenshot of the problem: https://imgur.com/a/1x55clI
>
> What can I do ?
>
> I don't know a whole lot about SELinux, do I have to add a label or
> something?
>
Hi,
There has already been reported a bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1797543
A new domain is needed to confine systemd-sleep. As a temporary workaround,
you can create a file with the following content:
(allow init_t swapfile_t (file (getattr open read ioctl lock)))
insert as a custom policy module:
semodule -i local_init_swapfile.cil
and then remove it once the policy is updated.
> Please help.
>
> Thanks.
> Regards,
> Sreyan Chakravarty
> _______________________________________________
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
>
--
Zdenek Pytela
Security controls team, sst_platform_security
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
