Per a write-up on the Fedora Forum, when setting up a swapfile the file usually needs to be in a dedicated directory so it can be managed separately by the file system (e.g. a separate BTRFS subvolume). That directory seems to need to be labeled with the standard swapfile_t label, which of course is a unique-per-system configuration.
However, once labeled, sleeping is blocked by an AVC denial because the systemd_login_t process needs to be able to do a search on the swap_file_t domain to find the swapfile itself in the dedicated and labeled swapfile folder.
Even after this permission is granted, hibernation/suspend-to-disk runs into the same problem from systemd_sleep_t.
Unless I'm mistaken, it seems like the following should be part of this base policy:
The only other thing I can think of is if the directory containing the swapfile is expected to be labeled some other way, while the swapfile itself is the only thing labeled as swapfile_t? But if so, what's the expected label on the dedicated directory?