search

fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0
156 stars 157 forks source link

Missing permissions to `swapfile_t` for `systemd_login_t` and `systemd_sleep_t` #2108

Open mtalexan opened 2 months ago

mtalexan commented 2 months ago

Per a write up on the Fedora Forum, when setting up a swapfile the file usually needs to be in a dedicated directory so it can be managed separately by the file system (e.g. a separate BTRFS subvolume). That directory seems to need to be labeled with the standard swapfile_t label, which of course is a unique-per-system configuration.

However, once labeled, sleeping is blocked by an AVC denial because the systemd_login_t process needs to be able to do a search on the swap_file_t domain to find the swapfile itself in the dedicated and labeled swapfile folder.

Even after this permission is granted, hibernation/suspend-to-disk runs into the same problem from systemd_sleep_t.

Unless I'm mistaken, it seems like the following should be part of this base policy:

#============= systemd_logind_t ==============
allow systemd_logind_t swapfile_t:dir search;

#============= systemd_sleep_t ==============
allow systemd_sleep_t swapfile_t:dir search;

The only other thing I can think of is if the directory containing the swapfile is expected to be labeled some other way, while the swapfile itself is the only thing labled as swapfile_t? But if so, what's the expected label on the dedicated directory?

mtalexan commented 2 months ago

Link to the mention of the second missing permission: https://discussion.fedoraproject.org/t/setup-hibernation-on-silverblue-kionite/78834/20