systemd / zram-generator

Systemd unit generator for zram devices
MIT License

Cannot change compression algorithm to lz4 with enforcing SELinux #152

Closed hakimifr closed 2 years ago

hakimifr commented 2 years ago

os: Fedora 35 zram-generator version:

zram-generator.x86_64           1.1.1-3.fc35   @updates
zram-generator-defaults.noarch  1.1.1-3.fc35   @updates

I created /etc/systemd/zram-generator.conf and added the following contents:

[zram0]
compression-algorithm = lz4

And when I run systemctl restart systemd-zram-setup@zram0.service, I get the following error:

root@fedora /h/hakimi [1]# systemctl restart systemd-zram-setup@zram0.service
Job for systemd-zram-setup@zram0.service failed because the control process exited with error code.
See "systemctl status systemd-zram-setup@zram0.service" and "journalctl -xeu systemd-zram-setup@zram0.service" for details.
root@fedora /h/hakimi [1]# 

journal:

Mar 10 05:59:01 fedora systemd[1]: Starting Create swap on /dev/zram0...
Mar 10 05:59:01 fedora kernel: Can't allocate a compression stream
Mar 10 05:59:01 fedora kernel: zram: Cannot initialise lz4 compressing backend
Mar 10 05:59:01 fedora zram-generator[9110]: Error: Failed to configure disk size into /sys/block/zram0/disksize
Mar 10 05:59:01 fedora zram-generator[9110]: Caused by:
Mar 10 05:59:01 fedora zram-generator[9110]:     Cannot allocate memory (os error 12)
Mar 10 05:59:01 fedora systemd[1]: systemd-zram-setup@zram0.service: Main process exited, code=exited, status=1/FAILURE
Mar 10 05:59:01 fedora systemd[1]: systemd-zram-setup@zram0.service: Failed with result 'exit-code'.
Mar 10 05:59:01 fedora systemd[1]: Failed to start Create swap on /dev/zram0.

grepping /proc/modules reveals that the lz4 compression module isn't loaded.

root@fedora /h/hakimi# grep 'lz4' /proc/modules
root@fedora /h/hakimi [1]# 

However, if I temporarily make SELinux permissive with setenforce 0, the unit restarts fine and I now have zram with lz4 compression...

root@fedora /h/hakimi# setenforce 0
root@fedora /h/hakimi# systemctl restart systemd-zram-setup@zram0.service
root@fedora /h/hakimi# zramctl
NAME       ALGORITHM DISKSIZE DATA COMPR TOTAL STREAMS MOUNTPOINT
/dev/zram0 lz4           1.8G   4K   69B    4K       2 [SWAP]
root@fedora /h/hakimi# 

# journal
Mar 10 06:05:54 fedora systemd[1]: Starting Create swap on /dev/zram0...
Mar 10 06:05:55 fedora kernel: zram0: detected capacity change from 0 to 3830784
Mar 10 06:05:55 fedora zram-generator[9524]: Setting up swapspace version 1, size = 1.8 GiB (1961357312 bytes)
Mar 10 06:05:55 fedora zram-generator[9524]: LABEL=zram0, UUID=0a8d0b64-b99f-4cf6-abf4-a9e1a8a1f722
Mar 10 06:05:55 fedora audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-zram-setup@zram0 comm="s>
Mar 10 06:05:55 fedora systemd[1]: Finished Create swap on /dev/zram0.
Mar 10 06:05:55 fedora systemd[1]: Activating swap Compressed Swap on /dev/zram0...
Mar 10 06:05:55 fedora kernel: Adding 1915388k swap on /dev/zram0.  Priority:100 extents:1 across:1915388k SSDscFS
Mar 10 06:05:55 fedora systemd[1]: Activated swap /dev/android0.
Mar 10 06:05:55 fedora systemd[1]: Activated swap Compressed Swap on /dev/zram0.

And lz4 kernel module is now loaded.

root@fedora /h/hakimi# grep 'lz4' /proc/modules
lz4 16384 2 - Live 0xffffffffc1570000
lz4_compress 36864 1 lz4, Live 0xffffffffc1566000
root@fedora /h/hakimi# 

related(?) #77

keszybz commented 2 years ago

Do you have any AVCs logged for the failure?

hakimifr commented 2 years ago

I don't see any avc denial in dmesg and /var/log/audit/audit.log

hakimifr commented 2 years ago

(nor any avc message), but I've confirmed again by setting compression to the default lzo-rle and rebooting, same behaviour if I try to set lz4 as compression-algorithm again. Only works after permissive selinux.

hakimifr commented 2 years ago

So I followed this to temporarily disable dontaudit and the denial is now showing up in /var/log/audit/audit.log

type=AVC msg=audit(1646867409.273:465): avc:  denied  { module_request } for  pid=5177 comm="zram-generator" kmod="crypto-lz4" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1646867409.273:466): avc:  denied  { module_request } for  pid=5177 comm="zram-generator" kmod="crypto-lz4-all" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1646867409.273:467): avc:  denied  { module_request } for  pid=5177 comm="zram-generator" kmod="cryptomgr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=SERVICE_START msg=audit(1646867409.294:468): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-zram-setup@zram0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
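As an added example (not code from this issue or from zram-generator), the following parser shows how a defender would pull these hidden `module_request` denials out of audit.log once dontaudit rules are disabled, grouping them by source domain and process so the missing policy allow rule is obvious. The sample lines are a constructed copy of the AVC records above.

```python
import re

# Constructed sample audit.log excerpt, modelled on the denials quoted in this issue.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1646867409.273:465): avc:  denied  { module_request } for  pid=5177 comm="zram-generator" kmod="crypto-lz4" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1646867409.273:466): avc:  denied  { module_request } for  pid=5177 comm="zram-generator" kmod="crypto-lz4-all" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1646867409.273:467): avc:  denied  { module_request } for  pid=5177 comm="zram-generator" kmod="cryptomgr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=SERVICE_START msg=audit(1646867409.294:468): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-zram-setup@zram0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
"""

# Header of an AVC record: timestamp, serial, verdict, permission set, then key=value pairs.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    for key, value in KV_RE.findall(m["rest"]):
        rec[key] = value.strip('"')
    return rec

def module_request_denials(log_text):
    """Keep only denied kernel-module load requests (tclass=system, perm module_request)."""
    return [rec for rec in map(parse_avc, log_text.splitlines())
            if rec and rec["result"] == "denied"
            and "module_request" in rec["perms"] and rec.get("tclass") == "system"]

def summarize(denials):
    """Group denied module names by (source SELinux domain, comm) for a policy report."""
    summary = {}
    for d in denials:
        domain = d["scontext"].split(":")[2]          # e.g. init_t
        summary.setdefault((domain, d["comm"]), set()).add(d["kmod"])
    return {key: sorted(mods) for key, mods in summary.items()}

if __name__ == "__main__":
    for (domain, comm), mods in summarize(module_request_denials(SAMPLE_AUDIT_LOG)).items():
        print(f"{domain} ({comm}) denied module_request for: {', '.join(mods)}")
```

Because these denials are covered by dontaudit rules in the distribution policy, they do not appear in audit.log at all until the rules are disabled (as the reporter did), which is why the earlier search for AVC messages came up empty.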

keszybz commented 2 years ago

Please take this up with the provider of your selinux policy. We cannot do anything about this here.