I have just configured a 8GB swap file on my Fedora 31 laptop. But it seems that SELinux is blocking access to the swap file.
SELinux is preventing systemd-sleep from read access on the file fedora.swap.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-sleep should be allowed read access on the fedora.swap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
# semodule -X 300 -i my-systemdsleep.pp
Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                unconfined_u:object_r:swapfile_t:s0
Target Objects                fedora.swap [ file ]
Source                        systemd-sleep
Source Path                   systemd-sleep
Port                          <Unknown>
Host                          localhost.HPNotebook
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-3.14.4-50.fc31.noarch
Local Policy RPM              selinux-policy-targeted-3.14.4-50.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.HPNotebook
Platform                      Linux localhost.HPNotebook 5.5.15-200.fc31.x86_64 #1 SMP Thu Apr 2 19:16:17 UTC 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-04-13 21:12:22 IST
Last Seen                     2020-04-13 21:12:22 IST
Local ID                      39955636-b570-49ae-9286-ae92b49dc1c7
Raw Audit Messages
type=AVC msg=audit(1586792542.56:418): avc: denied { read } for pid=5603 comm="systemd-sleep" name="fedora.swap" dev="dm-1" ino=13 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=0
Hash: systemd-sleep,init_t,swapfile_t,file,read
Looks like it is an existing bug: https://bugzilla.redhat.com/show_bug.cgi?id=1797543
In SELinux are there any ways of adding domains ?
On Mon, Apr 13, 2020 at 10:21 PM Sreyan Chakravarty sreyan32@gmail.com wrote:
I have just configured a 8GB swap file on my Fedora 31 laptop. But it seems that SELinux is blocking access to the swap file.
SELinux is preventing systemd-sleep from read access on the file fedora.swap.
--
The above is the message I got from the SELinux trouble shooter.
This is the screenshot of the problem: https://imgur.com/a/1x55clI
What can I do ?
I don't know a whole lot about SELinux, do I have to add a label or something?
Please help.
Thanks. Regards, Sreyan Chakravarty
On 13.04.20 19:00, Sreyan Chakravarty wrote: ....
You can generate a local policy module to allow this access. Do allow this access for now by executing:
# ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
# semodule -X 300 -i my-systemdsleep.pp
...
and what happens if you perform the above two commands (everyone with "sudo" prefixed)
sudo ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
sudo semodule -X 300 -i my-systemdsleep.pp
and test hibernate
13.04.20, 19:28 CEST sixpack13:
and what happens if you perform the above two commands (everyone with "sudo" prefixed)
sudo ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
That way, ausearch will run with elevated privileges but audit2allow will not. That's probably not what you intended.
(sorry for the PM, sixpack13. Thick fingers... :-()
On Mon, Apr 13, 2020 at 6:56 PM Sreyan Chakravarty sreyan32@gmail.com wrote:
I have just configured a 8GB swap file on my Fedora 31 laptop. But it seems that SELinux is blocking access to the swap file.
SELinux is preventing systemd-sleep from read access on the file fedora.swap.
--
The above is the message I got from the SELinux trouble shooter.
This is the screenshot of the problem: https://imgur.com/a/1x55clI
What can I do ?
I don't know a whole lot about SELinux, do I have to add a label or something?
Hi,
There has already been reported a bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1797543
A new domain is needed to confine systemd-sleep. As a temporary workaround, you can create a file with the following content:
(allow init_t swapfile_t (file (getattr open read ioctl lock)))
insert as a custom policy module:
semodule -i local_init_swapfile.cil
and then remove it once the policy is updated.
Please help.
Thanks. Regards, Sreyan Chakravarty _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Can you please explain what they are doing, I don't know anything about SELinux.
Also how do I reverse the commands once the bug is fixed in upstream ?
On Mon, Apr 13, 2020 at 11:39 PM Joe Zeff joe@zeff.us wrote:
On 04/13/2020 11:57 AM, Zdenek Pytela wrote:
I don't know a whole lot about SELinux, do I have to add a label or something?
The message from the troubleshooter suggests that you run two commands to get around the issue until it's fixed. Just follow them and you'll be OK.
Edit:
The message from the troubleshooter suggests that you run two commands to get around the issue until it's fixed. Just follow them and you'll be OK.
Can you please explain what they are doing, I don't know anything about SELinux.
Also how do I reverse the commands once the bug is fixed in upstream ?
On Mon, Apr 13, 2020 at 11:50 PM Sreyan Chakravarty sreyan32@gmail.com wrote:
Can you please explain what they are doing, I don't know anything about SELinux.
Also how do I reverse the commands once the bug is fixed in upstream ?
On Mon, Apr 13, 2020 at 11:39 PM Joe Zeff joe@zeff.us wrote:
On 04/13/2020 11:57 AM, Zdenek Pytela wrote:
I don't know a whole lot about SELinux, do I have to add a label or something?
The message from the troubleshooter suggests that you run two commands to get around the issue until it's fixed. Just follow them and you'll be OK.
-- Regards, Sreyan Chakravarty
On Mon, Apr 13, 2020 at 8:23 PM Sreyan Chakravarty sreyan32@gmail.com wrote:
Edit:
The message from the troubleshooter suggests that you run two commands to get around the issue until it's fixed. Just follow them and you'll be OK.
Can you please explain what they are doing, I don't know anything about SELinux.
SELinux only knows about labels, type is the main part. The init_t is a type of a process. It requested an access to a resource which was denied by kernel, according to SELinux rules. In the report, we can see a request to read a file with type swapfile_t.
If you create a file with the suggested content and insert it as a custom SELinux module, it will allow a group of common permissions required to open and read a file. This change persists across boots.
Also how do I reverse the commands once the bug is fixed in upstream ?
Remove the module:
semodule -r local_init_swapfile
Any time, you can list modules, and possibly narrow the list:
semodule -lfull | grep local_
400 local_init_swapfile cil
On Mon, Apr 13, 2020 at 11:50 PM Sreyan Chakravarty sreyan32@gmail.com wrote:
Can you please explain what they are doing, I don't know anything about SELinux.
Also how do I reverse the commands once the bug is fixed in upstream ?
On Mon, Apr 13, 2020 at 11:39 PM Joe Zeff joe@zeff.us wrote:
On 04/13/2020 11:57 AM, Zdenek Pytela wrote:
I don't know a whole lot about SELinux, do I have to add a label or something?
The message from the troubleshooter suggests that you run two commands to get around the issue until it's fixed. Just follow them and you'll be OK.
-- Regards, Sreyan Chakravarty
-- Regards, Sreyan Chakravarty
On 04/13/2020 12:20 PM, Sreyan Chakravarty wrote:
Can you please explain what they are doing, I don't know anything about SELinux.
Good question. The first command creates an exception for SELinux that allows your system to work until the bug is fixed and the second one installs it. I'm no expert, and I'm sure that somebody will jump in and correct me if needed.
Also how do I reverse the commands once the bug is fixed in upstream ?
Another good question. You won't need to. It will just sit there, ignored, until an update comes along that removes it.
I saw a pull request in the comments of the bug, did that solve the problem?
On Mon, Apr 13, 2020 at 11:29 PM Zdenek Pytela zpytela@redhat.com wrote:
On Mon, Apr 13, 2020 at 6:56 PM Sreyan Chakravarty sreyan32@gmail.com wrote:
I have just configured a 8GB swap file on my Fedora 31 laptop. But it seems that SELinux is blocking access to the swap file.
SELinux is preventing systemd-sleep from read access on the file fedora.swap.
--
The above is the message I got from the SELinux trouble shooter.
This is the screenshot of the problem: https://imgur.com/a/1x55clI
What can I do ?
I don't know a whole lot about SELinux, do I have to add a label or something?
Hi,
There has already been reported a bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1797543
A new domain is needed to confine systemd-sleep. As a temporary workaround, you can create a file with the following content:
(allow init_t swapfile_t (file (getattr open read ioctl lock)))
insert as a custom policy module:
semodule -i local_init_swapfile.cil
and then remove it once the policy is updated.
Please help.
Thanks. Regards, Sreyan Chakravarty
--
Zdenek Pytela Security controls team, sst_platform_security
Could you please explain what: (allow init_t swapfile_t (file (getattr open read ioctl lock)))
is doing ?
Am I suppose to paste the above as is in the file ? is swapfile_t the name of my swap file or is it a SELinux attribute ?
On Mon, Apr 13, 2020 at 11:29 PM Zdenek Pytela zpytela@redhat.com wrote:
On Mon, Apr 13, 2020 at 6:56 PM Sreyan Chakravarty sreyan32@gmail.com wrote:
I have just configured a 8GB swap file on my Fedora 31 laptop. But it seems that SELinux is blocking access to the swap file.
SELinux is preventing systemd-sleep from read access on the file fedora.swap.
--
The above is the message I got from the SELinux trouble shooter.
This is the screenshot of the problem: https://imgur.com/a/1x55clI
What can I do ?
I don't know a whole lot about SELinux, do I have to add a label or something?
Hi,
There has already been reported a bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1797543
A new domain is needed to confine systemd-sleep. As a temporary workaround, you can create a file with the following content:
(allow init_t swapfile_t (file (getattr open read ioctl lock)))
insert as a custom policy module:
semodule -i local_init_swapfile.cil
and then remove it once the policy is updated.
Please help.
Thanks. Regards, Sreyan Chakravarty
--
Zdenek Pytela Security controls team, sst_platform_security
On Mon, Apr 13, 2020 at 6:56 PM Sreyan Chakravarty <sreyan32(a)gmail.com> wrote:
Hi,
There has already been reported a bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1797543
A new domain is needed to confine systemd-sleep. As a temporary workaround, you can create a file with the following content:
(allow init_t swapfile_t (file (getattr open read ioctl lock)))
insert as a custom policy module:
semodule -i local_init_swapfile.cil
and then remove it once the policy is updated.
Can you please tell me what is the difference between your method and running:
ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
semodule -X 300 -i my-systemdsleep.pp
This seems to be more permissive compared to your workaround. Would I be correct ?
On Thu, Apr 16, 2020 at 12:33 PM Sreyan Chakravarty sreyan32@gmail.com wrote:
On Mon, Apr 13, 2020 at 6:56 PM Sreyan Chakravarty <sreyan32(a)gmail.com> wrote:
Hi,
There has already been reported a bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1797543
A new domain is needed to confine systemd-sleep. As a temporary workaround, you can create a file with the following content:
(allow init_t swapfile_t (file (getattr open read ioctl lock)))
insert as a custom policy module:
semodule -i local_init_swapfile.cil
and then remove it once the policy is updated.
Can you please tell me what is the difference between your method and running:
ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep
semodule -X 300 -i my-systemdsleep.pp
This seems to be more permissive compared to your workaround. Would I be correct ?
It should be roughly the same; you may have hit only one or two of the permissions requested and get to additional ones later, so in this sense you are right as I added a common permissions set in advance.
The biggest difference I see though is that with enumerating the permissions you have full control over what is to be put into the custom policy module, while running audit2allow directly with the -M switch is kind of a blackbox where you can't see it. It can be done in 2 steps, use -m, check the type-enforcement file, possibly add or delete some of the permissions, and then insert the module. It does not matter if te or cil language and file format is used.
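The comparison discussed in the message above, worked through as an added example that is not part of the original thread: it parses the AVC record from the troubleshooter report, derives the minimal allow rule for what was actually denied (in both CIL and type-enforcement syntax), and lists which permissions the hand-written workaround grants beyond that. The function names and the follow-up denial are constructed for illustration.

```python
import re
from collections import defaultdict

# AVC record copied from the troubleshooter report quoted in this thread.
AVC_RECORD = (
    'type=AVC msg=audit(1586792542.56:418): avc: denied { read } for pid=5603 '
    'comm="systemd-sleep" name="fedora.swap" dev="dm-1" ino=13 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=unconfined_u:object_r:swapfile_t:s0 tclass=file permissive=0'
)
# Constructed follow-up denial (not from the thread), used only to show how the
# observed set grows when further permissions are hit later.
CONSTRUCTED_FOLLOWUP = AVC_RECORD.replace("{ read }", "{ open }")

# Workaround rule as posted in the thread.
WORKAROUND_CIL = "(allow init_t swapfile_t (file (getattr open read ioctl lock)))"

_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
_CIL_RE = re.compile(
    r"\(\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s+"
    r"\(\s*(?P<tclass>\S+)\s+\((?P<perms>[^)]*)\)\s*\)\s*\)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    fields = context.split(":", 3)  # the level itself may contain colons
    if len(fields) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return fields[2]


def parse_avc(record):
    """Return ((source type, target type, class), permissions) for one denial."""
    m = _AVC_RE.search(record)
    if m is None:
        raise ValueError("no AVC denial found in record")
    key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
    return key, set(m["perms"].split())


def parse_cil_allow(rule):
    """Return ((source type, target type, class), permissions) for a CIL allow."""
    m = _CIL_RE.fullmatch(rule.strip())
    if m is None:
        raise ValueError(f"not a simple CIL allow rule: {rule!r}")
    return (m["src"], m["tgt"], m["tclass"]), set(m["perms"].split())


def denied_access(records):
    """Merge denied permissions per (source type, target type, class)."""
    merged = defaultdict(set)
    for record in records:
        key, perms = parse_avc(record)
        merged[key] |= perms
    return dict(merged)


def to_cil(key, perms):
    """Render an allow rule in CIL, the format of local_init_swapfile.cil."""
    src, tgt, tclass = key
    return f"(allow {src} {tgt} ({tclass} ({' '.join(sorted(perms))})))"


def to_te(key, perms):
    """Render the same rule in type-enforcement (.te) syntax."""
    src, tgt, tclass = key
    ordered = sorted(perms)
    body = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
    return f"allow {src} {tgt}:{tclass} {body};"


def compare(rule, records):
    """Return (denied but not covered, granted but never observed) for a rule."""
    rule_key, rule_perms = parse_cil_allow(rule)
    denied = denied_access(records).get(rule_key, set())
    return sorted(denied - rule_perms), sorted(rule_perms - denied)


if __name__ == "__main__":
    key, perms = parse_avc(AVC_RECORD)
    print("minimal CIL:", to_cil(key, perms))
    print("minimal TE: ", to_te(key, perms))
    missing, extra = compare(WORKAROUND_CIL, [AVC_RECORD])
    print("workaround leaves denied:", missing)
    print("workaround grants in advance:", extra)
```

The type names in the output are SELinux labels taken from the `scontext` and `tcontext` fields, not file names, which is why the rule applies to any file labelled `swapfile_t`.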
On 4/13/20 9:51 AM, Sreyan Chakravarty wrote:
I have just configured a 8GB swap file on my Fedora 31 laptop. But it seems that SELinux is blocking access to the swap file.
Can you hibernate to a swap *file*? I thought it had to be a partition. How would you set up the resume line for that?
On Thu, 2020-04-16 at 17:12 -0700, Samuel Sieb wrote:
On 4/13/20 9:51 AM, Sreyan Chakravarty wrote:
I have just configured a 8GB swap file on my Fedora 31 laptop. But it seems that SELinux is blocking access to the swap file.
Can you hibernate to a swap *file*? I thought it had to be a partition. How would you set up the resume line for that?
It has to be a partition. A file can be on any kind of filesystem, so how would the resume function know what to do?
From systemd-hibernate-resume(8):
systemd-hibernate-resume@.service initiates the resume from hibernation. It is instantiated with the device to resume from as the template argument.
systemd-hibernate-resume only supports the in-kernel hibernation implementation, known as swsusp[1]. Internally, it works by writing the major:minor of specified device node to /sys/power/resume.
poc
On 4/17/20 1:07 AM, Patrick O'Callaghan wrote:
On Thu, 2020-04-16 at 17:12 -0700, Samuel Sieb wrote:
On 4/13/20 9:51 AM, Sreyan Chakravarty wrote:
I have just configured a 8GB swap file on my Fedora 31 laptop. But it seems that SELinux is blocking access to the swap file.
Can you hibernate to a swap *file*? I thought it had to be a partition. How would you set up the resume line for that?
It has to be a partition. A file can be on any kind of filesystem, so how would the resume function know what to do?
From systemd-hibernate-resume(8):
systemd-hibernate-resume@.service initiates the resume from hibernation. It is instantiated with the device to resume from as the template argument.
systemd-hibernate-resume only supports the in-kernel hibernation implementation, known as swsusp[1]. Internally, it works by writing the major:minor of specified device node to /sys/power/resume.
That's why I'm confused about the original question. He made a swap file for hibernating and it's not working because of an selinux issue. But even if that is resolved, it's still not going to work.
On Fri, 2020-04-17 at 01:10 -0700, Samuel Sieb wrote:
On 4/17/20 1:07 AM, Patrick O'Callaghan wrote:
On Thu, 2020-04-16 at 17:12 -0700, Samuel Sieb wrote:
On 4/13/20 9:51 AM, Sreyan Chakravarty wrote:
I have just configured a 8GB swap file on my Fedora 31 laptop. But it seems that SELinux is blocking access to the swap file.
Can you hibernate to a swap *file*? I thought it had to be a partition. How would you set up the resume line for that?
It has to be a partition. A file can be on any kind of filesystem, so how would the resume function know what to do?
From systemd-hibernate-resume(8):
systemd-hibernate-resume@.service initiates the resume from hibernation. It is instantiated with the device to resume from as the template argument.
systemd-hibernate-resume only supports the in-kernel hibernation implementation, known as swsusp[1]. Internally, it works by writing the major:minor of specified device node to /sys/power/resume.
That's why I'm confused about the original question. He made a swap file for hibernating and it's not working because of an selinux issue. But even if that is resolved, it's still not going to work.
Exactly.
poc
On Thu, 2020-04-16 at 17:12 -0700, Samuel Sieb wrote:
It has to be a partition. A file can be on any kind of filesystem, so how would the resume function know what to do?
From systemd-hibernate-resume(8):
systemd-hibernate-resume@.service initiates the resume from hibernation. It is instantiated with the device to resume from as the template argument.
systemd-hibernate-resume only supports the in-kernel hibernation implementation, known as swsusp[1]. Internally, it works by writing the major:minor of specified device node to /sys/power/resume.
poc
If you see the documentation about swsusp here: https://www.kernel.org/doc/Documentation/power/swsusp.txt
It clearly states you can use a swap file.
Now I am confused as to why you say a swap file won't work.
Where am I going wrong ?
On Fri, 17 Apr 2020 at 12:37, Sreyan Chakravarty sreyan32@gmail.com wrote:
On Thu, 2020-04-16 at 17:12 -0700, Samuel Sieb wrote:
It has to be a partition. A file can be on any kind of filesystem, so how would the resume function know what to do?
From systemd-hibernate-resume(8):
systemd-hibernate-resume@.service initiates the resume from hibernation. It is instantiated with the device to resume from as the template argument.
systemd-hibernate-resume only supports the in-kernel hibernation implementation, known as swsusp[1]. Internally, it works by writing the major:minor of specified device node to /sys/power/resume.
poc
If you see the documentation about swsusp here: https://www.kernel.org/doc/Documentation/power/swsusp.txt
It clearly states you can use a swap file.
Now I am confused as to why you say a swap file won't work.
Where am I going wrong ?
Have you looked at "man 5 systemd-sleep.conf". It describes 4 modes.
Hibernate saves enough state so the system can be restored after power is "lost". This requires stopping the filesystems, so you have to save the state outside the regular filesystems.
On Fri, 2020-04-17 at 15:37 +0000, Sreyan Chakravarty wrote:
On Thu, 2020-04-16 at 17:12 -0700, Samuel Sieb wrote:
It has to be a partition. A file can be on any kind of filesystem, so how would the resume function know what to do?
From systemd-hibernate-resume(8):
systemd-hibernate-resume@.service initiates the resume from hibernation. It is instantiated with the device to resume from as the template argument.
systemd-hibernate-resume only supports the in-kernel hibernation implementation, known as swsusp[1]. Internally, it works by writing the major:minor of specified device node to /sys/power/resume.
poc
If you see the documentation about swsusp here: https://www.kernel.org/doc/Documentation/power/swsusp.txt
It clearly states you can use a swap file.
Now I am confused as to why you say a swap file won't work.
Because the man page I already quoted explicitly says it's to be used with a device. Whether there is some other magical hibernation method different from that, I really don't know.
poc
On Fri, 2020-04-17 at 15:37 +0000, Sreyan Chakravarty wrote:
On Thu, 2020-04-16 at 17:12 -0700, Samuel Sieb wrote:
It has to be a partition. A file can be on any kind of filesystem, so how would the resume function know what to do?
From systemd-hibernate-resume(8):
systemd-hibernate-resume@.service initiates the resume from hibernation. It is instantiated with the device to resume from as the template argument.
systemd-hibernate-resume only supports the in-kernel hibernation implementation, known as swsusp[1]. Internally, it works by writing the major:minor of specified device node to /sys/power/resume.
poc
If you see the documentation about swsusp here: https://www.kernel.org/doc/Documentation/power/swsusp.txt
It clearly states you can use a swap file.
Now I am confused as to why you say a swap file won't work.
From bootparam(8):
'resume=...' This tells the kernel the location of the suspend-to-disk data that you want the machine to resume from after hibernation. Usually, it is the same as your swap partition or file. Example:
resume=/dev/hda2
There is no corresponding entry for resume_offset. I don't know if that's because Fedora doesn't support it.
poc
On 4/17/20 9:13 AM, Patrick O'Callaghan wrote:
On Fri, 2020-04-17 at 15:37 +0000, Sreyan Chakravarty wrote:
On Thu, 2020-04-16 at 17:12 -0700, Samuel Sieb wrote:
It has to be a partition. A file can be on any kind of filesystem, so how would the resume function know what to do?
From systemd-hibernate-resume(8):
systemd-hibernate-resume@.service initiates the resume from hibernation. It is instantiated with the device to resume from as the template argument.
systemd-hibernate-resume only supports the in-kernel hibernation implementation, known as swsusp[1]. Internally, it works by writing the major:minor of specified device node to /sys/power/resume.
If you see the documentation about swsusp here: https://www.kernel.org/doc/Documentation/power/swsusp.txt
It clearly states you can use a swap file.
Now I am confused as to why you say a swap file won't work.
From bootparam(8):
'resume=...' This tells the kernel the location of the suspend-to-disk data that you want the machine to resume from after hibernation. Usually, it is the same as your swap partition or file. Example:
resume=/dev/hda2
There is no corresponding entry for resume_offset. I don't know if that's because Fedora doesn't support it.
From the header of that man page, it's an "introduction to boot time parameters", not an exhaustive summary. As far as I can tell, it is valid to use a swap file for hibernation. That parameter is in the kernel. You just need to get the right offset to the file.
I've learned something new which might actually be useful at some point.
On Fri, 2020-04-17 at 13:21 -0700, Samuel Sieb wrote:
On 4/17/20 9:13 AM, Patrick O'Callaghan wrote:
On Fri, 2020-04-17 at 15:37 +0000, Sreyan Chakravarty wrote:
On Thu, 2020-04-16 at 17:12 -0700, Samuel Sieb wrote:
It has to be a partition. A file can be on any kind of filesystem, so how would the resume function know what to do?
From systemd-hibernate-resume(8):
systemd-hibernate-resume@.service initiates the resume from hibernation. It is instantiated with the device to resume from as the template argument.
systemd-hibernate-resume only supports the in-kernel hibernation implementation, known as swsusp[1]. Internally, it works by writing the major:minor of specified device node to /sys/power/resume.
If you see the documentation about swsusp here: https://www.kernel.org/doc/Documentation/power/swsusp.txt
It clearly states you can use a swap file.
Now I am confused as to why you say a swap file won't work.
From bootparam(8):
'resume=...' This tells the kernel the location of the suspend-to-disk data that you want the machine to resume from after hibernation. Usually, it is the same as your swap partition or file. Example:
resume=/dev/hda2
There is no corresponding entry for resume_offset. I don't know if that's because Fedora doesn't support it.
From the header of that man page, it's an "introduction to boot time parameters", not an exhaustive summary. As far as I can tell, it is valid to use a swap file for hibernation. That parameter is in the kernel. You just need to get the right offset to the file.
I've learned something new which might actually be useful at some point.
If that's the case then the man page for systemd-hibernate-resume is wrong.
poc
On 4/17/20 2:36 PM, Patrick O'Callaghan wrote:
On Fri, 2020-04-17 at 13:21 -0700, Samuel Sieb wrote:
From the header of that man page, it's an "introduction to boot time parameters", not an exhaustive summary. As far as I can tell, it is valid to use a swap file for hibernation. That parameter is in the kernel. You just need to get the right offset to the file.
I've learned something new which might actually be useful at some point.
If that's the case then the man page for systemd-hibernate-resume is wrong.
I don't see anything in that man page about swap files.
On Fri, 2020-04-17 at 15:57 -0700, Samuel Sieb wrote:
On 4/17/20 2:36 PM, Patrick O'Callaghan wrote:
On Fri, 2020-04-17 at 13:21 -0700, Samuel Sieb wrote:
From the header of that man page, it's an "introduction to boot time parameters", not an exhaustive summary. As far as I can tell, it is valid to use a swap file for hibernation. That parameter is in the kernel. You just need to get the right offset to the file.
I've learned something new which might actually be useful at some point.
If that's the case then the man page for systemd-hibernate-resume is wrong.
I don't see anything in that man page about swap files.
Exactly. It only talks about devices, not about offsets.
poc
On 4/18/20 1:51 AM, Patrick O'Callaghan wrote:
On Fri, 2020-04-17 at 15:57 -0700, Samuel Sieb wrote:
On 4/17/20 2:36 PM, Patrick O'Callaghan wrote:
On Fri, 2020-04-17 at 13:21 -0700, Samuel Sieb wrote:
From the header of that man page, it's an "introduction to boot time parameters", not an exhaustive summary. As far as I can tell, it is valid to use a swap file for hibernation. That parameter is in the kernel. You just need to get the right offset to the file.
I've learned something new which might actually be useful at some point.
If that's the case then the man page for systemd-hibernate-resume is wrong.
I don't see anything in that man page about swap files.
Exactly. It only talks about devices, not about offsets.
The resume script doesn't have anything to do with the offset. It just writes the device number, the kernel gets the offset from the boot command line.
https://wiki.archlinux.org/index.php/Power_management/Suspend_and_hibernate#...
The Arch Wiki clearly describes that you can Hibernate into a swap file by giving the resume_offset.
Is there any reason that using a Swap file is illegal for Hibernation ?
On Fri, Apr 17, 2020 at 5:43 AM Samuel Sieb samuel@sieb.net wrote:
On 4/13/20 9:51 AM, Sreyan Chakravarty wrote:
I have just configured a 8GB swap file on my Fedora 31 laptop. But it seems that SELinux is blocking access to the swap file.
Can you hibernate to a swap *file*? I thought it had to be a partition. How would you set up the resume line for that?
I am really confused as to why you can't use a Hibernate file.
On Fri, Apr 17, 2020 at 5:43 AM Samuel Sieb samuel@sieb.net wrote:
On 4/13/20 9:51 AM, Sreyan Chakravarty wrote:
I have just configured a 8GB swap file on my Fedora 31 laptop. But it seems that SELinux is blocking access to the swap file.
Can you hibernate to a swap *file*? I thought it had to be a partition. How would you set up the resume line for that?
On 4/13/20 9:51 AM, Sreyan Chakravarty wrote:
I have just configured a 8GB swap file on my Fedora 31 laptop. But it seems that SELinux is blocking access to the swap file.
After a lot of experimentation, I did manage to get swap file hibernation to work. The dracut module for resuming is, for some reason, not enabled by default. (At least on the minimal install that I tried. Maybe because I didn't create a swap partition at install time?) These are the steps I had to do:
- Run "filefrag -v /swapfile" to get the offset.
- Edit the grub environment to add the resume and resume_offset options to the command line.
- Regenerate the initramfs using "dracut -f -a resume" to get the resume script included.
- Set selinux to permissive.
- Run "systemctl hibernate".
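The offset step from the procedure above, as an added example that is not part of the original messages: it parses `filefrag -v` output for the first physical extent and builds the two kernel arguments. The function names, the sample output and the all-zero UUID are constructed for illustration; `resume=` must name the device holding the filesystem that contains the swap file, and `resume_offset` is counted in page-size units, so the script refuses to proceed when the filesystem block size differs from the page size.

```shell
#!/bin/sh
# Constructed sample of `filefrag -v /swapfile` output (not from the thread).
sample_filefrag() {
cat <<'EOF'
Filesystem type is: ef53
File size of /swapfile is 8589934592 (2097152 blocks of 4096 bytes)
 ext:     logical_offset:        physical_offset: length:   expected: flags:
   0:        0..   32767:      34816..     67583:  32768:
   1:    32768..   65535:     100352..    133119:  32768:      67584:
   2:    65536.. 2097151:     172032..   2203647: 2031616:     133120: last,eof
/swapfile: 3 extents found
EOF
}

# Read `filefrag -v` output on stdin; $1 = page size in bytes.
# Prints the first physical block of extent 0. Exit 1: no extent 0 found.
# Exit 2: filesystem block size differs from the page size, so the value
# cannot be used directly as resume_offset.
resume_offset_from_filefrag() {
    awk -v page="$1" '
        /blocks of [0-9]+ bytes/ {
            for (i = 1; i <= NF; i++)
                if ($i == "of" && $(i + 2) ~ /^bytes/) bs = $(i + 1)
        }
        $1 == "0:" { off = $4; sub(/\.\.$/, "", off) }
        END {
            if (off !~ /^[0-9]+$/) { print "no extent 0 found" > "/dev/stderr"; exit 1 }
            if (bs != page) { print "block size != page size" > "/dev/stderr"; exit 2 }
            print off
        }'
}

# $1 = UUID of the filesystem that holds the swap file, $2 = offset.
resume_cmdline() {
    printf 'resume=UUID=%s resume_offset=%s\n' "$1" "$2"
}

# Demo on the constructed sample. On a real system the inputs would be:
#   filefrag -v /swapfile | resume_offset_from_filefrag "$(getconf PAGESIZE)"
#   findmnt -no UUID -T /swapfile
SAMPLE_UUID="00000000-0000-0000-0000-000000000000"  # placeholder, not a real UUID
off=$(sample_filefrag | resume_offset_from_filefrag 4096) &&
    resume_cmdline "$SAMPLE_UUID" "$off"
```

The offset has to be recomputed whenever the swap file is recreated or moved, because the first extent's physical location changes.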
On 4/13/20 9:51 AM, Sreyan Chakravarty wrote:
After a lot of experimentation, I did manage to get swap file hibernation to work. The dracut module for resuming is, for some reason, not enabled by default. (At least on the minimal install that I tried. Maybe because I didn't create a swap partition at install time?) These are the steps I had to do:
- Run "filefrag -v /swapfile" to get the offset.
- Edit the grub environment to add the resume and resume_offset options to the command line.
- Regenerate the initramfs using "dracut -f -a resume" to get the resume script included.
- Set selinux to permissive.
- Run "systemctl hibernate".
Wait, hibernation with a swap file worked for you ? Wow, that's great.
I knew there might be something wrong with the dracut configuration since Manjaro is able to resume from a swap file in an encrypted LVM. But it uses initrd as its initial ramdisk, which it configures with mkinitcpio.conf. While Fedora uses dracut.
I have one question though: If the resume script is disabled in dracut then how is Fedora able to resume from a swap partition ? I mean isn't that the same as resuming from a swap file ?
It can resume from a swap partition even if it's encrypted but not from a swap file ? Is the resume script specific to swap files ?
Also could you tell me where did you get the list of dracut modules from ?
On 4/13/20 9:51 AM, Sreyan Chakravarty wrote:
After a lot of experimentation, I did manage to get swap file hibernation to work. The dracut module for resuming is, for some reason, not enabled by default. (At least on the minimal install that I tried. Maybe because I didn't create a swap partition at install time?) These are the steps I had to do:
- Run "filefrag -v /swapfile" to get the offset.
- Edit the grub environment to add the resume and resume_offset options to the command line.
- Regenerate the initramfs using "dracut -f -a resume" to get the resume script included.
- Set selinux to permissive.
- Run "systemctl hibernate".
I can confirm that this is working, but I don't understand if the resume module is not included then how can Fedora resume from a swap partition and not a swap file?
Also the SELinux exceptions mentioned in this topic - will they work in this case ?
On 4/18/20 2:33 AM, Sreyan Chakravarty wrote:
On 4/13/20 9:51 AM, Sreyan Chakravarty wrote:
After a lot of experimentation, I did manage to get swap file hibernation to work. The dracut module for resuming is, for some reason, not enabled by default. (At least on the minimal install that I tried. Maybe because I didn't create a swap partition at install time?) These are the steps I had to do:
- Run "filefrag -v /swapfile" to get the offset.
- Edit the grub environment to add the resume and resume_offset options to the command line.
- Regenerate the initramfs using "dracut -f -a resume" to get the resume script included.
- Set selinux to permissive.
- Run "systemctl hibernate".
I can confirm that this is working, but I don't understand if the resume module is not included then how can Fedora resume from a swap partition and not a swap file?
That's a good question that I don't have an answer to.
Also the SELinux exceptions mentioned in this topic - will they work in this case ?
Yes, it's the same case. It's the hibernating that is blocked by selinux, not the resuming.
On 4/13/20 9:51 AM, Sreyan Chakravarty wrote:
After a lot of experimentation, I did manage to get swap file hibernation to work. The dracut module for resuming is, for some reason, not enabled by default. (At least on the minimal install that I tried. Maybe because I didn't create a swap partition at install time?) These are the steps I had to do:
- Run "filefrag -v /swapfile" to get the offset.
- Edit the grub environment to add the resume and resume_offset options to the command line.
- Regenerate the initramfs using "dracut -f -a resume" to get the resume script included.
- Run "systemctl hibernate".
Thanks so much for all your help. I got hibernation working with the instructions you gave, the key instruction being adding the resume module to dracut.
Set selinux to permissive.
I weirdly did not have to do this, worked just fine by typing systemctl hibernate.
Thanks again for all your help.
I think I will write a HOW-TO in ask-fedora regarding this.
On 4/18/20 6:20 AM, Sreyan Chakravarty wrote:
On 4/13/20 9:51 AM, Sreyan Chakravarty wrote:
After a lot of experimentation, I did manage to get swap file hibernation to work. The dracut module for resuming is, for some reason, not enabled by default. (At least on the minimal install that I tried. Maybe because I didn't create a swap partition at install time?) These are the steps I had to do:
- Run "filefrag -v /swapfile" to get the offset.
- Edit the grub environment to add the resume and resume_offset options to the command line.
- Regenerate the initramfs using "dracut -f -a resume" to get the resume script included.
- Run "systemctl hibernate".
Thanks so much for all your help. I got hibernation working with the instructions you gave, the key instruction being adding the resume module to dracut.
Set selinux to permissive.
I weirdly did not have to do this, worked just fine by typing systemctl hibernate.
That's because you already added the selinux changes to fix that.
That's because you already added the selinux changes to fix that.
I didn't though. It works automatically, the only difference between now and then is that I am using the command systemctl hibernate to trigger hibernation. Before, I had set "On Power Button Press: Hibernate" from Gnome Power Options.
On Sat, Apr 18, 2020 at 10:12 PM Samuel Sieb samuel@sieb.net wrote:
On 4/18/20 6:20 AM, Sreyan Chakravarty wrote:
On 4/13/20 9:51 AM, Sreyan Chakravarty wrote:
After a lot of experimentation, I did manage to get swap file hibernation to work. The dracut module for resuming is, for some reason, not enabled by default. (At least on the minimal install that I tried. Maybe because I didn't create a swap partition at install time?) These are the steps I had to do:
- Run "filefrag -v /swapfile" to get the offset.
- Edit the grub environment to add the resume and resume_offset options to the command line.
- Regenerate the initramfs using "dracut -f -a resume" to get the resume script included.
- Run "systemctl hibernate".
Thanks so much for all your help. I got hibernation working with the instructions you gave, the key instruction being adding the resume module to dracut.
Set selinux to permissive.
I weirdly did not have to do this, worked just fine by typing systemctl
hibernate.
That's because you already added the selinux changes to fix that.
On 4/18/20 12:05 PM, Sreyan Chakravarty wrote:
That's because you already added the selinux changes to fix that.
I didn't though. It works automatically, the only difference between now and then is that I am using the command systemctl hibernate to trigger hibernation. Before, I had set "On Power Button Press: Hibernate" from Gnome Power Options.
Interesting. That's the command I was using and it was blocked by selinux. Although I was testing with F32 beta, so maybe there has been an update that fixed it in F31.
Although I was testing with F32 beta, so maybe there has been an update
that fixed it in F31.
I thought Fedora 32 would contain all the fixes of Fedora 31 even if it was in beta.
On Sun, Apr 19, 2020 at 11:20 AM Samuel Sieb samuel@sieb.net wrote:
On 4/18/20 12:05 PM, Sreyan Chakravarty wrote:
That's because you already added the selinux changes to fix that.
I didn't though. It works automatically, the only difference between now and then is that I am using the command systemctl hibernate to trigger hibernation. Before, I had set "On Power Button Press: Hibernate" from Gnome Power Options.
Interesting. That's the command I was using and it was blocked by selinux. Although I was testing with F32 beta, so maybe there has been an update that fixed it in F31.
On 4/19/20 12:57 AM, Sreyan Chakravarty wrote:
Although I was testing with F32 beta, so maybe there has been an
update that fixed it in F31.
I thought Fedora 32 would contain all the fixes of Fedora 31 even if it was in beta.
No, because there's a freeze at each stage where no updates are allowed except designated exceptions for specific issues.