RHEL-51109

[Azure][RHEL-10]SELinux is preventing /usr/lib/systemd/systemd-sleep which blocks "systemctl hibernate"

    • Bug
    • Resolution: Duplicate
    • Normal
    • rhel-10.0.beta
    • selinux-policy
    • sst_security_selinux
    • ssg_security
    • Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      In RHEL-10, when I set up a VM for hibernation and run "systemctl hibernate", it doesn't work, and I can see an SELinux message in /var/log/messages:

      Jul 29 04:49:12 wala10test107290748-vm2 setroubleshoot[4979]: SELinux is preventing /usr/lib/systemd/systemd-sleep from read access on the blk_file sdb1. For complete SELinux messages run: sealert -l a6239c08-eb7f-4bb6-aedf-32bb24437473
      Jul 29 04:49:12 wala10test107290748-vm2 setroubleshoot[4979]: SELinux is preventing /usr/lib/systemd/systemd-sleep from read access on the blk_file sdb1.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that systemd-sleep should be allowed read access on the sdb1 blk_file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'systemd-sleep' --raw | audit2allow -M my-systemdsleep#012# semodule -X 300 -i my-systemdsleep.pp#012
      • If SELinux is set to permissive mode, "systemctl hibernate" runs successfully.
      • Running "echo disk > /sys/power/state" hibernates the VM successfully.
      • No such issue in RHEL-9.5
         
        Please provide the package NVR for which bug is seen:
        kernel-6.10.0-15.el10.x86_64
        libselinux-3.7-2.el10.x86_64
        libselinux-utils-3.7-2.el10.x86_64
        python3-libselinux-3.7-2.el10.x86_64
        selinux-policy-40.13.5-1.el10.noarch
        selinux-policy-targeted-40.13.5-1.el10.noarch
        rpm-plugin-selinux-4.19.1.1-2.el10.x86_64

        How reproducible:

        Always

        Steps to reproduce

      1. Set up the Azure VM for hibernation (steps in https://polarion.engineering.redhat.com/polarion/#/project/RHELVIRT/workitem?id=RHEL-241708)
      2. In serial console, run "systemctl hibernate"
      3. Check /var/log/messages

      Expected results

      "systemctl hibernate" can hibernate the VM

      Actual results

      There's no response to the "systemctl hibernate" command.
      I can see the following messages in the SSH session, but the VM is actually not hibernated.

      Broadcast message from root@wala10test107290748-vm2 on ttyS0 (Mon 2024-07-29 04:48:59 EDT):
      
      The system will hibernate now!

       

      [root@wala10test107290748-vm2 ~]# ausearch -m AVC -ts today
      ----
      time->Mon Jul 29 04:48:59 2024
      type=PROCTITLE msg=audit(1722242939.202:119): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D736C6565700068696265726E617465
      type=SYSCALL msg=audit(1722242939.202:119): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=556e406199c0 a2=80900 a3=0 items=0 ppid=1 pid=4977 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sleep" exe="/usr/lib/systemd/systemd-sleep" subj=system_u:system_r:systemd_sleep_t:s0 key=(null)
      type=AVC msg=audit(1722242939.202:119): avc:  denied  { read } for  pid=4977 comm="systemd-sleep" name="sdb1" dev="devtmpfs" ino=247 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0

            rhn-support-zpytela Zdenek Pytela
            yuxisun@redhat.com Yuxin Sun
            Zdenek Pytela Zdenek Pytela
            Milos Malik Milos Malik
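
A small triage helper for the audit records quoted in this report, added here as an example (it is not part of the original report or of any Red Hat tooling). It decodes the hex proctitle, maps the syscall exit code to an errno name, and renders the AVC denial as the policy rule it corresponds to; the function names are hypothetical and the sample input is the ausearch output above.

```python
import errno
import re

# Records copied from the ausearch output in the report above.
SAMPLE = """\
type=PROCTITLE msg=audit(1722242939.202:119): proctitle=2F7573722F6C69622F73797374656D642F73797374656D642D736C6565700068696265726E617465
type=SYSCALL msg=audit(1722242939.202:119): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=556e406199c0 a2=80900 a3=0 items=0 ppid=1 pid=4977 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-sleep" exe="/usr/lib/systemd/systemd-sleep" subj=system_u:system_r:systemd_sleep_t:s0 key=(null)
type=AVC msg=audit(1722242939.202:119): avc:  denied  { read } for  pid=4977 comm="systemd-sleep" name="sdb1" dev="devtmpfs" ino=247 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
"""

HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")


def decode_proctitle(raw):
    """Hex form is used when argv holds bytes such as NUL or space; args are NUL-separated."""
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).replace(b"\0", b" ").decode(errors="replace")


def triage(text):
    """Group records by audit event id and summarise each denial."""
    events = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        ev = events.setdefault(event_id, {})
        raw = dict(KV.findall(body))
        f = {k: v.strip('"') for k, v in raw.items()}
        if rtype == "PROCTITLE":
            ev["cmdline"] = decode_proctitle(raw["proctitle"])
        elif rtype == "SYSCALL":
            ev["exe"] = f["exe"]
            # Negative exit values are -errno; -13 maps to EACCES.
            ev["errno"] = errno.errorcode.get(-int(f["exit"]), f["exit"])
        elif rtype == "AVC":
            # SELinux contexts are user:role:type:level; the type is field 3.
            src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
            perms = " ".join(PERMS.search(body).group(1).split())
            ev["enforced"] = f["permissive"] == "0"
            ev["rule"] = f"allow {src} {tgt}:{f['tclass']} {{ {perms} }};"
    return events


if __name__ == "__main__":
    for event_id, ev in triage(SAMPLE).items():
        print(event_id, ev)
```

The derived rule is type-wide: it would cover every block device labelled fixed_disk_device_t, not only sdb1.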