Re: btrfs swapfile - Not enough swap space for hibernation.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Dec 11, 2020 at 8:26 PM Sreyan Chakravarty <sreyan32@xxxxxxxxx> wrote:
>
> On Fri, Dec 11, 2020 at 12:32 AM Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote:
> >
> > If the journal doesn't have more information about why it says this,
> > and if the error is reported in the journal by systemd-logind, enable
> > debug logging for logind and reproduce and the try to figure out why
> > logind is complaining:
> >
> > https://github.com/systemd/systemd/issues/15354#issuecomment-610385478
> >
> > There is a possibility there isn't enough contiguous space in the
> > swapfile for the hibernation image. i.e. when you fallocate the
> > swapfile, it may be comprised of one or even dozens of separate
> > extents and if one of them isn't big enough for hibernation entry then
> > it'll always fail.
> >
> > As far as I'm aware there isn't a way to ask fallocate for a minimum
> > extent size. I've sometimes had to fallocate multiple files in a row
> > to get a swapfile with few fragments and then delete the rest.
> >
> > You can use filefrag -v to see the extent sizes. Those extents are
> > basically holes that swap code writes into. The swap code isn't
> > writing swap or hibernation images via Btrfs. It's just asking Btrfs
> > "what are the ranges and locations I can use" and Btrfs reports that
> > and then the swap and hibernation code use those areas directly.
> >
> >
> > > $ lsattr /var/swap/fedora.swap
> > > ---------------C---- /var/swap/fedora.swap
> >
> > > UUID=7d9dbe1b-dea6-4141-807b-026325123ad8 /var/swap
> > >    btrfs   subvol=swap,rw,nodatacow,noattime,nosuid,x-systemd.device-timeout=0
> >
> > OK you're confused. You do not need both chattr +C on the file and the
> > nodatacow option. You only need one of those. You should realize that
> > the nodatacow option applies file system wide. It's non-obvious but
> > really only the VFS mount options can apply separately to bind mounts.
> > And on Fedora, since subvolumes are mounted to specific mounts points
> > and are thus effectively bind mounts behind the scenes, it seems like
> > you can apply some mount options to specific subvolumes as if they are
> > separate file systems. But that's not what's going on, they're just
> > bind mounts. So you can do atime for one mount point, noatime for
> > another. And same for ro or rw. Those are VFS options. The Btrfs mount
> > options apply file system wide, that includes nodatacow, compress, and
> > so on.
> >
> > Further problem now that you're using nodatacow is that you have a
> > bunch of nodatacow files that have been created in the meantime. And
> > those do *not* have chattr +C so you have no easy way to find them.
> > You'd have to parse 'btrfs inspect-internal dump-tree' for the
> > nodatacow flag.
> >
> > nodatacow files are also no compression and no data checksums. So I'm
> > betting this is not what you want.
> >
>
>
> It's a SELinux error. Are there any SELinux experts here ?
>
> I ran the command:
>
> $ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent
>
> and got the error:
>
> time->Fri Dec 11 20:19:20 2020
> type=AVC msg=audit(1607698160.378:357): avc:  denied  { search } for
> pid=1362 comm="systemd-logind" name="swap" dev="dm-0" ino=256
> scontext=system_u:system_r:systemd_logind_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
>
>
> If I run the command:
>
> $ /sbin/restorecon /var/swap/fedora.swap
>
> I get the following error:
>
> time->Fri Dec 11 19:59:56 2020
> type=AVC msg=audit(1607696996.854:323): avc:  denied  { read } for
> pid=2523 comm="systemd-sleep" name="fedora.swap" dev="dm-0" ino=257
> scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
>
>
> My current SELinux label is :
>
> unconfined_u:object_r:swapfile_t:s0 /var/swap/fedora.swap
>
> When I run "/sbin/restorecon", the label changes to :
>
> unconfined_u:object_r:var_t:s0 /var/swap/fedora.swap
>
> IIRC, the correct label is etc_runtime or something like that.
>
> Can any SELinux expert help me ?
>
> --
> Regards,
> Sreyan Chakravarty


I also got the following allow rules from "sesearch --allow | grep swap"

allow devices_unconfined_type device_node:blk_file { append
audit_access create execmod execute getattr ioctl link lock map
mounton open quotaon read relabelfrom relabelto rename setattr swapon
unlink write };
allow devices_unconfined_type device_node:chr_file { append
audit_access create execute execute_no_trans getattr ioctl link lock
map mounton open quotaon read relabelfrom relabelto rename setattr
swapon unlink write };
allow devices_unconfined_type device_node:file { append audit_access
create execute execute_no_trans getattr ioctl link lock map mounton
open quotaon read relabelfrom relabelto rename setattr swapon unlink
write };
allow devices_unconfined_type device_node:lnk_file { append
audit_access create execmod execute getattr ioctl link lock map
mounton open quotaon read relabelfrom relabelto rename setattr swapon
unlink write };
allow files_unconfined_type file_type:blk_file { append audit_access
create execmod execute getattr ioctl link lock map mounton open
quotaon read relabelfrom relabelto rename setattr swapon unlink write
};
allow files_unconfined_type file_type:chr_file { append audit_access
create execute execute_no_trans getattr ioctl link lock map mounton
open quotaon read relabelfrom relabelto rename setattr swapon unlink
write };
allow files_unconfined_type file_type:dir { add_name append
audit_access create execmod execute getattr ioctl link lock map
mounton open quotaon read relabelfrom relabelto remove_name rename
reparent rmdir search setattr swapon unlink write };
allow files_unconfined_type file_type:fifo_file { append audit_access
create execmod execute getattr ioctl link lock map mounton open
quotaon read relabelfrom relabelto rename setattr swapon unlink write
};
allow files_unconfined_type file_type:file { append audit_access
create execute execute_no_trans getattr ioctl link lock map mounton
open quotaon read relabelfrom relabelto rename setattr swapon unlink
write };
allow files_unconfined_type file_type:lnk_file { append audit_access
create execmod execute getattr ioctl link lock map mounton open
quotaon read relabelfrom relabelto rename setattr swapon unlink write
};
allow files_unconfined_type file_type:sock_file { append audit_access
create execmod execute getattr ioctl link lock map mounton open
quotaon read relabelfrom relabelto rename setattr swapon unlink write
};
allow filesystem_unconfined_type filesystem_type:blk_file { append
audit_access create execmod execute getattr ioctl link lock map
mounton open quotaon read relabelfrom relabelto rename setattr swapon
unlink write };
allow filesystem_unconfined_type filesystem_type:chr_file { append
audit_access create entrypoint execmod execute execute_no_trans
getattr ioctl link lock map mounton open quotaon read relabelfrom
relabelto rename setattr swapon unlink write };
allow filesystem_unconfined_type filesystem_type:dir { add_name append
audit_access create execmod execute getattr ioctl link lock map
mounton open quotaon read relabelfrom relabelto remove_name rename
reparent rmdir search setattr swapon unlink write };
allow filesystem_unconfined_type filesystem_type:fifo_file { append
audit_access create execmod execute getattr ioctl link lock map
mounton open quotaon read relabelfrom relabelto rename setattr swapon
unlink write };
allow filesystem_unconfined_type filesystem_type:file { append
audit_access create execmod execute execute_no_trans getattr ioctl
link lock map mounton open quotaon read relabelfrom relabelto rename
setattr swapon unlink write };
allow filesystem_unconfined_type filesystem_type:lnk_file { append
audit_access create execmod execute getattr ioctl link lock map
mounton open quotaon read relabelfrom relabelto rename setattr swapon
unlink write };
allow filesystem_unconfined_type filesystem_type:sock_file { append
audit_access create execmod execute getattr ioctl link lock map
mounton open quotaon read relabelfrom relabelto rename setattr swapon
unlink write };
allow kern_unconfined proc_type:dir { add_name append audit_access
create execmod execute getattr ioctl link lock map mounton open
quotaon read relabelfrom relabelto remove_name rename reparent rmdir
search setattr swapon unlink write };
allow kern_unconfined proc_type:file { append audit_access create
execmod execute execute_no_trans getattr ioctl link lock map mounton
open quotaon read relabelfrom relabelto rename setattr swapon unlink
write };
allow kern_unconfined proc_type:lnk_file { append audit_access create
execmod execute getattr ioctl link lock map mounton open quotaon read
relabelfrom relabelto rename setattr swapon unlink write };
allow kern_unconfined sysctl_type:dir { add_name append audit_access
create execmod execute getattr ioctl link lock map mounton open
quotaon read relabelfrom relabelto remove_name rename reparent rmdir
search setattr swapon unlink write };
allow kern_unconfined sysctl_type:file { append audit_access create
execmod execute execute_no_trans getattr ioctl link lock map mounton
open quotaon read relabelfrom relabelto rename setattr swapon unlink
write };
allow kern_unconfined sysctl_type:lnk_file { append audit_access
create execmod execute getattr ioctl link lock map mounton open
quotaon read relabelfrom relabelto rename setattr swapon unlink write
};
allow swapfile_t swapfile_t:filesystem associate;
allow updfstab_t swapfile_t:file getattr;


I have no idea what it means.

I have no clue about SELinux.

-- 
Regards,
Sreyan Chakravarty
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx



[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux