On Fri, Dec 11, 2020 at 8:26 PM Sreyan Chakravarty <sreyan32@xxxxxxxxx> wrote:
>
> On Fri, Dec 11, 2020 at 12:32 AM Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote:
> >
> > If the journal doesn't have more information about why it says this,
> > and if the error is reported in the journal by systemd-logind, enable
> > debug logging for logind and reproduce and then try to figure out why
> > logind is complaining:
> >
> > https://github.com/systemd/systemd/issues/15354#issuecomment-610385478
> >
> > There is a possibility there isn't enough contiguous space in the
> > swapfile for the hibernation image. i.e. when you fallocate the
> > swapfile, it may be comprised of one or even dozens of separate
> > extents and if one of them isn't big enough for hibernation entry then
> > it'll always fail.
> >
> > As far as I'm aware there isn't a way to ask fallocate for a minimum
> > extent size. I've sometimes had to fallocate multiple files in a row
> > to get a swapfile with few fragments and then delete the rest.
> >
> > You can use filefrag -v to see the extent sizes. Those extents are
> > basically holes that swap code writes into. The swap code isn't
> > writing swap or hibernation images via Btrfs. It's just asking Btrfs
> > "what are the ranges and locations I can use" and Btrfs reports that
> > and then the swap and hibernation code use those areas directly.
> >
> >
> > > $ lsattr /var/swap/fedora.swap
> > > ---------------C---- /var/swap/fedora.swap
> >
> > > UUID=7d9dbe1b-dea6-4141-807b-026325123ad8 /var/swap
> > > btrfs subvol=swap,rw,nodatacow,noattime,nosuid,x-systemd.device-timeout=0
> >
> > OK you're confused. You do not need both chattr +C on the file and the
> > nodatacow option. You only need one of those. You should realize that
> > the nodatacow option applies file system wide. It's non-obvious but
> > really only the VFS mount options can apply separately to bind mounts.
> > And on Fedora, since subvolumes are mounted to specific mount points
> > and are thus effectively bind mounts behind the scenes, it seems like
> > you can apply some mount options to specific subvolumes as if they are
> > separate file systems. But that's not what's going on, they're just
> > bind mounts. So you can do atime for one mount point, noatime for
> > another. And same for ro or rw. Those are VFS options. The Btrfs mount
> > options apply file system wide, that includes nodatacow, compress, and
> > so on.
> >
> > Further problem now that you're using nodatacow is that you have a
> > bunch of nodatacow files that have been created in the meantime. And
> > those do *not* have chattr +C so you have no easy way to find them.
> > You'd have to parse 'btrfs inspect-internal dump-tree' for the
> > nodatacow flag.
> >
> > nodatacow files are also no compression and no data checksums. So I'm
> > betting this is not what you want.
> >
>
> It's a SELinux error. Are there any SELinux experts here?
>
> I ran the command:
>
> $ sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent
>
> and got the error:
>
> time->Fri Dec 11 20:19:20 2020
> type=AVC msg=audit(1607698160.378:357): avc: denied { search } for
> pid=1362 comm="systemd-logind" name="swap" dev="dm-0" ino=256
> scontext=system_u:system_r:systemd_logind_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
>
>
> If I run the command:
>
> $ /sbin/restorecon /var/swap/fedora.swap
>
> I get the following error:
>
> time->Fri Dec 11 19:59:56 2020
> type=AVC msg=audit(1607696996.854:323): avc: denied { read } for
> pid=2523 comm="systemd-sleep" name="fedora.swap" dev="dm-0" ino=257
> scontext=system_u:system_r:init_t:s0
> tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
>
>
> My current SELinux label is:
>
> unconfined_u:object_r:swapfile_t:s0 /var/swap/fedora.swap
>
> When I run "/sbin/restorecon", the label changes to:
>
> unconfined_u:object_r:var_t:s0 /var/swap/fedora.swap
>
> IIRC, the correct label is etc_runtime or something like that.
>
> Can any SELinux expert help me?
>
> --
> Regards,
> Sreyan Chakravarty

I also got the following allow rules from "sesearch --allow | grep swap":

allow devices_unconfined_type device_node:blk_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow devices_unconfined_type device_node:chr_file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow devices_unconfined_type device_node:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow devices_unconfined_type device_node:lnk_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:blk_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:chr_file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:dir { add_name append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto remove_name rename reparent rmdir search setattr swapon unlink write };
allow files_unconfined_type file_type:fifo_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:lnk_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow files_unconfined_type file_type:sock_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow filesystem_unconfined_type filesystem_type:blk_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow filesystem_unconfined_type filesystem_type:chr_file { append audit_access create entrypoint execmod execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow filesystem_unconfined_type filesystem_type:dir { add_name append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto remove_name rename reparent rmdir search setattr swapon unlink write };
allow filesystem_unconfined_type filesystem_type:fifo_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow filesystem_unconfined_type filesystem_type:file { append audit_access create execmod execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow filesystem_unconfined_type filesystem_type:lnk_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow filesystem_unconfined_type filesystem_type:sock_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow kern_unconfined proc_type:dir { add_name append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto remove_name rename reparent rmdir search setattr swapon unlink write };
allow kern_unconfined proc_type:file { append audit_access create execmod execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow kern_unconfined proc_type:lnk_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow kern_unconfined sysctl_type:dir { add_name append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto remove_name rename reparent rmdir search setattr swapon unlink write };
allow kern_unconfined sysctl_type:file { append audit_access create execmod execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow kern_unconfined sysctl_type:lnk_file { append audit_access create execmod execute getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
allow swapfile_t swapfile_t:filesystem associate;
allow updfstab_t swapfile_t:file getattr;

I have no idea what it means. I have no clue about SELinux.

--
Regards,
Sreyan Chakravarty
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
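The two AVC records quoted in the thread can be read mechanically rather than by eye. The following Python script is an added example, not code from the thread or from any Fedora or SELinux tool: it parses `ausearch -m AVC` style output, groups denials by source type, target type, object class and permission, and flags targets whose type is `unlabeled_t` (the type SELinux assigns to an object that carries no valid label, so no allow rule can ever match it). The sample input is constructed from the thread's two records, re-joined onto single lines the way ausearch prints them; the function and class names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the two AVC records quoted in the thread,
# each re-joined onto one line the way `ausearch -m AVC` prints them.
SAMPLE_AUDIT = """\
time->Fri Dec 11 20:19:20 2020
type=AVC msg=audit(1607698160.378:357): avc:  denied  { search } for  pid=1362 comm="systemd-logind" name="swap" dev="dm-0" ino=256 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
----
time->Fri Dec 11 19:59:56 2020
type=AVC msg=audit(1607696996.854:323): avc:  denied  { read } for  pid=2523 comm="systemd-sleep" name="fedora.swap" dev="dm-0" ino=257 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
"""

# Header of an AVC record: audit timestamp, serial, verdict, permission set,
# then the free-form key=value fields.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted (comm="systemd-logind").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    verdict: str
    perms: tuple
    fields: dict

    @property
    def source_type(self) -> str:
        # A context is user:role:type:level; the type is the third field.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]


def parse_avc(text: str) -> list:
    """Return one AvcRecord per type=AVC line; time-> and ---- lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        records.append(AvcRecord(
            timestamp=float(m.group("ts")),
            serial=int(m.group("serial")),
            verdict=m.group("verdict"),
            perms=tuple(m.group("perms").split()),
            fields=fields,
        ))
    return records


def denial_counts(records) -> Counter:
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r.verdict != "denied":
            continue
        for perm in r.perms:
            counts[(r.source_type, r.target_type, r.fields["tclass"], perm)] += 1
    return counts


def diagnose(record: AvcRecord) -> str:
    """One-line triage hint: an unlabeled_t target is a labelling problem,
    not a missing policy rule."""
    target = record.fields.get("name", "?")
    if record.target_type == "unlabeled_t":
        return (f"{target}: target carries no valid SELinux label (unlabeled_t); "
                f"no allow rule can match it until it is relabelled")
    return (f"{target}: {record.source_type} denied {' '.join(record.perms)} on "
            f"{record.fields['tclass']} labelled {record.target_type}; confirm the "
            f"label the policy expects for this path before adding any rule")


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    for key, n in sorted(denial_counts(recs).items()):
        print(n, *key)
    for r in recs:
        print(diagnose(r))
```

Run as a script it prints one count per (source, target, class, permission) tuple followed by a triage line per record; on the thread's records the first denial is flagged as an unlabeled_t target, which is why no `sesearch --allow` output could explain it.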