Per a write-up on the Fedora Forum, when setting up a swapfile the file usually needs to be in a dedicated directory so it can be managed separately by the file system (e.g. a separate BTRFS subvolume). That directory seems to need to be labeled with the standard swapfile_t label, which of course is a unique-per-system configuration.
However, once labeled, sleeping is blocked by an AVC denial because the systemd_login_t process needs to be able to do a search on the swap_file_t domain to find the swapfile itself in the dedicated and labeled swapfile folder.
Even after this permission is granted, hibernation/suspend-to-disk runs into the same problem from systemd_sleep_t.
Unless I'm mistaken, it seems like the following should be part of this base policy:
The only other thing I can think of is if the directory containing the swapfile is expected to be labeled some other way, while the swapfile itself is the only thing labeled as swapfile_t? But if so, what's the expected label on the dedicated directory?
@mtalexan The policy does not define any path with swapfile_t as the default type and all rules just take into account files with this type, so it looks like a design. Both sleep and logind can search a few dozen directory types, so if none fits the system's policy, I'd leave it to admins who can create a local SELinux policy module unless any recommendation or best practice documentation exists.
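Added example, not part of the issue or of the project's policy: a sketch of how an admin following the local-module suggestion above could derive a narrowly scoped module from AVC denials, emitting only `dir search` rules on swapfile_t for the two systemd domains and skipping everything else. The log lines are constructed, and `systemd_logind_t` as logind's domain name, the module name `local_swapfile_dir` and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample denials in audit.log AVC format (not taken from the issue).
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:301): avc:  denied  { search } for  pid=901 comm="systemd-logind" name="swap" dev="dm-0" ino=256 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000050.202:340): avc:  denied  { search } for  pid=4410 comm="systemd-sleep" name="swap" dev="dm-0" ino=256 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000060.303:351): avc:  denied  { write } for  pid=5000 comm="httpd" name="swapfile" dev="dm-0" ino=257 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:swapfile_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=[^:]+:[^:]+:(?P<src>\w+):\S*\s+"
    r"tcontext=[^:]+:[^:]+:(?P<tgt>\w+):\S*\s+"
    r"tclass=(?P<cls>\w+)"
)

def swap_dir_rules(log, target="swapfile_t",
                   allowed=("systemd_logind_t", "systemd_sleep_t")):
    """Keep only 'dir search' denials on the target type from allowed domains."""
    rules, skipped = defaultdict(set), []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = set(m["perms"].split())
        if (m["tgt"] == target and m["cls"] == "dir"
                and m["src"] in allowed and perms <= {"search"}):
            rules[m["src"]] |= perms
        else:
            # Anything broader is left for manual review, never auto-allowed.
            skipped.append((m["src"], m["tgt"], m["cls"], sorted(perms)))
    return dict(rules), skipped

def render_module(rules, name="local_swapfile_dir", target="swapfile_t"):
    """Render a local policy module (.te) containing only the kept rules."""
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in sorted(rules) + [target]]
    lines += ["    class dir search;", "}", ""]
    lines += [f"allow {s} {target}:dir search;" for s in sorted(rules)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    kept, skipped = swap_dir_rules(SAMPLE_LOG)
    print(render_module(kept))
    print("left for review:", skipped)
```

The rendered text can be saved as a `.te` file and built and loaded with `checkmodule`, `semodule_package` and `semodule -i`.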