Making swapfiles and SELinux

Daniel J Walsh dwalsh at redhat.com
Wed Mar 8 21:37:34 UTC 2006


Daniel B. Thurman wrote:
> Hello,
>
> This is a modified repost from SELinux mailing list and
> repeated here only because I was not sure where this message
> is to be posted since it is a FC5-T3 issue.
>
> I have read previous posts regarding creating swapfiles
> under SELinux and supposedly a fix was done but the circumstances
> of this error are different.  SELinux refuses to allow a relabel via mkswap.
>
> The steps to create a swapfile are:
>
> 1) dd if=/dev/zero of=/swapfile bs=1024 count=<SWAP-SIZE>
> 1.5) New step: chcon -t swapfile_t /swapfile
> 2) mkswap /swapfile
> 3) swapon /swapfile
> 4) Add entry to fstab
>
> A new security context of swapfile_t was added in FC-T3, and
> supposedly added to mkswap as well. I have the latest YUM
> development updates for FC5-T3.
>
> Doing step (1.5) above results in a "relabel" Permission denied:
>
>   
>> mkswap /swapfile
>>     
> mkswap: unable to relabel /swapfile to swapfile_t: Permission denied
>
> /var/log/audit/audit.log shows:
>
> type=AVC msg=audit(1141837284.182:194): avc:  denied  { ioctl } for  pid=3948 comm="mkswap" name="swapfile" dev=hda7 ino=107915 scontext=root:system_r:fsadm_t:s0-s0:c0.c255 tcontext=root:object_r:swapfile_t:s0 tclass=file
> type=SYSCALL msg=audit(1141837284.182:194): arch=40000003 syscall=54 success=no exit=-13 a0=3 a1=1260 a2=bf9c1ed0 a3=bf9c39fb items=0 pid=3948 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mkswap" exe="/sbin/mkswap"
> type=AVC_PATH msg=audit(1141837284.182:194):  path="/swapfile"
> type=AVC msg=audit(1141837284.238:195): avc:  denied  { relabelfrom } for  pid=3948 comm="mkswap" name="swapfile" dev=hda7 ino=107915 scontext=root:system_r:fsadm_t:s0-s0:c0.c255 tcontext=root:object_r:swapfile_t:s0 tclass=file
> type=SYSCALL msg=audit(1141837284.238:195): arch=40000003 syscall=228 success=no exit=-13 a0=3 a1=250f66f a2=804a434 a3=b items=0 pid=3948 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="mkswap" exe="/sbin/mkswap"
>
> Please let me know what solution is needed!
>
> Kind regards,
> Dan
>
>
>   
This should be fixed in tomorrow's rawhide.
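
An added example, not part of the original thread: a small parser that reduces the AVC records quoted above to the source type, target type, object class and denied permissions, which is the information needed to triage such a denial. The function names are assumptions made for this example; the sample records are copied from the quoted audit.log excerpt, and the output only summarizes what was denied, not the policy change that went into rawhide.

```python
import re
from collections import defaultdict

# AVC and AVC_PATH records copied from the audit.log excerpt in the post above.
SAMPLE_LOG = '''\
type=AVC msg=audit(1141837284.182:194): avc:  denied  { ioctl } for  pid=3948 comm="mkswap" name="swapfile" dev=hda7 ino=107915 scontext=root:system_r:fsadm_t:s0-s0:c0.c255 tcontext=root:object_r:swapfile_t:s0 tclass=file
type=AVC_PATH msg=audit(1141837284.182:194):  path="/swapfile"
type=AVC msg=audit(1141837284.238:195): avc:  denied  { relabelfrom } for  pid=3948 comm="mkswap" name="swapfile" dev=hda7 ino=107915 scontext=root:system_r:fsadm_t:s0-s0:c0.c255 tcontext=root:object_r:swapfile_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<stamp>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:mls-range] context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    return {
        "serial": int(m["serial"]),
        "comm": fields["comm"],
        "perms": m["perms"].split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return [f"{src} -> {tgt}:{cls} denied {{ {' '.join(sorted(perms))} }}"
            for (src, tgt, cls), perms in sorted(grouped.items())]

if __name__ == "__main__":
    for row in summarize_denials(SAMPLE_LOG):
        print(row)
```
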




More information about the fedora-test-list mailing list