Bug
Resolution: Unresolved
Critical
rhel-10.1
selinux-policy-42.1.3-1.el10
rhel-security-selinux
Release Note Not Required
What were you trying to do that didn't work?
Start a VM with an encrypted vTPM; it fails with an 'avc: denied' error.
What is the impact of this issue to you?
The layered product OpenShift uses the encrypted vTPM feature.
Please provide the package NVR for which the bug is seen:
selinux-policy-42.1.1-1.el10.noarch
libvirt-11.5.0-1.el10.x86_64
qemu-kvm-10.0.0-7.el10.x86_64
swtpm-0.9.0-5.el10.x86_64
libtpms-0.9.6-11.el10.x86_64
openssl-3.5.1-1.el10.x86_64
edk2-ovmf-20250523-2.el10.noarch
How reproducible is this bug?:
100%
Steps to reproduce
1. Prepare a vTPM secret with a value:
# vim vtpm-secret.xml
<secret ephemeral='no' private='yes'>
  <description>sample vTPM secret</description>
  <usage type='vtpm'>
    <name>VTPM_example</name>
  </usage>
</secret>
# virsh secret-define vtpm-secret.xml
# echo "open sesame" > secretinfile
# virsh secret-set-value 1ae14543-4c63-40fd-8b7d-675ca0604b1e --file secretinfile --plain
2. Define a VM with an encrypted vTPM:
# virsh define vm.xml
# virsh dumpxml avocado-vt-vm1 --xpath //tpm
<tpm model="tpm-crb">
  <backend type="emulator" version="2.0">
    <encryption secret="1ae14543-4c63-40fd-8b7d-675ca0604b1e"/>
  </backend>
  <alias name="tpm0"/>
</tpm>
3. Try to start the VM:
# virsh start avocado-vt-vm1
error: Failed to start domain 'avocado-vt-vm1'
error: internal error: QEMU unexpectedly closed the monitor (vm='avocado-vt-vm1'): 2025-07-16T15:00:03.616726Z qemu-kvm: tpm-emulator: TPM result for CMD_INIT: 0x101 operation failed
4. Check the audit record:
# ausearch -m avc -ts recent
----
time->Wed Jul 16 11:00:03 2025
type=PROCTITLE msg=audit(1752678003.191:937): proctitle=2F7573722F62696E2F737774706D00736F636B6574002D2D6374726C00747970653D756E6978696F2C706174683D2F72756E2F6C6962766972742F71656D752F737774706D2F312D61766F6361646F2D76742D766D312D737774706D2E736F636B2C6D6F64653D30363030002D2D74706D7374617465006469723D2F7661722F
type=EXECVE msg=audit(1752678003.191:937): argc=14 a0="/usr/bin/swtpm" a1="socket" a2="--ctrl" a3="type=unixio,path=/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.sock,mode=0600" a4="--tpmstate" a5="dir=/var/lib/libvirt/swtpm/fa56e914-81ca-43a2-889d-2351a66e4b7a/tpm2,mode=0600" a6="--log" a7="file=/var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log" a8="--terminate" a9="--tpm2" a10="--key" a11="pwdfd=27,mode=aes-256-cbc" a12="--migration-key" a13="pwdfd=29,mode=aes-256-cbc"
type=SYSCALL msg=audit(1752678003.191:937): arch=c000003e syscall=59 success=yes exit=0 a0=7f543403e110 a1=7f543404c7d0 a2=7ffcf8274438 a3=2 items=0 ppid=1 pid=38059 auid=4294967295 uid=59 gid=59 euid=59 suid=59 fsuid=59 egid=59 sgid=59 fsgid=59 tty=(none) ses=4294967295 comm="swtpm" exe="/usr/bin/swtpm" subj=system_u:system_r:svirt_t:s0:c371,c986 key=(null)
type=AVC msg=audit(1752678003.191:937): avc: denied { read } for pid=38059 comm="swtpm" path="pipe:[14966]" dev="pipefs" ino=14966 scontext=system_u:system_r:svirt_t:s0:c371,c986 tcontext=system_u:system_r:virtqemud_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1752678003.191:937): avc: denied { read } for pid=38059 comm="swtpm" path="pipe:[14964]" dev="pipefs" ino=14964 scontext=system_u:system_r:svirt_t:s0:c371,c986 tcontext=system_u:system_r:virtqemud_t:s0 tclass=fifo_file permissive=0
Expected results
The VM with an encrypted vTPM should start successfully.
Actual results
Additional info:
1. Not reproduced on selinux-policy-40.13.35-1.el10.noarch before, and if I downgrade to this version, the failed VM can start.
2. This issue was fixed before: RHEL-40350, RHEL-48236
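As an added example (not part of this bug report or of the selinux-policy project), the following Python parser reads the audit records above: it extracts the source and target types, the object class and the denied permissions from each type=AVC line, collapses them into the minimal allow rule a policy fix would need (the same summary audit2allow produces), and pulls the pwdfd= arguments out of the EXECVE record, which is why swtpm (svirt_t) is reading pipes owned by virtqemud_t in the first place: libvirt hands it the vTPM state and migration keys over inherited file descriptors. The sample records are copied from this report; the function names are my own.

```python
import re
from collections import defaultdict

# Records copied from the ausearch output in this report (PROCTITLE and SYSCALL omitted).
SAMPLE_AUDIT = """\
type=EXECVE msg=audit(1752678003.191:937): argc=14 a0="/usr/bin/swtpm" a1="socket" a2="--ctrl" a3="type=unixio,path=/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.sock,mode=0600" a4="--tpmstate" a5="dir=/var/lib/libvirt/swtpm/fa56e914-81ca-43a2-889d-2351a66e4b7a/tpm2,mode=0600" a6="--log" a7="file=/var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log" a8="--terminate" a9="--tpm2" a10="--key" a11="pwdfd=27,mode=aes-256-cbc" a12="--migration-key" a13="pwdfd=29,mode=aes-256-cbc"
type=AVC msg=audit(1752678003.191:937): avc: denied { read } for pid=38059 comm="swtpm" path="pipe:[14966]" dev="pipefs" ino=14966 scontext=system_u:system_r:svirt_t:s0:c371,c986 tcontext=system_u:system_r:virtqemud_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1752678003.191:937): avc: denied { read } for pid=38059 comm="swtpm" path="pipe:[14964]" dev="pipefs" ino=14964 scontext=system_u:system_r:svirt_t:s0:c371,c986 tcontext=system_u:system_r:virtqemud_t:s0 tclass=fifo_file permissive=0
"""

# Header of an AVC record: serial, denied/granted, the permission set in braces, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type component (third field) of an SELinux context string."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one type=AVC audit record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': tuple(sorted(m.group('perms').split())),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'stype': type_of(fields['scontext']),
        'ttype': type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }


def parse_audit(text):
    """Return the parsed AVC records from a block of ausearch output, in order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def summarize_denials(records):
    """Collapse denials into {(source type, target type, class): set of missing permissions}."""
    needed = defaultdict(set)
    for r in records:
        if r['result'] == 'denied':
            needed[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    return dict(needed)


def allow_rules(summary):
    """Render the summary as policy allow rules, one per (source, target, class) triple."""
    rules = []
    for (s, t, c), perms in sorted(summary.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {s} {t}:{c} {body};')
    return rules


def inherited_pwdfds(text):
    """File descriptor numbers swtpm was told to read keys from (pwdfd=N in the EXECVE argv)."""
    for line in text.splitlines():
        if line.startswith('type=EXECVE '):
            return [int(n) for n in re.findall(r'pwdfd=(\d+)', line)]
    return []


if __name__ == '__main__':
    recs = parse_audit(SAMPLE_AUDIT)
    for rule in allow_rules(summarize_denials(recs)):
        print(rule)                      # allow svirt_t virtqemud_t:fifo_file read;
    print('key fds:', inherited_pwdfds(SAMPLE_AUDIT))  # key fds: [27, 29]
```

Two denials on two different pipes collapse into one rule because both share the same source type, target type and class; that single rule is what distinguishes the affected policy build from a fixed one. To check an installed policy directly, sesearch from setools (`sesearch -A -s svirt_t -t virtqemud_t -c fifo_file -p read`) lists the allow rules that would cover this access, and an empty result on the affected build reproduces the finding without starting a VM.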
Links to: RHBA-2025:147963 selinux-policy bug fix and enhancement update