RHEL-132187

[RHEL-9.8] Image Mode - clevis | clevis user not part of the required group after installation


    • clevis-21-209.el9
    • Yes
    • Moderate
    • rhel-security-special-projects
    • 26
    • 1
    • False
    • False
    • Yes
    • None
    • Bug Fix
      Cause:
      In Image Mode systems, user and group membership updates from package installations were not properly applied when migrating from Package Mode to Image Mode.

      Consequence:
      The clevis user was not added to the tss security group, preventing Clevis from accessing the TPM device. This resulted in failure to retrieve encryption keys during system boot.

      Fix:
      The Clevis package installation process was updated to ensure that the clevis user is properly added to the tss group during Image Mode updates, even when existing configuration files are preserved.

      Result:
      The clevis user is now correctly assigned to the tss group during Image Mode installation and updates, allowing proper access to the TPM device and successful encryption key retrieval.
    • Proposed
    • Unspecified
    • Unspecified
    • Unspecified
    • x86_64, aarch64
    • None

      What were you trying to do that didn't work?
      During the latest testing cycle (CTC1), we identified a failure where the Clevis user is not correctly assigned to the tss security group. The issue stems from the migration process from Package Mode to Image Mode. The system prioritizes preserving the existing host configuration files over the new configuration provided by the image. Consequently, the new permission updates for Clevis are discarded during the merge.

      What is the impact of this issue to you?

      1. User clevis is not in group tss.
      2. Clevis tries to access /dev/tpmrm0 (the TPM device).
      3. Clevis cannot retrieve the encryption key.

      Please provide the package NVR for which the bug is seen:
      clevis-21-208.el9.x86_64.rpm

      How reproducible is this bug?:

      Steps to reproduce

      1. clone git repo https://gitlab.cee.redhat.com/special-projects/tests/clevis.git
      2. execute image-mode-update.fmf Plan
        • testing-farm request --tmt-environment TMT_SCRIPTS_DIR=/var/lib/tmt/scripts --compose RHEL-9.8.0-20251118.1 --git-url https://gitlab.cee.redhat.com/special-projects/tests/clevis.git --git-ref master --plan /Plans/image-mode-update --arch x86_64 -c distro=rhel-9.8

      Expected results
      clevis user is part of the tss group

      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      ::   Test
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      :: [ 18:50:19 ] :: [  BEGIN   ] :: Running 'id clevis'
      uid=989(clevis) gid=987(clevis) groups=987(clevis),59(tss)
      :: [ 18:50:19 ] :: [   PASS   ] :: Command 'id clevis' (Expected 0, got 0)
      :: [ 18:50:19 ] :: [  BEGIN   ] :: Running 'grep -E 'groups=.clevis' /var/tmp/rlRun_LOG.t1ZmvP1i'
      uid=989(clevis) gid=987(clevis) groups=987(clevis),59(tss)
      :: [ 18:50:19 ] :: [   PASS   ] :: Command 'grep -E 'groups=.clevis' /var/tmp/rlRun_LOG.t1ZmvP1i' (Expected 0, got 0)
      :: [ 18:50:19 ] :: [  BEGIN   ] :: Running 'grep -E 'gid=.clevis' /var/tmp/rlRun_LOG.t1ZmvP1i'
      uid=989(clevis) gid=987(clevis) groups=987(clevis),59(tss)
      :: [ 18:50:19 ] :: [   PASS   ] :: Command 'grep -E 'gid=.clevis' /var/tmp/rlRun_LOG.t1ZmvP1i' (Expected 0, got 0)
      :: [ 18:50:19 ] :: [  BEGIN   ] :: Running 'grep -E 'uid=.clevis.tss' /var/tmp/rlRun_LOG.t1ZmvP1i'
      uid=989(clevis) gid=987(clevis) groups=987(clevis),59(tss)
      :: [ 18:50:20 ] :: [   PASS   ] :: Command 'grep -E 'uid=.clevis.tss' /var/tmp/rlRun_LOG.t1ZmvP1i' (Expected 0, got 0)
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      ::   Duration: 1s
      ::   Assertions: 4 good, 0 bad
      ::   RESULT: PASS (Test) 

      Actual results
      clevis user is not part of the tss group

      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      ::   Test
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      :: [ 14:13:13 ] :: [  BEGIN   ] :: Running 'id clevis'
      uid=976(clevis) gid=976(clevis) groups=976(clevis)
      :: [ 14:13:13 ] :: [   PASS   ] :: Command 'id clevis' (Expected 0, got 0)
      :: [ 14:13:13 ] :: [  BEGIN   ] :: Running 'grep -E 'groups=.clevis' /var/tmp/rlRun_LOG.xGtfB5pQ'
      uid=976(clevis) gid=976(clevis) groups=976(clevis)
      :: [ 14:13:13 ] :: [   PASS   ] :: Command 'grep -E 'groups=.clevis' /var/tmp/rlRun_LOG.xGtfB5pQ' (Expected 0, got 0)
      :: [ 14:13:13 ] :: [  BEGIN   ] :: Running 'grep -E 'gid=.clevis' /var/tmp/rlRun_LOG.xGtfB5pQ'
      uid=976(clevis) gid=976(clevis) groups=976(clevis)
      :: [ 14:13:13 ] :: [   PASS   ] :: Command 'grep -E 'gid=.clevis' /var/tmp/rlRun_LOG.xGtfB5pQ' (Expected 0, got 0)
      :: [ 14:13:13 ] :: [  BEGIN   ] :: Running 'grep -E 'uid=.clevis.tss' /var/tmp/rlRun_LOG.xGtfB5pQ'
      :: [ 14:13:13 ] :: [   FAIL   ] :: Command 'grep -E 'uid=.clevis.tss' /var/tmp/rlRun_LOG.xGtfB5pQ' (Expected 0, got 1)
      :: Test phase SELinux AVC denials since test phase start:: 11/21/25 14:13:13:
      
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      ::   Duration: 1s
      ::   Assertions: 3 good, 1 bad
      ::   RESULT: FAIL (Test) 
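A post-update check for the condition this bug describes, added here as an example and not part of the report or of the Clevis package: it parses `id` output the way the test logs above do, but matches the group name exactly instead of with a loose `uid=.clevis.tss` pattern, so a group whose name merely starts with `tss` does not count. The two sample lines are the ones from the pass and fail logs above; the live check assumes a host where `id` is available and the TPM device group is `tss`.

```shell
#!/bin/sh
# Verify that a user's supplementary groups, as printed by `id`, include the
# group that owns the TPM device (tss on RHEL). Returns 0 when the group is
# present and 1 when it is missing, which is the failure mode in this bug.

# id_has_group "<id output line>" "<group name>"
# Parses the "groups=" field of `id` output and compares each group name
# exactly, so "tss2" is not mistaken for "tss".
id_has_group() {
    id_line=$1
    want=$2
    groups_field=${id_line##*groups=}   # e.g. 987(clevis),59(tss)
    groups_field=${groups_field%% *}    # drop anything after the list (e.g. SELinux context)
    old_ifs=$IFS
    IFS=,
    for entry in $groups_field; do
        name=${entry#*(}                # "59(tss)" -> "tss)"
        name=${name%)}                  # "tss)"    -> "tss"
        if [ "$name" = "$want" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# check_live_user <user> <group>: the same check against the running system,
# e.g. `check_live_user clevis tss` after a bootc/Image Mode update.
check_live_user() {
    id_has_group "$(id "$1")" "$2"
}

# Sample `id clevis` lines taken from the bug's test logs:
# fixed build (clevis-21-209.el9) first, broken build (clevis-21-208.el9) second.
GOOD_LINE='uid=989(clevis) gid=987(clevis) groups=987(clevis),59(tss)'
BAD_LINE='uid=976(clevis) gid=976(clevis) groups=976(clevis)'

if id_has_group "$GOOD_LINE" tss; then echo "fixed build: clevis is in tss"; fi
if ! id_has_group "$BAD_LINE" tss; then echo "broken build: clevis is NOT in tss (TPM access will fail)"; fi
```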

              scorreia@redhat.com Sergio Correia
              rh-ee-aprikryl Adam Prikryl
              Mirek Jahoda