-
Bug
-
Resolution: Unresolved
-
Normal
-
rhel-10.2
-
rhel-security-special-projects
-
x86_64, aarch64
What were you trying to do that didn't work?
During the latest testing cycle (CTC1), we identified a failure where the Clevis user is not correctly assigned to the tss security group. The issue stems from the migration process from Package Mode to Image Mode. The system prioritizes preserving the existing host configuration files over the new configuration provided by the image. Consequently, the new permission updates for Clevis are discarded during the merge.
What is the impact of this issue to you?
- User clevis is not in group tss.
- Clevis tries to access /dev/tpmrm0 (the TPM device).
- Clevis cannot retrieve the encryption key.
Please provide the package NVR for which the bug is seen:
clevis-21-8.el10.x86_64.rpm
How reproducible is this bug?:
Steps to reproduce
- clone git repo https://gitlab.cee.redhat.com/special-projects/tests/clevis.git
- execute image-mode-update.fmf Plan
testing-farm request --tmt-environment TMT_SCRIPTS_DIR=/var/lib/tmt/scripts --compose RHEL-10.2-20251118.1 --git-url https://gitlab.cee.redhat.com/special-projects/tests/clevis.git --git-ref master --plan /Plans/image-mode-update --arch x86_64 -c distro=rhel-10.2
Expected results
clevis user is part of the tss group
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 18:50:19 ] :: [ BEGIN ] :: Running 'id clevis'
uid=989(clevis) gid=987(clevis) groups=987(clevis),59(tss)
:: [ 18:50:19 ] :: [ PASS ] :: Command 'id clevis' (Expected 0, got 0)
:: [ 18:50:19 ] :: [ BEGIN ] :: Running 'grep -E 'groups=.clevis' /var/tmp/rlRun_LOG.t1ZmvP1i'
uid=989(clevis) gid=987(clevis) groups=987(clevis),59(tss)
:: [ 18:50:19 ] :: [ PASS ] :: Command 'grep -E 'groups=.clevis' /var/tmp/rlRun_LOG.t1ZmvP1i' (Expected 0, got 0)
:: [ 18:50:19 ] :: [ BEGIN ] :: Running 'grep -E 'gid=.clevis' /var/tmp/rlRun_LOG.t1ZmvP1i'
uid=989(clevis) gid=987(clevis) groups=987(clevis),59(tss)
:: [ 18:50:19 ] :: [ PASS ] :: Command 'grep -E 'gid=.clevis' /var/tmp/rlRun_LOG.t1ZmvP1i' (Expected 0, got 0)
:: [ 18:50:19 ] :: [ BEGIN ] :: Running 'grep -E 'uid=.clevis.tss' /var/tmp/rlRun_LOG.t1ZmvP1i'
uid=989(clevis) gid=987(clevis) groups=987(clevis),59(tss)
:: [ 18:50:20 ] :: [ PASS ] :: Command 'grep -E 'uid=.clevis.tss' /var/tmp/rlRun_LOG.t1ZmvP1i' (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 1s
:: Assertions: 4 good, 0 bad
:: RESULT: PASS (Test)
Actual results
clevis user is not part of the tss group
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 14:13:13 ] :: [ BEGIN ] :: Running 'id clevis'
uid=976(clevis) gid=976(clevis) groups=976(clevis)
:: [ 14:13:13 ] :: [ PASS ] :: Command 'id clevis' (Expected 0, got 0)
:: [ 14:13:13 ] :: [ BEGIN ] :: Running 'grep -E 'groups=.clevis' /var/tmp/rlRun_LOG.xGtfB5pQ'
uid=976(clevis) gid=976(clevis) groups=976(clevis)
:: [ 14:13:13 ] :: [ PASS ] :: Command 'grep -E 'groups=.clevis' /var/tmp/rlRun_LOG.xGtfB5pQ' (Expected 0, got 0)
:: [ 14:13:13 ] :: [ BEGIN ] :: Running 'grep -E 'gid=.clevis' /var/tmp/rlRun_LOG.xGtfB5pQ'
uid=976(clevis) gid=976(clevis) groups=976(clevis)
:: [ 14:13:13 ] :: [ PASS ] :: Command 'grep -E 'gid=.clevis' /var/tmp/rlRun_LOG.xGtfB5pQ' (Expected 0, got 0)
:: [ 14:13:13 ] :: [ BEGIN ] :: Running 'grep -E 'uid=.clevis.tss' /var/tmp/rlRun_LOG.xGtfB5pQ'
:: [ 14:13:13 ] :: [ FAIL ] :: Command 'grep -E 'uid=.clevis.tss' /var/tmp/rlRun_LOG.xGtfB5pQ' (Expected 0, got 1)
:: Test phase SELinux AVC denials since test phase start:: 11/21/25 14:13:13:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 1s
:: Assertions: 3 good, 1 bad
:: RESULT: FAIL (Test)
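
A drift check for the failure described above, as an added example that is not part of the original report or of the clevis test suite: it lists every group membership that the image's group file defines but the merged host file lacks. The function names and the two file arguments are assumptions (for instance the image's default group file and the host's /etc/group after the update), and the sample data is constructed.

```shell
#!/bin/sh
# Added example: find supplementary group members dropped by a config merge.
# usage: missing_members IMAGE_GROUP_FILE HOST_GROUP_FILE
# Both files use the group(5) layout: name:password:gid:member,member,...
# Prints one "group:user" line per membership present in the image file
# but absent from the host file.
missing_members() {
    awk -F: '
        # Host file (first argument to awk): record every group:member pair.
        FILENAME == ARGV[1] {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "") have[$1 ":" m[i]] = 1
            next
        }
        # Image file: report the pairs the host file does not contain.
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                key = $1 ":" m[i]
                if (m[i] != "" && !(key in have)) print key
            }
        }
    ' "$2" "$1"
}

# Constructed sample data mirroring the report: the image adds clevis to tss,
# the host file preserved by the merge does not.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:' 'tss:x:59:clevis' 'clevis:x:987:' > "$d/image"
    printf '%s\n' 'root:x:0:' 'tss:x:59:' 'clevis:x:976:' > "$d/host"
    missing_members "$d/image" "$d/host"
    rm -rf "$d"
}

# With two arguments compare real files, otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then
    missing_members "$1" "$2"
else
    demo
fi
```

An empty result means every membership the image defines survived the merge; a `tss:clevis` line corresponds to the FAIL case in the log above.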
- clones
-
RHEL-132187 [RHEL-9.8] Image Mode - clevis | clevis user not part of the required group after installation
-
- Planning
-