Loading...

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: rhel-10.0
Affects Version/s: rhel-10.0.beta
Component/s: swtpm
Labels:
- known_issue_100
- virt-arm

Regression:
No
Severity:
Critical

Pool Team:

rhel-sst-virtualization
Sub-System Group:

ssg_virtualization

Story Points:
5
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Acceptance Criteria:

Hide

The reproducer succeeds in creating, starting and running a new VM. The reproducer does not trigger SELinux denials.

Show
The reproducer succeeds in creating, starting and running a new VM. The reproducer does not trigger SELinux denials.
Preliminary Testing:
None
Test Coverage:
None

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

VM can not start with a fresh image when enable selinux

Please provide the package NVR for which bug is seen:

# rpm -q libvirt qemu-kvm swtpm swtpm-selinux selinux-policy
libvirt-10.5.0-5.el10.x86_64
qemu-kvm-9.0.0-6.el10.x86_64
swtpm-0.9.0-2.el10.x86_64
swtpm-selinux-0.9.0-2.el10.noarch
selinux-policy-40.13.7-1.el10.noarch

How reproducible:

100%

Steps to reproduce

1. Get a fresh image, then start a vm with virt-install using this image:

# wget http://xxx.redhat.com/libvirt-CI-resources/RHEL-10.0-20240808.0-x86_64-ovmf.qcow2
...
Saving to: ‘RHEL-10.0-20240808.0-x86_64-ovmf.qcow2.2’
...
# virt-install -n test1 -r 2048 -f ./RHEL-10.0-20240808.0-x86_64-ovmf.qcow2.2  --import --machine q35 --boot uefi --noautoconsole  --osinfo detect=on,require=off
WARNING  Using --osinfo generic, VM performance may suffer. Specify an accurate OS for optimal results.

Starting install...
ERROR    internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/test1-swtpm.log' for details.
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///system start test1
otherwise, please restart your installation.

2. check the swtpm log and audit log:

# cat /var/log/swtpm/libvirt/qemu/test1-swtpm.log
swtpm at /usr/bin/swtpm does not support TPM 2
# ausearch -m avc
----
time->Sun Aug 11 23:55:06 2024
type=PROCTITLE msg=audit(1723434906.574:182): proctitle=2F7573722F62696E2F737774706D00736F636B6574002D2D7072696E742D6361706162696C6974696573002D2D6C6F670066696C653D2F7661722F6C6F672F737774706D2F6C6962766972742F71656D752F74657374312D737774706D2E6C6F67
type=SYSCALL msg=audit(1723434906.574:182): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=563fb28395a0 a2=20441 a3=180 items=0 ppid=2621 pid=2622 auid=4294967295 uid=59 gid=59 euid=59 suid=59 fsuid=59 egid=59 sgid=59 fsgid=59 tty=(none) ses=4294967295 comm="swtpm" exe="/usr/bin/swtpm" subj=system_u:system_r:swtpm_t:s0 key=(null)
type=AVC msg=audit(1723434906.574:182): avc:  denied  { open } for  pid=2622 comm="swtpm" path="/var/log/swtpm/libvirt/qemu/test1-swtpm.log" dev="dm-0" ino=769858 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:virt_log_t:s0 tclass=file permissive=0
----
time->Sun Aug 11 23:55:06 2024
type=PROCTITLE msg=audit(1723434906.583:183): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1723434906.583:183): arch=c000003e syscall=188 success=yes exit=0 a0=56523aa093e0 a1=7f64ceec8197 a2=7f64b403d550 a3=1f items=0 ppid=1882 pid=2623 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1723434906.583:183): avc:  denied  { relabelfrom } for  pid=2623 comm="rpc-virtqemud" name="test1-swtpm.log" dev="dm-0" ino=769858 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_log_t:s0 tclass=file permissive=1

3. but when run the same command the 2nd time, it pass, and only 1 more record about avc deny:

time->Mon Aug 12 00:27:35 2024
type=PROCTITLE msg=audit(1723436855.020:197): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1723436855.020:197): arch=c000003e syscall=188 success=yes exit=0 a0=7f451c0376a0 a1=7f45247f4197 a2=7f44b00048d0 a3=2d items=0 ppid=2715 pid=2945 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1723436855.020:197): avc:  denied  { relabelfrom } for  pid=2945 comm="rpc-virtqemud" name="2-test5-swtpm.sock" dev="tmpfs" ino=3568 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=1

Expected results

VM should start successfully

Actual results

VM can not start with selinux enabled with a fresh image

account is impacted by

RHEL-56725 The error message is misleading when swtpm can't open log file

New

blocks

RHEL-65460 [RHEL10][CS10][FTBFS] swtpm fails to build on CS10 and RHEL10

Planning

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates