RHEL-54064

Failed to start a vm with tpm and none type seclabel

    • rhel-sst-security-selinux
    • ssg_security

      What were you trying to do that didn't work?

      Failed to start a VM with a TPM device and a seclabel of type 'none'.

      Please provide the package NVR for which bug is seen:

      libvirt-10.5.0-5.el10.aarch64
      qemu-kvm-9.0.0-6.el10.aarch64
      kernel-6.10.0-15.el10.aarch64
      selinux-policy-40.13.7-1.el10.noarch
      swtpm-0.9.0-2.el10.aarch64
      swtpm-selinux-0.9.0-2.el10.noarch

      How reproducible:

      100%

      Steps to reproduce

      1.  Prepare a VM with a TPM and seclabel as below:

            <tpm model='tpm-tis'>
              <backend type='emulator' version='2.0'/>
            </tpm>
            ...
            <seclabel type='none'/>
          </domain>

      2.  virsh start <vm name>

      Expected results

      The VM should be started up without error.

      Actual results

      It reports an error like below:

      # virsh start avocado-vt-vm1
      error: Failed to start domain 'avocado-vt-vm1'
      error: operation failed: swtpm died and reported: swtpm: Could not open logfile for writing: Permission denied
      

      There are AVC denied errors in the audit log:

      time->Tue Aug 13 02:33:44 2024
      type=PROCTITLE msg=audit(1723530824.774:19313): proctitle=2F7573722F62696E2F737774706D00736F636B6574002D2D6374726C00747970653D756E6978696F2C706174683D2F72756E2F6C6962766972742F71656D752F737774706D2F312D61766F6361646F2D76742D766D312D737774706D2E736F636B2C6D6F64653D30363030002D2D74706D7374617465006469723D2F7661722F
      type=EXECVE msg=audit(1723530824.774:19313): argc=10 a0="/usr/bin/swtpm" a1="socket" a2="--ctrl" a3="type=unixio,path=/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.sock,mode=0600" a4="--tpmstate" a5="dir=/var/lib/libvirt/swtpm/3b9c465e-5a75-4965-b355-59c91ddc1a67/tpm2,mode=0600" a6="--log" a7="file=/var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log" a8="--terminate" a9="--tpm2"
      type=SYSCALL msg=audit(1723530824.774:19313): arch=c00000b7 syscall=221 success=yes exit=0 a0=ffff240281a0 a1=ffff24026030 a2=ffffc0705378 a3=1 items=0 ppid=1 pid=223478 auid=4294967295 uid=59 gid=59 euid=59 suid=59 fsuid=59 egid=59 sgid=59 fsgid=59 tty=(none) ses=4294967295 comm="swtpm" exe="/usr/bin/swtpm" subj=system_u:system_r:swtpm_t:s0 key=(null)
      type=AVC msg=audit(1723530824.774:19313): avc:  denied  { write } for  pid=223478 comm="swtpm" path="/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid" dev="tmpfs" ino=23820 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:virtqemud_var_run_t:s0 tclass=file permissive=0
      ----
      time->Tue Aug 13 02:33:44 2024
      type=PROCTITLE msg=audit(1723530824.784:19314): proctitle=2F7573722F62696E2F737774706D00736F636B6574002D2D6374726C00747970653D756E6978696F2C706174683D2F72756E2F6C6962766972742F71656D752F737774706D2F312D61766F6361646F2D76742D766D312D737774706D2E736F636B2C6D6F64653D30363030002D2D74706D7374617465006469723D2F7661722F
      type=SYSCALL msg=audit(1723530824.784:19314): arch=c00000b7 syscall=56 success=no exit=-13 a0=ffffffffffffff9c a1=aaadb3c645b0 a2=8441 a3=180 items=0 ppid=1 pid=223478 auid=4294967295 uid=59 gid=59 euid=59 suid=59 fsuid=59 egid=59 sgid=59 fsgid=59 tty=(none) ses=4294967295 comm="swtpm" exe="/usr/bin/swtpm" subj=system_u:system_r:swtpm_t:s0 key=(null)
      type=AVC msg=audit(1723530824.784:19314): avc:  denied  { append } for  pid=223478 comm="swtpm" name="avocado-vt-vm1-swtpm.log" dev="dm-0" ino=17136547 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:svirt_image_t:s0 tclass=file permissive=0
      

      Others:
      The problem does not occur after 'setenforce 0'.
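Added here as a defender's check, not part of the report: a small Python parser that pulls the blocking denials out of the AVC records quoted above (the two records are copied inline as sample input) and reduces each to source type, target type, object class and permission, which is the form needed when comparing the denial against the swtpm policy. The SAMPLE_AUDIT string and all function names are this example's own.

```python
import re

# The two AVC records from the audit log quoted in this report (sample input).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1723530824.774:19313): avc:  denied  { write } for  pid=223478 comm="swtpm" path="/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.pid" dev="tmpfs" ino=23820 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:virtqemud_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1723530824.784:19314): avc:  denied  { append } for  pid=223478 comm="swtpm" name="avocado-vt-vm1-swtpm.log" dev="dm-0" ino=17136547 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:svirt_image_t:s0 tclass=file permissive=0
"""

# Fields of an AVC record in the order auditd writes them.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
    r'.*?permissive=(?P<permissive>[01])'
)


def parse_avc(text):
    """Return one dict per AVC record; the SELinux type is split out of each context."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (PROCTITLE, SYSCALL, separators, ...)
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()
        rec["stype"] = rec["scontext"].split(":")[2]   # user:role:type:level
        rec["ttype"] = rec["tcontext"].split(":")[2]
        target = re.search(r'(?:path|name)="([^"]*)"', line)
        rec["target"] = target.group(1) if target else None
        records.append(rec)
    return records


def enforced_denials(records):
    """Keep only denials that actually blocked the access (permissive=0).

    Returns (source type, target type, class, permission, target) tuples, one per
    permission, i.e. the allow rule that the current policy lacks."""
    out = []
    for r in records:
        if r["result"] == "denied" and r["permissive"] == "0":
            for perm in r["perms"]:
                out.append((r["stype"], r["ttype"], r["tclass"], perm, r["target"]))
    return out


if __name__ == "__main__":
    for d in enforced_denials(parse_avc(SAMPLE_AUDIT)):
        print("%s -> %s (%s %s): %s" % d)
```

Run against the two quoted records it shows swtpm_t blocked from writing a virtqemud_var_run_t pid file and from appending to an svirt_image_t log file, the same two labels the report's error message points at.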

              Assignee: Zdenek Pytela (rhn-support-zpytela)
              Reporter: Yingshun Cui (yicui1)
              QA: SSG Security QE