RHEL-70835: Starting a VM with a user-specified vTPM state path fails when SELinux is in enforcing mode

Project: RHEL
Type: Bug
Resolution: Unresolved
Priority: Undefined
Version: rhel-10.0
Component: swtpm
Build: swtpm-0.9.0-5.el10
Severity: Critical
Team: rhel-sst-virtualization (ssg_virtualization)
Architecture: x86_64
      What were you trying to do that didn't work?

      libvirt started to support a user-specified vTPM state file or directory in bug RHEL-54325, but starting the VM fails on RHEL 10.0 due to an SELinux issue.

      What is the impact of this issue to you?

      Please provide the package NVR for which the bug is seen:

      selinux-policy-40.13.13-1.el10.noarch

      libvirt-10.10.0-1.el10.x86_64
      qemu-kvm-9.1.0-7.el10.x86_64
      swtpm-0.9.0-4.el10.x86_64
      libtpms-0.9.6-10.el10.x86_64

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Prepare a VM with a vTPM pointing to a user-specified state directory:
      <tpm model="tpm-crb">
        <backend type="emulator" version="2.0">
          <source type="dir" path="/mytpmtest/myDir"/>
        </backend>
        <alias name="tpm0"/>
      </tpm>
      # mkdir -p /mytpmtest/myDir
      2. Try to start the VM:
      # virsh start avocado-vt-vm1
      error: Failed to start domain 'avocado-vt-vm1'
      error: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: -421535969; Check error log '/var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log' for details.
      Check the swtpm log:
      Starting vTPM manufacturing as tss:tss @ Tue 10 Dec 2024 09:24:44 PM EST
      SWTPM_NVRAM_StoreData: Error (fatal) opening /mytpmtest/myDir/TMP2-00.permall for write failed, Permission denied
      SWTPM_NVRAM_Lock_Dir: Could not open lockfile: Permission denied
      Could not receive response to TPM2_CreatePrimary(RSA) from swtpm: Connection reset by peer
      create_ek failed: 0x1

      # ausearch -m avc
      ----
      time->Tue Dec 10 21:23:06 2024
      type=PROCTITLE msg=audit(1733883786.864:15140): proctitle=2F7573722F62696E2F737774706D00736F636B6574002D2D666C616773006E6F742D6E6565642D696E69742C737461727475702D636C656172002D2D74706D7374617465006261636B656E642D7572693D6469723A2F2F2F6D7974706D746573742F6D79446972002D2D7069640066696C653D2F746D702F2E737774706D5F73
      type=SYSCALL msg=audit(1733883786.864:15140): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffff3db3a10 a2=20241 a3=1a0 items=0 ppid=1 pid=207343 auid=4294967295 uid=59 gid=59 euid=59 suid=59 fsuid=59 egid=59 sgid=59 fsgid=59 tty=(none) ses=4294967295 comm="swtpm" exe="/usr/bin/swtpm" subj=system_u:system_r:swtpm_t:s0 key=(null)
      type=AVC msg=audit(1733883786.864:15140): avc:  denied  { write } for  pid=207343 comm="swtpm" name="myDir" dev="dm-0" ino=5261597 scontext=system_u:system_r:swtpm_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
      ----
      time->Tue Dec 10 21:23:06 2024
      type=PROCTITLE msg=audit(1733883786.864:15141): proctitle=2F7573722F62696E2F737774706D00736F636B6574002D2D666C616773006E6F742D6E6565642D696E69742C737461727475702D636C656172002D2D74706D7374617465006261636B656E642D7572693D6469723A2F2F2F6D7974706D746573742F6D79446972002D2D7069640066696C653D2F746D702F2E737774706D5F73
      type=SYSCALL msg=audit(1733883786.864:15141): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55e19a764550 a2=20241 a3=1b0 items=0 ppid=1 pid=207343 auid=4294967295 uid=59 gid=59 euid=59 suid=59 fsuid=59 egid=59 sgid=59 fsgid=59 tty=(none) ses=4294967295 comm="swtpm" exe="/usr/bin/swtpm" subj=system_u:system_r:swtpm_t:s0 key=(null)
      type=AVC msg=audit(1733883786.864:15141): avc:  denied  { write } for  pid=207343 comm="swtpm" name="myDir" dev="dm-0" ino=5261597 scontext=system_u:system_r:swtpm_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
      ----
      time->Tue Dec 10 21:23:06 2024
      type=PROCTITLE msg=audit(1733883786.866:15142): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1733883786.866:15142): arch=c000003e syscall=84 success=yes exit=0 a0=7f8de00578f0 a1=7f8de0047cd0 a2=8000 a3=802 items=0 ppid=1 pid=206212 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1733883786.866:15142): avc:  denied  { rmdir } for  pid=206212 comm="rpc-virtqemud" name="myDir" dev="dm-0" ino=5261597 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1
      ----
      time->Tue Dec 10 21:23:06 2024
      type=PROCTITLE msg=audit(1733883786.866:15143): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1733883786.866:15143): arch=c000003e syscall=84 success=yes exit=0 a0=7f8de005b170 a1=7f8de003fc90 a2=8000 a3=7f8de00008e0 items=0 ppid=1 pid=206212 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1733883786.866:15143): avc:  denied  { rmdir } for  pid=206212 comm="rpc-virtqemud" name="mytpmtest" dev="dm-0" ino=71764793 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
      

      If SELinux is set to permissive, the VM starts successfully:

      # setenforce 0
      # virsh start avocado-vt-vm1
      Domain 'avocado-vt-vm1' started


      Expected results

      Actual results

      Additional info:

      1. Not reproduced on RHEL 9.6 with:

      selinux-policy-38.1.48-1.el9.noarch
      libvirt-10.10.0-1.el9.x86_64
      swtpm-0.8.0-2.el9_4.x86_64
      qemu-kvm-9.1.0-6.el9.x86_64
      libtpms-0.9.1-4.20211126git1ff6fe1f43.el9.x86_64
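      The audit records quoted in the report already isolate the blocking denial: the swtpm_t write to the default_t directory carries permissive=0 and its SYSCALL record shows exit=-13 (EACCES), whereas the two virtqemud_t rmdir denials carry permissive=1 and their syscalls show success=yes, so they were logged but not enforced. The helper below is an added triage script, not part of the bug report or of the swtpm, libvirt or selinux-policy projects. It decodes the PROCTITLE hex back into the swtpm command line and summarises type=AVC records by source domain, permission, target type and enforcement mode. The three AVC lines from the report are embedded as constructed sample input; the function names and output format are the example's own.

```shell
#!/bin/sh
# Added triage helper (not from the bug report or from swtpm/libvirt/selinux-policy).
# Decodes audit PROCTITLE hex and summarises AVC denials so the enforced one stands out.

# Hex proctitle of the swtpm process, copied from the first PROCTITLE record in the report.
SWTPM_PROCTITLE_HEX=2F7573722F62696E2F737774706D00736F636B6574002D2D666C616773006E6F742D6E6565642D696E69742C737461727475702D636C656172002D2D74706D7374617465006261636B656E642D7572693D6469723A2F2F2F6D7974706D746573742F6D79446972002D2D7069640066696C653D2F746D702F2E737774706D5F73

# The three type=AVC records from the report (constructed sample input; SYSCALL and
# PROCTITLE records are left out because this helper only parses AVC lines).
AVC_SAMPLE='type=AVC msg=audit(1733883786.864:15140): avc:  denied  { write } for  pid=207343 comm="swtpm" name="myDir" dev="dm-0" ino=5261597 scontext=system_u:system_r:swtpm_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1733883786.866:15142): avc:  denied  { rmdir } for  pid=206212 comm="rpc-virtqemud" name="myDir" dev="dm-0" ino=5261597 scontext=system_u:system_r:virtqemud_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1733883786.866:15143): avc:  denied  { rmdir } for  pid=206212 comm="rpc-virtqemud" name="mytpmtest" dev="dm-0" ino=71764793 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1'

# decode_proctitle HEX: turn an audit PROCTITLE hex string back into a command line.
# The kernel joins argv entries with NUL bytes (hex 00); each one is printed as a space.
decode_proctitle() {
    out=""
    for pair in $(printf '%s' "$1" | sed 's/../& /g'); do
        if [ "$pair" = "00" ]; then
            out="$out "
        else
            # An octal escape is the portable way to emit an arbitrary byte with printf.
            out="$out$(printf "\\$(printf '%03o' "0x$pair")")"
        fi
    done
    printf '%s\n' "$out"
}

# summarize_avc: read audit records on stdin, print one line per type=AVC record as
#   <comm> <source domain> <permissions> <target type> <class> <enforcing|permissive>
# permissive=1 means the domain is permissive: the denial was logged but the syscall
# went through. permissive=0 is a denial that really failed the operation.
summarize_avc() {
    awk '
    /^type=AVC/ {
        comm = ""; src = ""; tgt = ""; cls = ""; mode = ""; perms = ""; inbrace = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace) { perms = (perms == "" ? $i : perms "," $i); continue }
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "comm")            { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext")   { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext")   { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")     { cls = kv[2] }
            else if (kv[1] == "permissive") { mode = (kv[2] == "1") ? "permissive" : "enforcing" }
        }
        print comm, src, perms, tgt, cls, mode
    }'
}

# enforced_denials: keep only the denials that actually blocked something.
enforced_denials() {
    summarize_avc | awk '$NF == "enforcing"'
}

# count_enforced_denials: number of enforced denials in the records on stdin.
count_enforced_denials() {
    enforced_denials | wc -l | tr -d ' '
}

echo "swtpm command line:"
decode_proctitle "$SWTPM_PROCTITLE_HEX"
echo
echo "AVC summary:"
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
echo
echo "Denials that actually failed (fix these before re-running virsh start):"
printf '%s\n' "$AVC_SAMPLE" | enforced_denials
```

      Run it as a plain script, or feed live output into it with `ausearch -m avc --raw | summarize_avc` after sourcing the file. On the report's records the last column leaves a single enforced denial: swtpm_t writing to a directory labelled default_t, which is the label a freshly created path like /mytpmtest gets when no file-context rule matches it.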

       

Assignee: Marc-Andre Lureau (mlureau)
Reporter: Yanqiu Zhang (yanqzhan1@redhat.com)
Also listed: virt-maint, Yanqiu Zhang