RHEL-71068

starting vm with vtpm state on NFS failed when selinux enforcing mode

    • selinux-policy-40.13.20-1.el10
    • No
    • Critical
    • 2
    • rhel-sst-security-selinux
    • ssg_security
    • 21
    • 2
    • QE ack
    • False
    • No
    • SELINUX 241127 - 241218, SELINUX 250129: 1
    • Unspecified Release Note Type - Unknown
    • x86_64
    • None

      What were you trying to do that didn't work?

      Previously, the default vTPM state path /var/lib/libvirt/swtpm could be an NFS-mounted one, as introduced by bugzilla2130192. But in the current RHEL 10.0 environment, VM start fails with it.

      What is the impact of this issue to you?

      It blocks shared vTPM migration; CNV also uses this feature.

      Please provide the package NVR for which the bug is seen:

      selinux-policy-40.13.13-1.el10.noarch
      libvirt-10.10.0-1.el10.x86_64
      qemu-kvm-9.1.0-7.el10.x86_64
      swtpm-0.9.0-4.el10.x86_64
      libtpms-0.9.6-10.el10.x86_64

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Mount NFS on the default vTPM path:

      On the NFS server, in /etc/exports:
      /test/myswtpm *(rw,async,no_root_squash)
      On the client:
      # mount NFSserver:/test/myswtpm /var/lib/libvirt/swtpm


      2. Define and start a VM with the default TPM state path:


      # virsh dumpxml avocado-vt-vm1 --xpath //tpm
      <tpm model="tpm-crb">
        <backend type="emulator" version="2.0"/>
      </tpm>
      # virsh start avocado-vt-vm1 
      error: Failed to start domain 'avocado-vt-vm1'
      error: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log' for details.
       
      # cat /var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log
      /usr/bin/swtpm exit with status 256: 
       
      # ausearch -m avc
      ----
      time->Thu Dec 12 02:46:07 2024
      type=PROCTITLE msg=audit(1733989567.144:7124): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=PATH msg=audit(1733989567.144:7124): item=1 name=(null) inode=69101249 dev=00:39 mode=040711 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:nfs_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=PATH msg=audit(1733989567.144:7124): item=0 name=(null) inode=134460593 dev=00:39 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:nfs_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
      type=CWD msg=audit(1733989567.144:7124): cwd="/"
      type=SYSCALL msg=audit(1733989567.144:7124): arch=c000003e syscall=83 success=yes exit=0 a0=7f59a0036800 a1=1c9 a2=3b a3=7f59a00008e0 items=2 ppid=1 pid=62542 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1733989567.144:7124): avc:  denied  { create } for  pid=62542 comm="rpc-virtqemud" name="ddb1380d-4c8d-420a-978f-31d1ad8c636e" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1
      ----
      time->Thu Dec 12 02:46:07 2024
      type=PROCTITLE msg=audit(1733989567.153:7125): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
      type=SYSCALL msg=audit(1733989567.153:7125): arch=c000003e syscall=84 success=yes exit=0 a0=7f59a0046da0 a1=7f59a0159bb0 a2=100000 a3=7f59a0159b70 items=0 ppid=1 pid=62542 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
      type=AVC msg=audit(1733989567.153:7125): avc:  denied  { rmdir } for  pid=62542 comm="rpc-virtqemud" name="tpm2" dev="0:57" ino=134460595 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1
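      The two AVC records above carry everything needed to check whether a given selinux-policy build grants the access virtqemud needs. The script below is an added example, not part of the report: its avc_summary and sesearch_cmd helpers are hypothetical names, and the audit lines embedded in it are constructed to match the ones shown in the report.

```shell
#!/bin/sh
# Added example (not from the Jira report): reduce AVC denials to
# (source type, target type, class, permission) tuples and print the
# sesearch query that checks whether the loaded policy already allows each.

# Constructed sample: the two denials from the report, one per line.
SAMPLE_AVC='type=AVC msg=audit(1733989567.144:7124): avc:  denied  { create } for  pid=62542 comm="rpc-virtqemud" name="ddb1380d-4c8d-420a-978f-31d1ad8c636e" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1733989567.153:7125): avc:  denied  { rmdir } for  pid=62542 comm="rpc-virtqemud" name="tpm2" dev="0:57" ino=134460595 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1'

# avc_summary: read audit records on stdin and print one
# "source_type target_type class perm" line per distinct denied access.
avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        # the permission list sits between "{ " and " }"
        p = $0; sub(/.*\{ */, "", p); sub(/ *\}.*/, "", p)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { s = $i; sub(/^scontext=/, "", s) }
            if ($i ~ /^tcontext=/) { t = $i; sub(/^tcontext=/, "", t) }
            if ($i ~ /^tclass=/)   { c = $i; sub(/^tclass=/, "", c) }
        }
        # keep only the type component of user:role:type:level
        split(s, sa, ":"); split(t, ta, ":")
        n = split(p, perms, " ")
        for (j = 1; j <= n; j++) {
            key = sa[3] " " ta[3] " " c " " perms[j]
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    }'
}

# sesearch_cmd: build the setools query for one tuple (source, target, class, perm).
sesearch_cmd() {
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$1" "$2" "$3" "$4"
}

# Stand-alone use: summarize the sample and print the check for each tuple.
printf '%s\n' "$SAMPLE_AVC" | avc_summary | while read -r s t c p; do
    sesearch_cmd "$s" "$t" "$c" "$p"
done
```

      Run the printed sesearch commands on the host with the candidate selinux-policy installed; an empty result for a tuple means that version still lacks the rule.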

      Expected results

      Actual results

      Additional info:

      1. Setting SELinux to permissive makes the start succeed:

      # setenforce 0
      # virsh start avocado-vt-vm1 
      Domain 'avocado-vt-vm1' started

      2. On RHEL 9.6 it does not reproduce:

      selinux-policy-38.1.48-1.el9.noarch
      libvirt-10.10.0-1.el9.x86_64
      qemu-kvm-9.1.0-6.el9.x86_64
      swtpm-0.8.0-2.el9_4.x86_64
      libtpms-0.9.1-4.20211126git1ff6fe1f43.el9.x86_64

              rhn-support-zpytela Zdenek Pytela
              yanqzhan1@redhat.com Yanqiu Zhang
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik