Type: Bug
Resolution: Not a Bug
Priority: Minor
Affects Version: rhel-10.0
Severity: Important
Component: rhel-security-selinux
Sub-System Group: ssg_security
Architecture: x86_64
What were you trying to do that didn't work?
Bug RHEL-71073 requires a block device as vTPM state storage for OpenShift. Starting a VM with its vTPM state on a block device now works in the RHEL 9.6 test, but fails on RHEL 10.0 due to an SELinux issue.
What is the impact of this issue to you?
OpenShift LP requires this feature.
Please provide the package NVR for which the bug is seen:
selinux-policy-40.13.16-1.el10.noarch
libvirt-10.10.0-1.el10.x86_64
qemu-kvm-9.1.0-7.el10.x86_64
swtpm-0.9.0-4.el10.x86_64
libtpms-0.9.6-10.el10.x86_64
How reproducible is this bug?:
100%
Steps to reproduce
1. Prepare the block device:
# lsscsi
…
[15:0:0:0] disk LIO-ORG ISCSI-test 4.0 /dev/sdb
# df -hT
…
/dev/sdb1 xfs 2.0G 71M 1.9G 4% /var/lib/libvirt/swtpm
# ls /var/lib/libvirt/swtpm/
(no output)
2. Start the VM:
<tpm model="tpm-crb">
  <backend type="emulator" version="2.0">
    <source type="dir" path="/var/lib/libvirt/swtpm/myDir"/>
  </backend>
</tpm>
# virsh start avocado-vt-vm1
error: Failed to start domain 'avocado-vt-vm1'
error: Cannot delete directory '/var/lib/libvirt/swtpm': Device or resource busy
# cat /var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log
/usr/bin/swtpm exit with status 256:
# ausearch -m avc
----
time->Thu Dec 12 09:54:43 2024
type=PROCTITLE msg=audit(1734015283.261:1729): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=PATH msg=audit(1734015283.261:1729): item=1 name=(null) inode=2228352 dev=08:11 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1734015283.261:1729): item=0 name=(null) inode=128 dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1734015283.261:1729): cwd="/"
type=SYSCALL msg=audit(1734015283.261:1729): arch=c000003e syscall=83 success=yes exit=0 a0=7f3cf4024ba0 a1=1c0 a2=ffffffffffffff78 a3=0 items=2 ppid=1 pid=24117 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1734015283.261:1729): avc: denied { create } for pid=24117 comm="rpc-virtqemud" name="myDir" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1734015283.261:1729): avc: denied { add_name } for pid=24117 comm="rpc-virtqemud" name="myDir" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
----
time->Thu Dec 12 09:54:43 2024
type=PROCTITLE msg=audit(1734015283.279:1730): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F757400313230
type=SYSCALL msg=audit(1734015283.279:1730): arch=c000003e syscall=84 success=yes exit=0 a0=7f3cdc0478d0 a1=7f3cdc057fb0 a2=8000 a3=802 items=0 ppid=1 pid=24117 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(1734015283.279:1730): avc: denied { rmdir } for pid=24117 comm="rpc-virtqemud" name="myDir" dev="sdb1" ino=2228352 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1734015283.279:1730): avc: denied { remove_name } for pid=24117 comm="rpc-virtqemud" name="myDir" dev="sdb1" ino=2228352 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Expected results
Actual results
Additional info:
1. The same local path works well if it is not a block device, so this is not the same issue as RHEL-70835:
# umount /var/lib/libvirt/swtpm
# virsh start avocado-vt-vm1
Domain 'avocado-vt-vm1' started
2. 'setenforce 0' also makes it succeed.
3. On RHEL 9.6 it succeeds without this issue:
selinux-policy-38.1.48-1.el9.noarch
libvirt-10.10.0-1.el9.x86_64
qemu-kvm-9.1.0-6.el9.x86_64
swtpm-0.8.0-2.el9_4.x86_64
libtpms-0.9.1-4.20211126git1ff6fe1f43.el9.x86_64
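Triage note and helper, added here as an example and not part of the report above. Every denial in the ausearch output has tcontext=system_u:object_r:unlabeled_t:s0, and the rmdir/remove_name records name dev="sdb1": the XFS filesystem on the iSCSI LUN carries no SELinux labels at all (it was created and mounted without ever being relabelled), so no policy rule can allow virtqemud_t to create or remove directories under it. That matches the observations that the same path works once the device is unmounted and that permissive mode hides the problem. The ticket does not record why it was closed as Not a Bug; the reading here is the general SELinux one, that an unlabeled_t target is a labelling problem fixed by relabelling the mounted filesystem (restorecon -RFv) rather than by a policy change. The script below implements that check over AVC records: the sample lines are trimmed copies of the records in the report plus one constructed labelled denial (var_lib_t, dev sda1) for contrast, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: pick out AVC denials whose target is unlabeled_t and name
# the block devices behind them, i.e. the filesystems that were mounted
# without ever being relabelled. Not code from the bug report or libvirt.

# Constructed sample: the four AVC records from the report, trimmed, plus one
# invented denial against a labelled target so the filter has something to skip.
SAMPLE_AVCS='type=AVC msg=audit(1734015283.261:1729): avc:  denied  { create } for  pid=24117 comm="rpc-virtqemud" name="myDir" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1734015283.261:1729): avc:  denied  { add_name } for  pid=24117 comm="rpc-virtqemud" name="myDir" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1734015283.279:1730): avc:  denied  { rmdir } for  pid=24117 comm="rpc-virtqemud" name="myDir" dev="sdb1" ino=2228352 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1734015283.279:1730): avc:  denied  { remove_name } for  pid=24117 comm="rpc-virtqemud" name="myDir" dev="sdb1" ino=2228352 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1734015283.300:1731): avc:  denied  { write } for  pid=24117 comm="rpc-virtqemud" name="example" dev="sda1" ino=42 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1'

# avc_unlabeled LOGTEXT
# Print "comm permission tclass dev" for each AVC record whose target type is
# unlabeled_t. dev is "-" when the record carries none (the create/add_name
# records in the report do not; only rmdir/remove_name name the device).
avc_unlabeled() {
  printf '%s\n' "$1" | awk '
    /^type=AVC/ && /tcontext=[^ ]*:unlabeled_t:/ {
      comm = "-"; dev = "-"; cls = "-"; perm = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)   { comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm) }
        if ($i ~ /^dev=/)    { dev = $i;  sub(/^dev="/, "", dev);   sub(/"$/, "", dev) }
        if ($i ~ /^tclass=/) { cls = substr($i, 8) }
      }
      # the permission set sits between "{ " and " }"
      if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      print comm, perm, cls, dev
    }'
}

# unlabeled_devices LOGTEXT
# Distinct block devices named in unlabeled_t denials: the filesystems to relabel.
unlabeled_devices() {
  avc_unlabeled "$1" | awk '$4 != "-" && !seen[$4]++ { print $4 }'
}

# needs_relabel LOGTEXT
# Succeed when at least one unlabeled_t denial is present, which points at a
# labelling problem on the filesystem rather than at a missing policy rule.
needs_relabel() {
  [ -n "$(avc_unlabeled "$1")" ]
}

# Stand-alone run over the constructed sample.
if needs_relabel "$SAMPLE_AVCS"; then
  echo "unlabeled_t targets found:"
  avc_unlabeled "$SAMPLE_AVCS"
  echo "devices whose filesystem was never labelled:"
  unlabeled_devices "$SAMPLE_AVCS"
  echo "with the device mounted, relabel it: restorecon -RFv /var/lib/libvirt/swtpm"
fi
```

On the reported system the input would come from `ausearch -m avc` (piped in, or read into a variable) instead of the embedded sample. The mount point to relabel is the one from the df output above; relabelling has to be repeated, or made part of the mount procedure, for any filesystem that is freshly formatted and attached to a labelled path.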