- Bug
- Resolution: Unresolved
- Undefined
- rhel-10.0
- swtpm-0.9.0-5.el10
- No
- Critical
- rhel-sst-virtualization
- ssg_virtualization
- 5
- False
- Pass
- RegressionOnly
What were you trying to do that didn't work?
Shared TPM storage on NFS has been supported since Bugzilla 2130192 and works well on RHEL 9. But on RHEL 10 it fails due to an SELinux issue. Bug RHEL-71068 has fixed some of it, but rules are still needed in swtpm-selinux for the "scontext=system_u:system_r:swtpm_t:s0" ones.
What is the impact of this issue to you?
CNV also uses this feature; it will cause a functional regression failure if not fixed.
Please provide the package NVR for which the bug is seen:
swtpm-0.9.0-4.el10.x86_64
selinux-policy-40.13.21-1.el10.noarch
libvirt-10.10.0-3.el10.x86_64
How reproducible is this bug?:
100%
Steps to reproduce
1. Mount NFS on the default vTPM path.
   In /etc/exports on the NFS server:
   /test/myswtpm *(rw,async,no_root_squash)
   Test on the client:
   # mount NFSserver:/test/myswtpm /var/lib/libvirt/swtpm
2. Define and start a VM with the default TPM state path.
Expected results
The VM should start successfully. Per the selinux-policy fix, we may need:
allow swtpm_t nfs_t:dir { *** }; (check all rights required in the permissive-mode messages below)
For this one, "[ virt_use_nfs ]:True", I'm not sure whether swtpm-selinux needs to do it or not.
Actual results
# virsh start avocado-vt-vm1
error: Failed to start domain 'avocado-vt-vm1'
error: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log' for details.
# cat /var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log
/usr/bin/swtpm exit with status 256:
Although there is no NFS-related message in the audit log, all virtqemud-related messages are as below; only one is TPM-related.
# cat audit-fail.log | grep -iE 'tpm|avc|nfs'
type=VIRT_RESOURCE msg=audit(1736763845.561:180): pid=2182 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=tpm-emulator reason=start vm="avocado-vt-vm1" uuid=4dc909ac-362a-4f3f-a99e-af7083bf6182 device="?" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
Additional info:
(1) "umount /var/lib/libvirt/swtpm" (using the local TPM dir) makes it succeed.
# cat audit-success-umount.log | grep -iE 'tpm|nfs|avc'
type=VIRT_RESOURCE msg=audit(1736763973.479:210): pid=2582 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=tpm-emulator reason=start vm="avocado-vt-vm1" uuid=4dc909ac-362a-4f3f-a99e-af7083bf6182 device="/run/libvirt/qemu/swtpm/1-avocado-vt-vm1-swtpm.sock" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
(2) "setenforce 0" (permissive mode) also makes it succeed.
# grep 'avc: denied' audit-success-permissive.log
type=AVC msg=audit(1736764229.872:233): avc: denied { write } for pid=2895 comm="swtpm" name="tpm2" dev="0:54" ino=69940677 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1736764229.872:233): avc: denied { add_name } for pid=2895 comm="swtpm" name="TMP2-00.permall" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1736764229.872:233): avc: denied { create } for pid=2895 comm="swtpm" name="TMP2-00.permall" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736764229.872:233): avc: denied { write open } for pid=2895 comm="swtpm" path="/var/lib/libvirt/swtpm/4dc909ac-362a-4f3f-a99e-af7083bf6182/tpm2/TMP2-00.permall" dev="0:54" ino=69940680 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736764229.873:234): avc: denied { remove_name } for pid=2895 comm="swtpm" name="TMP2-00.permall" dev="0:54" ino=69940680 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1736764229.873:234): avc: denied { rename } for pid=2895 comm="swtpm" name="TMP2-00.permall" dev="0:54" ino=69940680 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736764229.873:235): avc: denied { read } for pid=2895 comm="swtpm" name="tpm2-00.permall" dev="0:54" ino=69940680 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736764229.873:236): avc: denied { getattr } for pid=2895 comm="swtpm" path="/var/lib/libvirt/swtpm/4dc909ac-362a-4f3f-a99e-af7083bf6182/tpm2/tpm2-00.permall" dev="0:54" ino=69940680 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736764229.874:237): avc: denied { lock } for pid=2895 comm="swtpm" path="/var/lib/libvirt/swtpm/4dc909ac-362a-4f3f-a99e-af7083bf6182/tpm2/.lock" dev="0:54" ino=69940681 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736764229.876:238): avc: denied { unlink } for pid=2895 comm="swtpm" name="tpm2-00.permall" dev="0:54" ino=69940680 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
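To turn the permissive-mode denials above into the concrete allow rules the "Expected results" section leaves as "{ *** }", here is an added helper script (it is not part of this report, of swtpm-selinux or of selinux-policy) that does the type-enforcement part of what audit2allow does: it groups every AVC record by (source type, target type, object class), unions the denied permissions, renders them as allow rules, and can also report which permissions an existing policy fragment still lacks. The AVC records embedded below are the ones from this report with the dev/ino fields trimmed; the policy fragment in the __main__ block is a constructed example standing in for whatever swtpm-selinux currently ships. Booleans such as virt_use_nfs are a separate mechanism and are not modelled here.

```python
import re
from collections import defaultdict

# AVC records from the report above, trimmed to the fields the parser reads.
# Fields the regex does not name (pid, comm, name, path, dev, ino) are skipped,
# so untrimmed audit.log lines parse the same way.
AVC_LOG = """\
type=VIRT_RESOURCE msg=audit(1736763845.561:180): pid=2182 uid=0 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=tpm-emulator reason=start vm="avocado-vt-vm1" res=success'
type=AVC msg=audit(1736764229.872:233): avc: denied { write } for pid=2895 comm="swtpm" name="tpm2" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1736764229.872:233): avc: denied { add_name } for pid=2895 comm="swtpm" name="TMP2-00.permall" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1736764229.872:233): avc: denied { create } for pid=2895 comm="swtpm" name="TMP2-00.permall" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736764229.872:233): avc: denied { write open } for pid=2895 comm="swtpm" path="/var/lib/libvirt/swtpm/4dc909ac-362a-4f3f-a99e-af7083bf6182/tpm2/TMP2-00.permall" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736764229.873:234): avc: denied { remove_name } for pid=2895 comm="swtpm" name="TMP2-00.permall" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1736764229.873:234): avc: denied { rename } for pid=2895 comm="swtpm" name="TMP2-00.permall" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736764229.873:235): avc: denied { read } for pid=2895 comm="swtpm" name="tpm2-00.permall" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736764229.873:236): avc: denied { getattr } for pid=2895 comm="swtpm" path="/var/lib/libvirt/swtpm/4dc909ac-362a-4f3f-a99e-af7083bf6182/tpm2/tpm2-00.permall" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736764229.874:237): avc: denied { lock } for pid=2895 comm="swtpm" path="/var/lib/libvirt/swtpm/4dc909ac-362a-4f3f-a99e-af7083bf6182/tpm2/.lock" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1736764229.876:238): avc: denied { unlink } for pid=2895 comm="swtpm" name="tpm2-00.permall" scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
"""

# One AVC denial: "{ perm perm ... }" followed later by the two contexts and the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# One TE allow rule, either "allow a b:c { p q };" or "allow a b:c p;".
ALLOW_RE = re.compile(
    r'^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+'
    r'(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>[^\s;]+))\s*;',
    re.MULTILINE,
)


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:          # not an AVC denial (e.g. VIRT_RESOURCE records)
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return needed


def render_allow_rules(needed):
    """Render the aggregated denials as deterministic, sorted TE allow rules."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(needed.items())
    ]


def parse_allow_rules(policy_text):
    """Map (source, target, class) -> permissions granted by a policy fragment."""
    granted = defaultdict(set)
    for m in ALLOW_RE.finditer(policy_text):
        perms = m["perms"] if m["perms"] is not None else m["perm"]
        granted[(m["src"], m["tgt"], m["cls"])].update(perms.split())
    return granted


def uncovered(needed, policy_text):
    """Permissions seen in the denials that policy_text does not yet grant."""
    granted = parse_allow_rules(policy_text)
    missing = {}
    for key, perms in needed.items():
        gap = perms - granted.get(key, set())
        if gap:
            missing[key] = gap
    return missing


if __name__ == "__main__":
    needed = collect_denials(AVC_LOG)
    for rule in render_allow_rules(needed):
        print(rule)
    # Constructed stand-in for a partial fix: only the dir write is already allowed.
    partial_policy = "allow swtpm_t nfs_t:dir { write };"
    for key, gap in sorted(uncovered(needed, partial_policy).items()):
        print("still missing for %s %s:%s -> %s" % (*key, " ".join(sorted(gap))))
```

Run against the report's denials, the script derives two rules: swtpm_t needs { add_name remove_name write } on nfs_t directories and { create getattr lock open read rename unlink write } on nfs_t files, which matches the create-then-rename pattern swtpm uses to update its state file and the .lock file it takes. The uncovered() check is the part worth keeping around: feed it the rules a proposed swtpm-selinux build actually ships and it tells you whether a fresh permissive-mode run should still be expected to log denials, before switching back to enforcing.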
- links to: RHBA-2024:143324 swtpm bug fix and enhancement update