stable

swtpm-0.8.1-7.fc40

FEDORA-2024-f53eab6892 created by stefanberger 2 months ago for Fedora 40

Fix SELinux policy for swtpm due to changes in targeted SELinux policy

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2024-f53eab6892

This update has been submitted for testing by stefanberger.

2 months ago

This update's test gating status has been changed to 'waiting'.

2 months ago

This update's test gating status has been changed to 'waiting'.

2 months ago

This update has been pushed to testing.

2 months ago

This update's test gating status has been changed to 'passed'.

2 months ago
BZ#2271074 SELinux is preventing swtpm from 'open' accesses on the file /var/log/swtpm/libvirt/qemu/fedora-swtpm.log.
BZ#2277041 SELinux is preventing swtpm from 'open' accesses on the file /var/log/swtpm/libvirt/qemu/win10-swtpm.log.
BZ#2278123 libvirt virtual machines cannot be created with SWTPM when SELinux is enabled: SELinux denials logged. No issues without SWTPM. Multiple user reports
geraldosimiao commented & provided feedback 2 months ago

Excellent, finally I managed to create new VMs in virt-manager with tpm2. Fixed the bug for my F39 -> F40 KDE upgraded host.
I'm the reporter from bug#2271074

Operating System: Fedora Linux 40
KDE Plasma Version: 6.0.4
KDE Frameworks Version: 6.1.0
Qt Version: 6.7.0
Kernel Version: 6.8.8-300.fc40.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 8 × Intel® Core™ i7-3632QM CPU @ 2.20GHz
Memory: 15.4 GiB of RAM
Graphics Processor: Mesa Intel® HD Graphics 4000

libvirt-client-10.1.0-1.fc40.x86_64
libvirt-daemon-10.1.0-1.fc40.x86_64
libvirt-glib-5.0.0-3.fc40.x86_64
libvirt-libs-10.1.0-1.fc40.x86_64
virt-install-4.1.0-5.fc40.noarch
virt-manager-4.1.0-5.fc40.noarch
virt-manager-common-4.1.0-5.fc40.noarch

BZ#2271074 SELinux is preventing swtpm from 'open' accesses on the file /var/log/swtpm/libvirt/qemu/fedora-swtpm.log.
BZ#2278123 libvirt virtual machines cannot be created with SWTPM when SELinux is enabled: SELinux denials logged. No issues without SWTPM. Multiple user reports
bug2k24 commented & provided feedback 2 months ago

This has not resolved my issue starting VMs that are using tpm. Logging shows the following lines:

May 02 09:20:04 Precision7760 SetroubleshootPrivileged.py[12158]: failed to retrieve rpm info for path '/var/lib/selinux/targeted/active/modules/200/swtpm':
May 02 09:20:04 Precision7760 setroubleshoot[12147]: SELinux is preventing swtpm from write access on the file /run/libvirt/qemu/swtpm/3-MyVM-swtpm.pid. For complete SELinux messages run: sealert -l 70415a9c-e043-41a0-a61a-58775c389c3b
May 02 09:20:04 Precision7760 setroubleshoot[12147]: SELinux is preventing swtpm from write access on the file /run/libvirt/qemu/swtpm/3-MyVM-swtpm.pid.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that swtpm should be allowed write access on the 3-MyVM-swtpm.pid file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'swtpm' --raw | audit2allow -M my-swtpm
    # semodule -X 300 -i my-swtpm.pp

May 02 09:20:04 Precision7760 setroubleshoot[12147]: SELinux is preventing swtpm from write access on the directory swtpm. For complete SELinux messages run: sealert -l 252722f5-c02c-4684-ad9b-c670f752766c
May 02 09:20:04 Precision7760 setroubleshoot[12147]: SELinux is preventing swtpm from write access on the directory swtpm.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that swtpm should be allowed write access on the swtpm directory by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'swtpm' --raw | audit2allow -M my-swtpm
    # semodule -X 300 -i my-swtpm.pp

Executing the lines as suggested in the log does not resolve the issue. If I revert to the following versions, the VM will start:

selinux-policy-40.13-1.fc40.noarch
selinux-policy-targeted-40.13-1.fc40.noarch

py0xc3 commented & provided feedback 2 months ago

Two further users at ask.fedora report that this update fixes BZ#2278123.

BZ#2278123 libvirt virtual machines cannot be created with SWTPM when SELinux is enabled: SELinux denials logged. No issues without SWTPM. Multiple user reports

This update can be pushed to stable now if the maintainer wishes.

2 months ago

This update has been submitted for stable by stefanberger.

2 months ago
cmellwig commented & provided feedback 2 months ago

Works for newly created and existing VMs. No issues noticed.

BZ#2277041 SELinux is preventing swtpm from 'open' accesses on the file /var/log/swtpm/libvirt/qemu/win10-swtpm.log.
BZ#2278123 libvirt virtual machines cannot be created with SWTPM when SELinux is enabled: SELinux denials logged. No issues without SWTPM. Multiple user reports

This update has been pushed to stable.

2 months ago
grumpey commented & provided feedback 2 months ago

After updating to swtpm-0.8.1.7, the Windows 11 VM on GNOME Boxes failed to start; I observed the following AVC denials:

May 04 09:16:35 grumpey0 audit[3411]: AVC avc: denied { create } for pid=3411 comm="swtpm" name="1-win11-2-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c31,c772 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
May 04 09:16:35 grumpey0 audit[3420]: AVC avc: denied { create } for pid=3420 comm="swtpm" name="2-win11-2-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c256,c313 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
May 04 09:16:51 grumpey0 audit[3522]: AVC avc: denied { create } for pid=3522 comm="swtpm" name="3-win11-2-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c477,c1002 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
May 04 09:18:14 grumpey0 audit[3679]: AVC avc: denied { create } for pid=3679 comm="swtpm" name="4-win11-2-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c521,c560 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
May 04 09:20:55 grumpey0 audit[4478]: AVC avc: denied { create } for pid=4478 comm="swtpm" name="5-win11-2-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c423,c863 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0

After installing swtpm-0.8.1.8, I was able to start the VM and I am not currently observing any denials.
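To triage denials like the ones reported in this thread before reaching for audit2allow, here is an added example (not part of the update, swtpm, or any commenter's post) that parses kernel AVC records from journal lines into their fields and counts enforced denials by source type, target type and object class. The sample lines are copied from the comment above, plus one constructed non-AVC line to show that unrelated journal entries are skipped.

```python
import re
from collections import Counter

# Journal lines copied from the comment above (denials seen with swtpm-0.8.1-7),
# plus one constructed non-AVC line.
SAMPLE_AVC_LINES = [
    'May 04 09:16:35 grumpey0 audit[3411]: AVC avc: denied { create } for pid=3411 comm="swtpm" name="1-win11-2-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c31,c772 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0',
    'May 04 09:16:35 grumpey0 audit[3420]: AVC avc: denied { create } for pid=3420 comm="swtpm" name="2-win11-2-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c256,c313 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0',
    'May 04 09:16:51 grumpey0 audit[3522]: AVC avc: denied { create } for pid=3522 comm="swtpm" name="3-win11-2-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c477,c1002 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0',
    'May 04 09:16:35 grumpey0 systemd[1]: Started session-3.scope.',  # constructed
]

# Fields of a kernel AVC record as they appear in the journal.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]+)"'
    r'(?:\s+name="(?P<name>[^"]+)")?'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)

def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["perms"] = tuple(rec["perms"].split())      # e.g. ("create",) or ("read", "write")
    rec["permissive"] = rec["permissive"] == "1"    # True if only logged, not enforced
    # A context is user:role:type:level; the type is what policy rules are written against.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(lines):
    """Count enforced denials by (comm, permissions, source type, target type, class)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["permissive"]:
            continue
        key = (rec["comm"], " ".join(rec["perms"]), rec["stype"], rec["ttype"], rec["tclass"])
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AVC_LINES).most_common():
        print(n, *key)
```

The summary collapses the per-VM category pairs (c31,c772 and so on) down to the svirt_t -> user_tmp_t:sock_file create rule that is actually missing, which is the line to quote in a bug report rather than a locally generated module.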



Metadata
Type: bugfix
Karma: 2
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 14 days
Dates
submitted: 2 months ago
in testing: 2 months ago
in stable: 2 months ago
approved: 2 months ago