Bugzilla – Bug 1226398
selinux - swtpm - virt-manager can no longer start vm
Last modified: 2024-07-18 13:37:44 UTC
Recently, I have been unable to start VMs. I get the following error in virt-manager:

Error starting domain: operation failed: swtpm died and reported: swtpm: Could not open logfile for writing: Permission denied

I suspected it was a change to SELinux, or perhaps some other recent update. The AVCs show:

type=AVC msg=audit(1718509582.300:374): avc: denied { relabelfrom } for pid=1606 comm="rpc-virtqemud" name=".lock" dev="nvme0n1p3" ino=12780 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1718509582.300:375): avc: denied { relabelto } for pid=1606 comm="rpc-virtqemud" name=".lock" dev="nvme0n1p3" ino=12780 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=1

I don't think I've made any changes that would have caused this issue.
Does this occur on a fresh RC2 install or a pre RC2 installation?
Fresh RC2, but it worked immediately after installing RC2 and stopped working several snapshots ago.
sudo setenforce 0 lets me start it.
Sorry, last update for now. I tried switching from Emulated to Passthrough TPM with /dev/tpmrm0, and it works. So, more specifically, I suppose emulated TPMs are the issue.
Will have a look. Could you please provide the information here? https://en.opensuse.org/openSUSE:Bugreport_SELinux Thanks :)
Okay, never mind, we don't need the additional info; I think I found the cause: swtpm ships a swtpm-selinux module, which relies on the libvirt interfaces from the main policy. The libvirt interfaces have been rewritten in the last months in the main policy. It seems swtpm upstream is drafting a new release with a rewritten swtpm-selinux module: https://github.com/stefanberger/swtpm/pull/858/files This will include the fix: https://github.com/stefanberger/swtpm/blob/master/src/selinux/swtpm_libvirt.te#L57 @Marcus, could you keep an eye on the new swtpm release and version bump then? I think that should fix the issue. @Benjamin: if it is urgent, you can allow these rules with audit2allow -M on your local system, as upstream thinks they are fine to allow. Otherwise you can wait for the new swtpm-selinux release.
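The local workaround suggested above (audit2allow -M) turns the two AVC records from the report into a small SELinux policy module. The following is an added example, not code from the bug, from openSUSE or from swtpm: a POSIX shell function that does the same derivation as audit2allow for plain AVC records (scontext type, tcontext type, tclass and the permissions in braces become one allow rule per type pair, plus the require block a .te file needs) and that prints the resulting module source. The module name local_swtpm and the sample audit file written to a temporary directory are assumptions for the example; the two AVC lines in that file are copied from the report.

```shell
#!/bin/sh
# Added example: derive a local SELinux policy module (.te) from AVC denials,
# the way "audit2allow -M local_swtpm" would for the two records in the bug.

# avc_to_te FILE [MODULE_NAME]
# Reads audit records from FILE and prints a .te module on stdout.
avc_to_te() {
    awk -v mod="${2:-local_swtpm}" '
    /avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""
        # permissions are listed between { and }, e.g. "{ relabelfrom }"
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            # third colon-separated field of a context is the type
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "" || perms == "") next
        # remember every type for the require block, in first-seen order
        if (!(s in types)) { types[s] = 1; tlist[++nt] = s }
        if (!(t in types)) { types[t] = 1; tlist[++nt] = t }
        if (!(c in classes)) { classes[c] = 1; clist[++nc] = c }
        key = s SUBSEP t SUBSEP c
        if (!(key in rules)) { rules[key] = ""; klist[++nk] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            # merge permissions across records for the same (source, target, class)
            if (!((key SUBSEP p[j]) in seen)) { seen[key SUBSEP p[j]] = 1; rules[key] = rules[key] " " p[j] }
            if (!((c SUBSEP p[j]) in cseen)) { cseen[c SUBSEP p[j]] = 1; cperms[c] = cperms[c] " " p[j] }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", clist[i], cperms[clist[i]]
        printf "}\n\n"
        for (i = 1; i <= nk; i++) {
            split(klist[i], f, SUBSEP)
            printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], rules[klist[i]]
        }
    }' "$1"
}

# Constructed sample: the two AVC records from the report, as they would be
# returned by "ausearch -m avc -c rpc-virtqemud --raw".
AVC_SAMPLE="${TMPDIR:-/tmp}/avc_sample.$$.log"
cat > "$AVC_SAMPLE" <<'EOF'
type=AVC msg=audit(1718509582.300:374): avc:  denied  { relabelfrom } for  pid=1606 comm="rpc-virtqemud" name=".lock" dev="nvme0n1p3" ino=12780 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1718509582.300:375): avc:  denied  { relabelto } for  pid=1606 comm="rpc-virtqemud" name=".lock" dev="nvme0n1p3" ino=12780 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=1
EOF

avc_to_te "$AVC_SAMPLE" local_swtpm

# To actually install the module on the affected host (needs root and the
# policy tools), the generated .te goes through checkmodule/semodule_package:
#   avc_to_te "$AVC_SAMPLE" local_swtpm > local_swtpm.te
#   checkmodule -M -m -o local_swtpm.mod local_swtpm.te
#   semodule_package -o local_swtpm.pp -m local_swtpm.mod
#   sudo semodule -i local_swtpm.pp
# which is the same result as
#   sudo ausearch -m avc -c rpc-virtqemud --raw | audit2allow -M local_swtpm
```

The generated rule is deliberately as narrow as the denials themselves (only relabelfrom and relabelto on file objects of type virt_var_lib_t for virtqemud_t); remove the local module with semodule -r local_swtpm once the swtpm-selinux update that carries the proper rules is installed.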
@Cathy Thanks for the quick investigation. While messing with my SELinux rules, I noticed that adding a custom module with audit2allow did not fix the problem. Well, since I'm running Aeon, and since TPM should play an important role in it later, I think the ideal setup in Aeon should be to use passthrough. I honestly forgot I had turned off TPM in the BIOS due to earlier incompatibilities, or else I would have used it for my VM.
Hello, I successfully tested the new SELinux modules "swtpm", "swtpm_svirt" and "swtpm_libvirt": https://github.com/stefanberger/swtpm/tree/master/src/selinux They were released on 18th June with release 0.9.0, with a small change on 15th July. I compiled them and imported them on an openSUSE Tumbleweed system. There are no more denied entries concerning swtpm.