Bug 1739994

Summary: swtpm gets 'bin_t' context type after first installation, selinux preventing libvirt to execute it
Product: Red Hat Enterprise Linux Advanced Virtualization Reporter: Yanqiu Zhang <yanqzhan>
Component: swtpmAssignee: Marc-Andre Lureau <marcandre.lureau>
Status: CLOSED ERRATA QA Contact: Xin WANG <xwan>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 8.1CC: areis, chhu, ddepaula, dyuan, marcandre.lureau, xwan, yafu, yanqzhan
Target Milestone: rc   
Target Release: 8.1   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: 0.1.0-1.20190425gitca85606.module+el8.1.0+3966+4a23dca1.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-06 07:18:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yanqiu Zhang 2019-08-12 04:07:06 UTC 
(I can not find a 'swtpm' component in this rhel-av product, if 'libtpms' is not appropriate, pls help change it. Thanks.)

Description of problem:
swtpm gets 'bin_t' context type after first installation, selinux preventing libvirt to execute it

Version-Release number of selected component (if applicable):
libvirt-daemon-5.6.0-1.module+el8.1.0+3890+4d3d259c.x86_64
qemu-kvm-4.0.0-6.module+el8.1.0+3736+a2aefea3.x86_64
swtpm-0.1.0-0.20190425gitca85606.module+el8.1.0+3523+b348b848.1.x86_64
Swtpm-tools-0.1.0-0.20190425gitca85606.module+el8.1.0+3523+b348b848.1.x86_64
edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. Do first installation of swtpm on a host
# getenforce
Enforcing
#yum install swtpm(+libtpms, swtpm-libs) swtpm-tools(+expect, tcl, tpm-tools)

2.Try to start guest with vtpm:
   <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
      </backend>
    </tpm>

# virsh start rhel8.1-ovmf
error: Failed to start domain rhel8.1-ovmf
error: internal error: Could not start 'swtpm'. exitstatus: 126, error: 2019-08-08 10:35:54.548+0000: 6768: debug : virFileClose:114 : Closed fd 40
2019-08-08 10:35:54.548+0000: 6768: debug : virFileClose:114 : Closed fd 42
2019-08-08 10:35:54.548+0000: 6768: debug : virFileClose:114 : Closed fd 37
2019-08-08 10:35:54.548+0000: 6768: debug : virExec:756 : Setting child security label to system_u:system_r:svirt_t:s0:c245,c1022
2019-08-08 10:35:54.548+0000: 6768: debug : virExecCommon:413 : Setting child uid:gid to 59:59 with caps 0
libvirt:  error : cannot execute binary /usr/bin/swtpm: Permission denied

# ausearch -m AVC -ts recent
----
time->Thu Aug  8 06:35:54 2019
type=PROCTITLE msg=audit(1565260554.547:214): proctitle=2F7573722F7362696E2F6C69627669727464002D2D74696D656F757400313230
type=SYSCALL msg=audit(1565260554.547:214): arch=c000003e syscall=59 success=no exit=-13 a0=7f78340387d0 a1=7f783401e640 a2=7ffc48294078 a3=8 items=0 ppid=5350 pid=6768 auid=4294967295 uid=59 gid=59 euid=59 suid=59 fsuid=59 egid=59 sgid=59 fsgid=59 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1565260554.547:214): avc:  denied  { entrypoint } for  pid=6768 comm="libvirtd" path="/usr/bin/swtpm" dev="dm-0" ino=633024 scontext=system_u:system_r:svirt_t:s0:c245,c1022 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

# ls -lZ /usr/bin/swtpm 
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 45504 Jun 27 12:22 /usr/bin/swtpm


Actual results:
As in step2.

Expected results:
Maybe swtpm should be labelled correctly as 'swtpm_exec_t' at first installation.

Additional info:
1. Restorecon or reinstall swtpm will make label change to be 'swtpm_exec_t', then it can be started.
# restorecon /usr/bin/swtpm (or remove swtpm* and reinstall them)
#   ls -lZ /usr/bin/swtpm
-rwxr-xr-x. 1 root root system_u:object_r:swtpm_exec_t:s0 45504 Jun 27 12:22 /usr/bin/swtpm
# virsh start avocado-vt-vm1
Domain avocado-vt-vm1 started
Comment 1 Marc-Andre Lureau 2019-08-12 09:59:08 UTC 
I can't reproduce, the file is correctly labelled. Is it only me?
Comment 2 Yanqiu Zhang 2019-08-12 10:35:44 UTC 
(In reply to Marc-Andre Lureau from comment #1)
> I can't reproduce, the file is correctly labelled. Is it only me?
Hi,
Have you installed swtpm before? My colleagues and I tried 4 hosts that never installed it before, all reproduces.
A latest try:
   73  yum install swtpm
   74   ls -lZ /usr/bin/swtpm
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 45504 Jun 27 12:22 /usr/bin/swtpm
Comment 3 Marc-Andre Lureau 2019-08-13 14:57:37 UTC 
Ok, with a fresh rhel8, I could reproduce.

Indeed, the problem is that selinux module isn't installed by the time /usr/bin/swtpm is written.

Either we split the package and depend on -selinux, or we add restorecon /usr/bin/swtpm in %post. I would opt for the second, and the fedora maintainer did the same.

I am trying to get a test build before I claim this is solved.
Comment 4 Marc-Andre Lureau 2019-09-04 11:22:39 UTC 
0.1.0-1.20190425gitca85606.module+el8.1.0+3966+4a23dca1.1 is already part of virt:8.1, I checked it works on first install.

Please verify, thanks
Comment 5 Marc-Andre Lureau 2019-09-04 12:28:36 UTC 
Danilo, was the bug supposed to move to ON_QA when integrated in virt:8.1 module?
Comment 6 Danilo de Paula 2019-09-04 13:34:34 UTC 
we need QA_ACK in order to add this to the errata.
But I see there's no QA assigned to this.

Who's triaging AV bz Ademar?
Comment 7 Danilo de Paula 2019-09-04 13:37:18 UTC 
@Marc-Andre: it goes to ON_QA automagically when we add it to the errata.
But we can't add ON_QA. They need to be MODIFIED (means it's built) or VERIFIED.
Comment 9 John Ferlan 2019-09-04 14:20:37 UTC 
Let's try yanqzhan for the qa_ack adjustment.
Comment 10 Xin WANG 2019-09-25 03:22:13 UTC 
Verify this bug with:
swtpm-0.1.0-1.20190425gitca85606.module+el8.1.0+3966+4a23dca1.1.x86_64
Swtpm-tools-0.1.0-1.20190425gitca85606.module+el8.1.0+3966+4a23dca1.1.x86_64
Edk2-ovmf-20190308git89910a39dcfd-6.el8
qemu-kvm-4.1.0-10.module+el8.1.0+4234+33aa4f57.x86_64
libvirt-daemon-5.6.0-6.virtcov.el8.x86_64
selinux-policy-3.14.3-20.el8.noarch

Steps to verify:
Freshly install swtpm, swtpm-tools, etk2-ovmf
# yum install swtpm
# yum install swtpm-tools
# yum install etk2-ovmf
# virsh dumpxml rhel8 | grep tpm
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
      <alias name='tpm0'/>
    </tpm>
[root@server ~]# getenforce
Enforcing
[root@server ~]# virsh start rhel8
Domain rhel8 started
[root@server ~]# ausearch -m AVC -ts recent
<no matches>
[root@server ~]# ls -lZ /usr/bin/swtpm
-rwxr-xr-x. 1 root root system_u:object_r:swtpm_exec_t:s0 45632 Aug 15 13:07 /usr/bin/swtpm

Since the test result is as expected, mark this bug as verified
Comment 12 errata-xmlrpc 2019-11-06 07:18:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3723