Bug 2331316
| Summary: | TPM-backed instance fails to start after it was stopped because of incorrect label of /run/libvirt/qemu/swtpm/49-instance-ID-swtpm.pid | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Alex Stupnikov <astupnik> |
| Component: | openstack-nova | Assignee: | OSP DFG:Compute <osp-dfg-compute> |
| Status: | CLOSED DUPLICATE | QA Contact: | OSP DFG:Compute <osp-dfg-compute> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 17.1 (Wallaby) | CC: | bdobreli, dasmith, eglynn, jhakimra, kchamart, sbauza, sgordon, vromanso |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2024-12-11 13:15:10 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Fixed for z4

*** This bug has been marked as a duplicate of bug 2122656 ***

Sorry, not a duplicate of bug 2122656. The /run/libvirt mounts used by containers already do have :z
Description of problem:

RHOSP 17.1.3 is affected by a problem that may become an issue for a very wide audience: after a TPM-backed instance is stopped, it is no longer possible to start it because of the following SELinux problem:

type=AVC msg=audit(1733720908.058:231104): avc: denied { write } for pid=197216 comm="swtpm" path="/run/libvirt/qemu/swtpm/49-instance-ID-swtpm.pid" dev="tmpfs" ino=240819 scontext=system_u:system_r:svirt_t:s0:c363,c550 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0

In nova-compute logs I can see the error:

2024-12-09 05:08:28.076+0000: 8516: error : qemuTPMEmulatorStart:997 : operation failed: swtpm died and reported:

In libvirt logs there is an error:

Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Mon 09 Dec 2024 05:08:28 AM UTC
Could not open UnixIO socket: Permission denied

Version-Release number of selected component (if applicable):
RHOSP 17.1.3

How reproducible:
create a TPM-backed instance, stop it and then try to start it

Actual results:
instance startup is blocked by SELinux

Expected results:
instance is started smoothly

Additional info:
will be provided privately
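The AVC record quoted above already carries everything needed to triage the denial: the source domain (svirt_t, the confined domain the qemu-spawned swtpm runs in), the target label (container_ro_file_t on the swtpm pid file), the denied permission, and whether SELinux was enforcing. The following Python is an added example, not part of the bug report or of nova/libvirt: it parses an AVC line into those fields, produces a one-line triage summary, filters out denials that were only logged in permissive mode, and checks that the libvirtd error was logged at the same instant as the audit event. The AVC and libvirtd lines are copied from the report; the permissive-mode variant is constructed.

```python
import re
from datetime import datetime, timezone

# AVC denial copied verbatim from the bug report.
AVC_LINE = (
    'type=AVC msg=audit(1733720908.058:231104): avc: denied { write } for pid=197216 '
    'comm="swtpm" path="/run/libvirt/qemu/swtpm/49-instance-ID-swtpm.pid" dev="tmpfs" '
    'ino=240819 scontext=system_u:system_r:svirt_t:s0:c363,c550 '
    'tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0'
)

# Constructed variant: same denial, but recorded with SELinux in permissive mode.
PERMISSIVE_LINE = AVC_LINE.replace(':231104)', ':231105)').replace('permissive=0', 'permissive=1')

# libvirtd error line copied from the bug report, used to show timestamp correlation.
LIBVIRT_LINE = ('2024-12-09 05:08:28.076+0000: 8516: error : qemuTPMEmulatorStart:997 : '
                'operation failed: swtpm died and reported:')

_HEADER_RE = re.compile(
    r'^type=AVC msg=audit\((?P<secs>\d+)\.(?P<frac>\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split an SELinux context into user, role, type and MLS/MCS range."""
    user, role, typ, rng = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': typ, 'range': rng}


def parse_avc(line):
    """Parse one audit AVC record into a dict; raises ValueError for non-AVC lines."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    # Build the timestamp from integer parts to avoid float rounding of the fraction.
    when = datetime.fromtimestamp(int(m.group('secs')), tz=timezone.utc)
    when = when.replace(microsecond=int(m.group('frac').ljust(6, '0')[:6]))
    return {
        'time': when,
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'enforced': fields.get('permissive') == '0',
        'scontext': parse_context(fields['scontext']),
        'tcontext': parse_context(fields['tcontext']),
        'fields': fields,
    }


def summarize(ev):
    """One-line triage summary: which domain was denied which access on what label."""
    f = ev['fields']
    return '%s (%s) %s %s on %s labeled %s: %s' % (
        f.get('comm', '?'), ev['scontext']['type'], ev['result'], ','.join(ev['perms']),
        f.get('tclass', '?'), ev['tcontext']['type'], f.get('path', f.get('name', '?')))


def enforced_denials(lines):
    """Return summaries only for denials that actually blocked access (permissive=0)."""
    out = []
    for line in lines:
        try:
            ev = parse_avc(line)
        except ValueError:
            continue  # not an AVC record (other audit types, free text)
        if ev['result'] == 'denied' and ev['enforced']:
            out.append(summarize(ev))
    return out


def correlate(ev, libvirt_line, tolerance_s=2.0):
    """True when the libvirtd log timestamp falls within tolerance of the AVC event."""
    stamp = libvirt_line.split(': ', 1)[0]  # e.g. '2024-12-09 05:08:28.076+0000'
    when = datetime.strptime(stamp, '%Y-%m-%d %H:%M:%S.%f%z')
    return abs((when - ev['time']).total_seconds()) <= tolerance_s


if __name__ == '__main__':
    event = parse_avc(AVC_LINE)
    print(event['time'].isoformat())
    print(summarize(event))
    print('libvirtd error at same instant:', correlate(event, LIBVIRT_LINE))
    print(enforced_denials([AVC_LINE, PERMISSIVE_LINE, 'type=SYSCALL msg=audit(1:2): arch=c000003e']))
```

The summary makes the label mismatch explicit (a svirt_t process writing a container_ro_file_t file), and the timestamp check ties the audit event to the `qemuTPMEmulatorStart` failure 18 ms later, which is the correlation one would do by hand on the compute node before looking at how the pid file got its label.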