Bug 1739994 - swtpm gets 'bin_t' context type after first installation, selinux preventing libvirt from executing it
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: swtpm
Version: 8.1
Hardware: x86_64
OS: Linux
Target Milestone: rc
Target Release: 8.1
Assignee: Marc-Andre Lureau
QA Contact: Xin WANG
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-08-12 04:07 UTC by Yanqiu Zhang
Modified: 2020-11-14 08:30 UTC (History)

Fixed In Version: 0.1.0-1.20190425gitca85606.module+el8.1.0+3966+4a23dca1.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-06 07:18:29 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links: Red Hat Product Errata RHBA-2019:3723 (last updated 2019-11-06 07:18:50 UTC)

Description Yanqiu Zhang 2019-08-12 04:07:06 UTC
(I cannot find a 'swtpm' component in this rhel-av product; if 'libtpms' is not appropriate, please help change it. Thanks.)

Description of problem:
swtpm gets 'bin_t' context type after first installation, selinux preventing libvirt from executing it

Version-Release number of selected component (if applicable):
libvirt-daemon-5.6.0-1.module+el8.1.0+3890+4d3d259c.x86_64
qemu-kvm-4.0.0-6.module+el8.1.0+3736+a2aefea3.x86_64
swtpm-0.1.0-0.20190425gitca85606.module+el8.1.0+3523+b348b848.1.x86_64
swtpm-tools-0.1.0-0.20190425gitca85606.module+el8.1.0+3523+b348b848.1.x86_64
edk2-ovmf-20190308git89910a39dcfd-6.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. Do first installation of swtpm on a host
# getenforce
Enforcing
# yum install swtpm(+libtpms, swtpm-libs) swtpm-tools(+expect, tcl, tpm-tools)

2. Try to start the guest with vtpm:
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'>
      </backend>
    </tpm>

# virsh start rhel8.1-ovmf
error: Failed to start domain rhel8.1-ovmf
error: internal error: Could not start 'swtpm'. exitstatus: 126, error: 2019-08-08 10:35:54.548+0000: 6768: debug : virFileClose:114 : Closed fd 40
2019-08-08 10:35:54.548+0000: 6768: debug : virFileClose:114 : Closed fd 42
2019-08-08 10:35:54.548+0000: 6768: debug : virFileClose:114 : Closed fd 37
2019-08-08 10:35:54.548+0000: 6768: debug : virExec:756 : Setting child security label to system_u:system_r:svirt_t:s0:c245,c1022
2019-08-08 10:35:54.548+0000: 6768: debug : virExecCommon:413 : Setting child uid:gid to 59:59 with caps 0
libvirt:  error : cannot execute binary /usr/bin/swtpm: Permission denied

# ausearch -m AVC -ts recent
----
time->Thu Aug  8 06:35:54 2019
type=PROCTITLE msg=audit(1565260554.547:214): proctitle=2F7573722F7362696E2F6C69627669727464002D2D74696D656F757400313230
type=SYSCALL msg=audit(1565260554.547:214): arch=c000003e syscall=59 success=no exit=-13 a0=7f78340387d0 a1=7f783401e640 a2=7ffc48294078 a3=8 items=0 ppid=5350 pid=6768 auid=4294967295 uid=59 gid=59 euid=59 suid=59 fsuid=59 egid=59 sgid=59 fsgid=59 tty=(none) ses=4294967295 comm="libvirtd" exe="/usr/sbin/libvirtd" subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1565260554.547:214): avc:  denied  { entrypoint } for  pid=6768 comm="libvirtd" path="/usr/bin/swtpm" dev="dm-0" ino=633024 scontext=system_u:system_r:svirt_t:s0:c245,c1022 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

# ls -lZ /usr/bin/swtpm 
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 45504 Jun 27 12:22 /usr/bin/swtpm


Actual results:
As in step 2.

Expected results:
Maybe swtpm should be labelled correctly as 'swtpm_exec_t' at first installation.

Additional info:
1. Running restorecon or reinstalling swtpm changes the label to 'swtpm_exec_t', after which the guest can be started.
# restorecon /usr/bin/swtpm (or remove swtpm* and reinstall them)
# ls -lZ /usr/bin/swtpm
-rwxr-xr-x. 1 root root system_u:object_r:swtpm_exec_t:s0 45504 Jun 27 12:22 /usr/bin/swtpm
# virsh start avocado-vt-vm1
Domain avocado-vt-vm1 started

Comment 1 Marc-Andre Lureau 2019-08-12 09:59:08 UTC
I can't reproduce, the file is correctly labelled. Is it only me?

Comment 2 Yanqiu Zhang 2019-08-12 10:35:44 UTC
(In reply to Marc-Andre Lureau from comment #1)
> I can't reproduce, the file is correctly labelled. Is it only me?
Hi,
Have you installed swtpm before? My colleagues and I tried 4 hosts that had never installed it before, and it reproduces on all of them.
A latest try:
   73  yum install swtpm
   74  ls -lZ /usr/bin/swtpm
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 45504 Jun 27 12:22 /usr/bin/swtpm

Comment 3 Marc-Andre Lureau 2019-08-13 14:57:37 UTC
Ok, with a fresh rhel8, I could reproduce.

Indeed, the problem is that the SELinux module isn't installed by the time /usr/bin/swtpm is written.

Either we split the package and depend on -selinux, or we add restorecon /usr/bin/swtpm in %post. I would opt for the second, and the Fedora maintainer did the same.

I am trying to get a test build before I claim this is solved.
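As an added example (not code from this bug report or from the swtpm package), the following shell script detects the mislabel described in the report from an `ls -lZ` line and the matching AVC record, and shows the %post-style restorecon call proposed in comment 3. The sample lines are constructed to mirror the ones quoted above.

```shell
#!/bin/sh
# Added example, not code from the bug report or the swtpm package.
# Detects a binary that should carry swtpm_exec_t but was written as bin_t
# (the SELinux module was not loaded yet at install time) and the resulting
# AVC "entrypoint" denial; relabel() is the %post-style fix from comment 3.
# Sample lines are constructed to mirror those quoted in the report.

EXPECTED_TYPE="swtpm_exec_t"

SAMPLE_LS_BAD='-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 45504 Jun 27 12:22 /usr/bin/swtpm'
SAMPLE_LS_GOOD='-rwxr-xr-x. 1 root root system_u:object_r:swtpm_exec_t:s0 45504 Jun 27 12:22 /usr/bin/swtpm'
SAMPLE_AVC='type=AVC msg=audit(1565260554.547:214): avc:  denied  { entrypoint } for  pid=6768 comm="libvirtd" path="/usr/bin/swtpm" scontext=system_u:system_r:svirt_t:s0:c245,c1022 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0'

# Print the SELinux type (third field of user:role:type:level) from one `ls -lZ` line.
label_type() {
    printf '%s\n' "$1" | awk '{ split($5, c, ":"); print c[3] }'
}

# Succeed only if the `ls -lZ` line carries the expected type.
check_label() {
    [ "$(label_type "$1")" = "$EXPECTED_TYPE" ]
}

# Read `ls -lZ` lines on stdin; print the path of every file whose type differs.
mislabelled_paths() {
    awk -v want="$EXPECTED_TYPE" '{ split($5, c, ":"); if (c[3] != want) print $NF }'
}

# Succeed if an audit record is an entrypoint denial on a bin_t file: the
# signature libvirt hits when it transitions into a mislabelled swtpm.
is_entrypoint_bin_t_denial() {
    case "$1" in
        *"avc:  denied  { entrypoint }"*"tcontext=system_u:object_r:bin_t:"*) return 0 ;;
    esac
    return 1
}

# What a package %post does: reset the file to its policy-defined label.
# Succeeds silently when restorecon is absent so the install is not failed.
relabel() {
    command -v restorecon >/dev/null 2>&1 || return 0
    restorecon -v "$1"
}

if ! check_label "$SAMPLE_LS_BAD"; then
    echo "mislabelled: $(label_type "$SAMPLE_LS_BAD") instead of $EXPECTED_TYPE"
fi
if is_entrypoint_bin_t_denial "$SAMPLE_AVC"; then
    echo "AVC: svirt_t entrypoint denied on bin_t file (mislabelled swtpm)"
fi
```

On a real host, `ls -lZ /usr/bin/swtpm | mislabelled_paths` reports the path only while the label is wrong, and `relabel /usr/bin/swtpm` applies the same fix the package's %post does.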

Comment 4 Marc-Andre Lureau 2019-09-04 11:22:39 UTC
0.1.0-1.20190425gitca85606.module+el8.1.0+3966+4a23dca1.1 is already part of virt:8.1, I checked it works on first install.

Please verify, thanks

Comment 5 Marc-Andre Lureau 2019-09-04 12:28:36 UTC
Danilo, was the bug supposed to move to ON_QA when integrated in virt:8.1 module?

Comment 6 Danilo de Paula 2019-09-04 13:34:34 UTC
We need QA_ACK in order to add this to the errata.
But I see there's no QA assigned to this.

Who's triaging AV bz, Ademar?

Comment 7 Danilo de Paula 2019-09-04 13:37:18 UTC
@Marc-Andre: it goes to ON_QA automagically when we add it to the errata.
But we can't add ON_QA. They need to be MODIFIED (means it's built) or VERIFIED.

Comment 9 John Ferlan 2019-09-04 14:20:37 UTC
Let's try yanqzhan for the qa_ack adjustment.

Comment 10 Xin WANG 2019-09-25 03:22:13 UTC
Verify this bug with:
swtpm-0.1.0-1.20190425gitca85606.module+el8.1.0+3966+4a23dca1.1.x86_64
swtpm-tools-0.1.0-1.20190425gitca85606.module+el8.1.0+3966+4a23dca1.1.x86_64
edk2-ovmf-20190308git89910a39dcfd-6.el8
qemu-kvm-4.1.0-10.module+el8.1.0+4234+33aa4f57.x86_64
libvirt-daemon-5.6.0-6.virtcov.el8.x86_64
selinux-policy-3.14.3-20.el8.noarch

Steps to verify:
Freshly install swtpm, swtpm-tools, edk2-ovmf
# yum install swtpm
# yum install swtpm-tools
# yum install edk2-ovmf
# virsh dumpxml rhel8 | grep tpm
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
      <alias name='tpm0'/>
    </tpm>
[root@server ~]# getenforce
Enforcing
[root@server ~]# virsh start rhel8
Domain rhel8 started
[root@server ~]# ausearch -m AVC -ts recent
<no matches>
[root@server ~]# ls -lZ /usr/bin/swtpm
-rwxr-xr-x. 1 root root system_u:object_r:swtpm_exec_t:s0 45632 Aug 15 13:07 /usr/bin/swtpm

Since the test result is as expected, mark this bug as verified.

Comment 12 errata-xmlrpc 2019-11-06 07:18:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3723

