Bug 1769196 - Security context of swtpm.log isn't restored after destroy vm if restart libvirtd while vm running
Summary: Security context of swtpm.log isn't restored after destroy vm if restart libv...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: libvirt
Version: 8.1
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Michal Privoznik
QA Contact: Yanqiu Zhang
URL:
Whiteboard:
Depends On:
Blocks: 1897025
Reported: 2019-11-06 06:14 UTC by Yanqiu Zhang
Modified: 2021-11-16 07:58 UTC (History)

Fixed In Version: libvirt-7.3.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-16 07:49:54 UTC
Type: Bug
Target Upstream Version: 7.2.0
Embargoed:


Attachments
libvirtd_qemu_logs (632.20 KB, application/gzip)
2019-11-06 06:28 UTC, Yanqiu Zhang


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:4684 0 None None None 2021-11-16 07:50:58 UTC

Description Yanqiu Zhang 2019-11-06 06:14:39 UTC
Description of problem:
Security context of swtpm.log isn't restored after destroying the VM if libvirtd is restarted while the VM is running. This only happens when remember_owner = 1.

Version-Release number of selected component (if applicable):
libvirt-5.6.0-7.module+el8.1.1+4483+2f45aaa2.x86_64
qemu-kvm-4.1.0-13.module+el8.1.0+4313+ef76ec61.x86_64
selinux-policy-3.14.3-18.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. Start a guest with a vTPM device, then check the swtpm process and log file:
# virsh start rhel8.1-ovmf
Domain rhel8.1-ovmf started

  <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>

# ps aux|grep swtpm
tss        535  0.1  0.0  20976  2880 ?        Ss   08:55   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/19-rhel8.1-ovmf-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/0572326a-499d-407e-8d4a-2a8e974c9496/tpm2,mode=0600 --log file=/var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log --tpm2 --pid file=/var/run/libvirt/qemu/swtpm/19-rhel8.1-ovmf-swtpm.pid

# ll -Z /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c85,c505 17705 Aug 21 07:56 /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log

# getfattr -m trusted.libvirt.security -d /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
getfattr: Removing leading '/' from absolute path names
# file: var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="system_u:object_r:var_log_t:s0"
trusted.libvirt.security.timestamp_selinux="1572842526"

2. Restart libvirtd and check swtpm again:
tss        535  0.0  0.0  21252  2880 ?        Ss   08:55   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/19-rhel8.1-ovmf-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/0572326a-499d-407e-8d4a-2a8e974c9496/tpm2,mode=0600 --log file=/var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log --tpm2 --pid file=/var/run/libvirt/qemu/swtpm/19-rhel8.1-ovmf-swtpm.pid

# ll -Z /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c85,c505 17705 Aug 21 07:56 /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log

#  getfattr -m trusted.libvirt.security -d /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
getfattr: Removing leading '/' from absolute path names
# file: var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="system_u:object_r:var_log_t:s0"
trusted.libvirt.security.timestamp_selinux="1572842526"

3. Destroy vm and check swtpm again:
# virsh destroy rhel8.1-ovmf
Domain rhel8.1-ovmf destroyed

# ps aux|grep swtpm
(nothing)

# ll -Z /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c85,c505 17705 Aug 21 07:56 /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log

#  getfattr -m trusted.libvirt.security -d /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
getfattr: Removing leading '/' from absolute path names
# file: var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="system_u:object_r:var_log_t:s0"
trusted.libvirt.security.timestamp_selinux="1572842526"

4. Try to start the vm:
# virsh start rhel8.1-ovmf
error: Failed to start domain rhel8.1-ovmf
error: internal error: child reported (status=125): Requested operation is not valid: Setting different SELinux label on /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log which is already in use

#  getfattr -m trusted.libvirt.security -d /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
(nothing)

# ll -Z /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:var_log_t:s0 17705 Aug 21 07:56 /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log

# virsh start rhel8.1-ovmf
Domain rhel8.1-ovmf started


Actual results:
1. As in step 3, the security context of swtpm.log isn't restored after destroying the VM if libvirtd was restarted while the VM was running, and the info stored in xattrs isn't cleared.
2. In step 4, the next VM start fails due to the SELinux label error.


Expected results:
Security context of swtpm.log should be restored to system_u:object_r:var_log_t:s0 after the VM is destroyed.

Additional info:

Comment 1 Yanqiu Zhang 2019-11-06 06:28:33 UTC
Created attachment 1633189 [details]
libvirtd_qemu_logs

Comment 3 Michal Privoznik 2021-03-01 17:18:12 UTC
Patch proposed upstream:

https://listman.redhat.com/archives/libvir-list/2021-March/msg00030.html

Comment 4 Michal Privoznik 2021-03-02 08:52:49 UTC
Fixed upstream as:

25ebb45a81 qemu_tpm: Generate log file path among with storage path
f9cd29a2e4 qemu_tpm: Move logfile path generation into a separate function

v7.1.0-31-g25ebb45a81

Comment 10 Yanqiu Zhang 2021-06-03 04:07:31 UTC
Verified on :
libvirt-daemon-7.4.0-1.module+el8.5.0+11218+83343022.x86_64
qemu-kvm-6.0.0-17.module+el8.5.0+11173+c9fce0bb.x86_64


Steps:
# virsh start vm-uefi 
Domain 'vm-uefi' started

    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>

# ps aux|grep swtpm
tss         2571  0.1  0.0  23568  3504 ?        Ss   23:31   0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/run/libvirt/qemu/swtpm/1-vm-uefi-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/bc038221-2b87-4248-b8f2-9f04d29e3285/tpm2,mode=0600 --log file=/var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log --tpm2 --pid file=/run/libvirt/qemu/swtpm/1-vm-uefi-swtpm.pid

# ll -Z /var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log 
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c357,c483 3379 Jun  2 23:25 /var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log

# getfattr -m trusted.libvirt.security -d /var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log 
getfattr: Removing leading '/' from absolute path names
# file: var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="system_u:object_r:virt_log_t:s0"
trusted.libvirt.security.timestamp_selinux="1622676624"

# systemctl restart libvirtd

No change for above 3 checkpoints.

# virsh destroy vm-uefi
Domain 'vm-uefi' destroyed

# ps aux|grep swtpm
(nothing)

# ll -Z /var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log 
-rw-r--r--. 1 tss tss system_u:object_r:virt_log_t:s0 3379 Jun  2 23:25 /var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log

# getfattr -m trusted.libvirt.security -d /var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log 
(nothing)

# virsh start vm-uefi 
Domain 'vm-uefi' started

Log in to the guest; the TPM device works well.
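The following is an editor-added worked example, not code from the report, from libvirt or from swtpm. It parses the `getfattr` and `ll -Z` output shown in the description and the verification above and classifies the file's state; the classification rules (refcount zero means nothing is remembered, refcount above zero with no running domain means the restore step was skipped) are an assumption inferred from the report about how libvirt's remember_owner bookkeeping is meant to behave. The sample output is constructed from the report's step 3.

```python
import re

XATTR_PREFIX = "trusted.libvirt.security."

# Constructed from the report's step-3 output: the domain was destroyed,
# but the remembered-label xattrs and the svirt_image_t label remain.
GETFATTR_OUTPUT = """getfattr: Removing leading '/' from absolute path names
# file: var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="system_u:object_r:var_log_t:s0"
trusted.libvirt.security.timestamp_selinux="1572842526"
"""
LS_Z_OUTPUT = ("-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c85,c505 "
               "17705 Aug 21 07:56 /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log")


def parse_getfattr(output):
    """Map each xattr name (prefix stripped) to its quoted value."""
    attrs = {}
    for line in output.splitlines():
        m = re.match(r'^(trusted\.libvirt\.security\.\w+)="(.*)"$', line.strip())
        if m:
            attrs[m.group(1)[len(XATTR_PREFIX):]] = m.group(2)
    return attrs


def current_label(ls_z_line):
    """The SELinux context is the 5th whitespace-separated field of `ll -Z`."""
    return ls_z_line.split()[4]


def classify(attrs, label, domain_running):
    """Assumed rules: is the remembered label consistent with the domain state?"""
    refs = int(attrs.get("ref_selinux", "0"))
    remembered = attrs.get("selinux")
    if refs == 0:
        return "clean"            # nothing remembered; libvirt holds no claim
    if domain_running:
        return "in-use"           # expected while the domain is running
    if remembered and remembered != label:
        return "stale"            # domain gone, original label never restored
    return "stale-xattr-only"     # label restored but the refcount was left behind


def check(getfattr_output=GETFATTR_OUTPUT, ls_z=LS_Z_OUTPUT, domain_running=False):
    attrs = parse_getfattr(getfattr_output)
    return classify(attrs, current_label(ls_z), domain_running)


if __name__ == "__main__":
    print(check())  # stale
```

A "stale" result on a stopped domain is the condition this bug describes; the verified build leaves the file in the "clean" state (no xattrs, original label restored).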

Comment 12 errata-xmlrpc 2021-11-16 07:49:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (virt:av bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4684

