Description of problem:
The security context of swtpm.log isn't restored after destroying the VM if libvirtd is restarted while the VM is running. This only happens when remember_owner = 1.

Version-Release number of selected component (if applicable):
libvirt-5.6.0-7.module+el8.1.1+4483+2f45aaa2.x86_64
qemu-kvm-4.1.0-13.module+el8.1.0+4313+ef76ec61.x86_64
selinux-policy-3.14.3-18.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. Start a guest with a vTPM device, then check the swtpm process and log file:

# virsh start rhel8.1-ovmf
Domain rhel8.1-ovmf started

<tpm model='tpm-crb'>
  <backend type='emulator' version='2.0'/>
</tpm>

# ps aux|grep swtpm
tss 535 0.1 0.0 20976 2880 ? Ss 08:55 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/19-rhel8.1-ovmf-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/0572326a-499d-407e-8d4a-2a8e974c9496/tpm2,mode=0600 --log file=/var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log --tpm2 --pid file=/var/run/libvirt/qemu/swtpm/19-rhel8.1-ovmf-swtpm.pid

# ll -Z /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c85,c505 17705 Aug 21 07:56 /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log

# getfattr -m trusted.libvirt.security -d /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
getfattr: Removing leading '/' from absolute path names
# file: var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="system_u:object_r:var_log_t:s0"
trusted.libvirt.security.timestamp_selinux="1572842526"

2. Restart libvirtd and check swtpm again:

# ps aux|grep swtpm
tss 535 0.0 0.0 21252 2880 ? Ss 08:55 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/var/run/libvirt/qemu/swtpm/19-rhel8.1-ovmf-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/0572326a-499d-407e-8d4a-2a8e974c9496/tpm2,mode=0600 --log file=/var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log --tpm2 --pid file=/var/run/libvirt/qemu/swtpm/19-rhel8.1-ovmf-swtpm.pid

# ll -Z /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c85,c505 17705 Aug 21 07:56 /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log

# getfattr -m trusted.libvirt.security -d /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
getfattr: Removing leading '/' from absolute path names
# file: var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="system_u:object_r:var_log_t:s0"
trusted.libvirt.security.timestamp_selinux="1572842526"

3. Destroy the VM and check swtpm again:

# virsh destroy rhel8.1-ovmf
Domain rhel8.1-ovmf destroyed

# ps aux|grep swtpm
(nothing)

# ll -Z /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c85,c505 17705 Aug 21 07:56 /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log

# getfattr -m trusted.libvirt.security -d /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
getfattr: Removing leading '/' from absolute path names
# file: var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="system_u:object_r:var_log_t:s0"
trusted.libvirt.security.timestamp_selinux="1572842526"

4. Try to start the VM:

# virsh start rhel8.1-ovmf
error: Failed to start domain rhel8.1-ovmf
error: internal error: child reported (status=125): Requested operation is not valid: Setting different SELinux label on /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log which is already in use

# getfattr -m trusted.libvirt.security -d /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
(nothing)

# ll -Z /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:var_log_t:s0 17705 Aug 21 07:56 /var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log

# virsh start rhel8.1-ovmf
Domain rhel8.1-ovmf started

Actual results:
1. As in step 3, the security context of swtpm.log isn't restored after destroying the VM if libvirtd was restarted while the VM was running, and the info stored in the xattrs isn't cleared.
2. In step 4, the next start of the VM fails due to the SELinux label error.

Expected results:
The security context of swtpm.log should be restored to system_u:object_r:var_log_t:s0 after the VM is destroyed.

Additional info:
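The following is an added example, not libvirt code and not part of this bug report. It models the remember_owner bookkeeping the report shows (the original context saved in trusted.libvirt.security.selinux, a user count in trusted.libvirt.security.ref_selinux, and a timestamp), reproduces the failure sequence from steps 3 and 4 in memory, and parses `ll -Z` / `getfattr -d` output to flag a log file that still carries a remembered label with nothing using it. The in-memory dict standing in for the file's xattrs, the timestamp value and the second domain's MCS categories are constructed; libvirt's rollback after the failed start (which, per step 4, removes the xattrs) is not modelled.

```python
import re

# xattr names as shown by getfattr in the report
XATTR_LABEL = "trusted.libvirt.security.selinux"
XATTR_REF = "trusted.libvirt.security.ref_selinux"
XATTR_TS = "trusted.libvirt.security.timestamp_selinux"


class LabelInUseError(Exception):
    """Mirrors 'Setting different SELinux label on ... which is already in use'."""


class RememberedFile:
    """One file: its current SELinux context plus the trusted.libvirt.security.* xattrs.
    The xattrs dict is a stand-in for real extended attributes (assumption)."""

    def __init__(self, path, label):
        self.path = path
        self.label = label
        self.xattrs = {}

    def set_label(self, new_label, timestamp="1572842526"):
        """Label the file for a starting domain (remember_owner=1 semantics)."""
        if XATTR_REF not in self.xattrs:
            # First user: remember the pre-existing context so it can be put back later.
            self.xattrs[XATTR_LABEL] = self.label
            self.xattrs[XATTR_REF] = "1"
            self.xattrs[XATTR_TS] = timestamp  # constructed value
        elif self.label != new_label:
            # Another user still holds the file under a different context: refuse.
            raise LabelInUseError(
                f"Setting different SELinux label on {self.path} which is already in use")
        else:
            self.xattrs[XATTR_REF] = str(int(self.xattrs[XATTR_REF]) + 1)
        self.label = new_label

    def restore_label(self):
        """Release the file when a domain stops using it."""
        if XATTR_REF not in self.xattrs:
            return
        ref = int(self.xattrs[XATTR_REF]) - 1
        if ref > 0:
            self.xattrs[XATTR_REF] = str(ref)
            return
        # Last user gone: put the remembered context back and drop the bookkeeping.
        self.label = self.xattrs.pop(XATTR_LABEL)
        del self.xattrs[XATTR_REF]
        self.xattrs.pop(XATTR_TS, None)


def run_domain_lifecycle(restore_on_destroy):
    """Start, destroy, start again. restore_on_destroy=False models the bug: the
    restore step is skipped after the libvirtd restart, so the next start fails."""
    log = RememberedFile("/var/log/swtpm/libvirt/qemu/rhel8.1-ovmf-swtpm.log",
                         "system_u:object_r:var_log_t:s0")
    log.set_label("system_u:object_r:svirt_image_t:s0:c85,c505")
    if restore_on_destroy:
        log.restore_label()
    try:
        # The next start picks fresh MCS categories (constructed), so the label differs.
        log.set_label("system_u:object_r:svirt_image_t:s0:c12,c902")
    except LabelInUseError as exc:
        return "failed", str(exc), dict(log.xattrs)
    return "started", log.label, dict(log.xattrs)


_GETFATTR_RE = re.compile(r'^(trusted\.libvirt\.security\.\w+)="([^"]*)"$')


def parse_getfattr(output):
    """Parse `getfattr -m trusted.libvirt.security -d FILE` output into a dict."""
    attrs = {}
    for line in output.splitlines():
        m = _GETFATTR_RE.match(line.strip())
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def context_from_ls_z(line):
    """Pull the SELinux context (5th column) out of an `ll -Z` long-listing line."""
    return line.split()[4]


def label_is_stale(ls_z_line, getfattr_output, in_use):
    """True when the file still carries a remembered label although nothing uses it,
    i.e. the step-3 state from the report."""
    attrs = parse_getfattr(getfattr_output)
    if in_use or XATTR_REF not in attrs:
        return False
    return context_from_ls_z(ls_z_line) != attrs.get(XATTR_LABEL)


if __name__ == "__main__":
    print(run_domain_lifecycle(restore_on_destroy=True)[0])   # started
    print(run_domain_lifecycle(restore_on_destroy=False)[0])  # failed
```

On a real host the two parsers can be fed the output of `ll -Z` and `getfattr -m trusted.libvirt.security -d` for each file under /var/log/swtpm/libvirt/qemu/ with `in_use` taken from whether an swtpm process references that log, which turns the manual checks in steps 3 and 4 into a one-shot audit for leftover labels.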
Created attachment 1633189 [details] libvirtd_qemu_logs
Patch proposed upstream: https://listman.redhat.com/archives/libvir-list/2021-March/msg00030.html
Fixed upstream as:
25ebb45a81 qemu_tpm: Generate log file path among with storage path
f9cd29a2e4 qemu_tpm: Move logfile path generation into a separate function
v7.1.0-31-g25ebb45a81
Verified on:
libvirt-daemon-7.4.0-1.module+el8.5.0+11218+83343022.x86_64
qemu-kvm-6.0.0-17.module+el8.5.0+11173+c9fce0bb.x86_64

Steps:

# virsh start vm-uefi
Domain 'vm-uefi' started

<tpm model='tpm-crb'>
  <backend type='emulator' version='2.0'/>
</tpm>

# ps aux|grep swtpm
tss 2571 0.1 0.0 23568 3504 ? Ss 23:31 0:00 /usr/bin/swtpm socket --daemon --ctrl type=unixio,path=/run/libvirt/qemu/swtpm/1-vm-uefi-swtpm.sock,mode=0600 --tpmstate dir=/var/lib/libvirt/swtpm/bc038221-2b87-4248-b8f2-9f04d29e3285/tpm2,mode=0600 --log file=/var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log --tpm2 --pid file=/run/libvirt/qemu/swtpm/1-vm-uefi-swtpm.pid

# ll -Z /var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:svirt_image_t:s0:c357,c483 3379 Jun 2 23:25 /var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log

# getfattr -m trusted.libvirt.security -d /var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log
getfattr: Removing leading '/' from absolute path names
# file: var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log
trusted.libvirt.security.ref_selinux="1"
trusted.libvirt.security.selinux="system_u:object_r:virt_log_t:s0"
trusted.libvirt.security.timestamp_selinux="1622676624"

# systemctl restart libvirtd
No change for the above 3 checkpoints.

# virsh destroy vm-uefi
Domain 'vm-uefi' destroyed

# ps aux|grep swtpm
(nothing)

# ll -Z /var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log
-rw-r--r--. 1 tss tss system_u:object_r:virt_log_t:s0 3379 Jun 2 23:25 /var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log

# getfattr -m trusted.libvirt.security -d /var/log/swtpm/libvirt/qemu/vm-uefi-swtpm.log
(nothing)

# virsh start vm-uefi
Domain 'vm-uefi' started

Logged into the guest; the TPM device works well.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:av bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4684