Description of problem:
Using virt-install without sudo

SELinux is preventing swtpm from 'create' accesses on the sock_file 1-fedora-38-aarch64-swtpm.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that swtpm should be allowed create access on the 1-fedora-38-aarch64-swtpm.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'swtpm' --raw | audit2allow -M my-swtpm
# semodule -X 300 -i my-swtpm.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:svirt_tcg_t:s0:c132,c616
Target Context                unconfined_u:object_r:user_tmp_t:s0
Target Objects                1-fedora-38-aarch64-swtpm.sock [ sock_file ]
Source                        swtpm
Source Path                   swtpm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.22-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.22-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.4.4-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Jul 19 16:32:49 UTC 2023 x86_64
Alert Count                   1
First Seen                    2023-08-02 13:55:11 IDT
Last Seen                     2023-08-02 13:55:11 IDT
Local ID                      2884496f-9391-4881-90c0-6a961693637d

Raw Audit Messages
type=AVC msg=audit(1690973711.553:1024): avc:  denied  { create } for  pid=412610 comm="swtpm" name="1-fedora-38-aarch64-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c132,c616 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0

Hash: swtpm,svirt_tcg_t,user_tmp_t,sock_file,create

Version-Release number of selected component:
selinux-policy-targeted-38.22-1.fc38.noarch

Additional info:
reporter:       libreport-2.17.11
reason:         SELinux is preventing swtpm from 'create' accesses on the sock_file 1-fedora-38-aarch64-swtpm.sock.
package:        selinux-policy-targeted-38.22-1.fc38.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.4.6-200.fc38.x86_64
comment:        Using virt-install without sudo
component:      selinux-policy
Created attachment 1981301 [details] File: description
Created attachment 1981302 [details] File: os_info
Hello, Extra privileges should not be needed for using virtual machines, can you describe your setup or changes?
I'm not sure what is meant by setup. I'm trying to follow the following: https://www.redhat.com/sysadmin/vm-arm64-fedora

I did the following:

[dani@fedora aarch64]$ virt-builder fedora-38 --arch aarch64 --size 10G --root-password password:1
[   3.2] Downloading: http://builder.libguestfs.org/fedora-38-aarch64.xz
[   3.9] Planning how to build this image
[   3.9] Uncompressing
[   6.9] Resizing (using virt-resize) to expand the disk to 10.0G
[  29.9] Opening the new disk
[  35.5] Setting a random seed
[  35.6] Setting passwords
[  36.4] SELinux relabelling
[  44.9] Finishing off
                   Output file: fedora-38.img
                   Output size: 10.0G
                 Output format: raw
            Total usable space: 9.9G
                    Free space: 8.2G (82%)

[dani@fedora aarch64]$ virt-install -v --name fedora-38-aarch64 --ram 4096 --disk path=fedora-38.img,cache=none --nographics --os-variant fedora38 --import --arch aarch64 --vcpus 4

Starting install...
ERROR    operation failed: swtpm died and reported:
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///session start fedora-38-aarch64
otherwise, please restart your installation.

At this point the SELinux alert pops up, consistently.
I hadn't seen this BZ before... I was able to recreate the issue with the following command line on an x86_64 host:

virt-install -v --name fedora-38-aarch64 --ram 4096 --disk path=fedora-38.img,cache=none --nographics --os-variant fedora38 --import --virt-type=qemu --arch aarch64

The problem is that swtpm's SELinux policy was missing the following rules:

allow svirt_tcg_t user_tmp_t:sock_file { create setattr };
allow svirt_tcg_t self:process ptrace;

The observed failures were the following ones:

type=AVC msg=audit(1691788256.413:1014): avc:  denied  { create } for  pid=78085 comm="swtpm" name="1-fedora-38-aarch64-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c549,c979 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1691788256.413:1015): avc:  denied  { setattr } for  pid=78085 comm="swtpm" name="1-fedora-38-aarch64-swtpm.sock" dev="tmpfs" ino=295 scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c549,c979 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1691788638.871:1062): avc:  denied  { ptrace } for  pid=81390 comm="swtpm" scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c8,c265 tcontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c8,c265 tclass=process permissive=1

If you have any comments regarding the PR or test results let me know here: https://github.com/stefanberger/swtpm/pull/813
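The description suggests `ausearch -c 'swtpm' --raw | audit2allow -M my-swtpm`, and comment 7 shows the three raw AVC records and the two allow rules that were missing from swtpm's policy. The example below is an added illustration (not code from swtpm, selinux-policy or audit2allow) that parses those AVC records the same way audit2allow does and emits the merged rules plus a .te module skeleton. The three AVC lines are copied from comment 7 and the single `permissive=0` line from the description; the module name my-swtpm and the simplification of writing `self` whenever source and target type coincide are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed input: the three AVC records quoted in comment 7 (permissive=1).
SAMPLE_AVC = """\
type=AVC msg=audit(1691788256.413:1014): avc:  denied  { create } for  pid=78085 comm="swtpm" name="1-fedora-38-aarch64-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c549,c979 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1691788256.413:1015): avc:  denied  { setattr } for  pid=78085 comm="swtpm" name="1-fedora-38-aarch64-swtpm.sock" dev="tmpfs" ino=295 scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c549,c979 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1691788638.871:1062): avc:  denied  { ptrace } for  pid=81390 comm="swtpm" scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c8,c265 tcontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c8,c265 tclass=process permissive=1
"""

# Constructed input: the single record from the bug description (enforcing mode, permissive=0).
ENFORCING_AVC = """\
type=AVC msg=audit(1690973711.553:1024): avc:  denied  { create } for  pid=412610 comm="swtpm" name="1-fedora-38-aarch64-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c132,c616 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Type field of user:role:type:level; MCS categories (c549,c979) play no part in type rules."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse raw AVC records (as printed by `ausearch --raw`) into dicts; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # e.g. SYSCALL or PATH records interleaved by ausearch
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return denials


def allow_rules(denials):
    """Merge denials into one allow rule per (source type, target, object class)."""
    merged = defaultdict(set)
    for d in denials:
        # Assumption: use `self` when source and target type are identical, as in the ptrace rule above.
        target = "self" if d["stype"] == d["ttype"] else d["ttype"]
        merged[(d["stype"], target, d["tclass"])] |= d["perms"]
    rules = []
    for (stype, target, tclass), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, perm_str))
    return rules


def policy_module(name, denials):
    """Render a .te source in the shape `audit2allow -M NAME` writes (module header, require block, rules)."""
    types = set()
    class_perms = defaultdict(set)
    for d in denials:
        types.update({d["stype"], d["ttype"]})
        class_perms[d["tclass"]] |= d["perms"]
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    for cls, perms in sorted(class_perms.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        lines.append("\tclass %s %s;" % (cls, perm_str))
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module("my-swtpm", parse_avc(SAMPLE_AVC)))
```

Note the `permissive=` field: the description's record was taken in enforcing mode, so only the first denied call (`create`) is logged because swtpm died there, whereas comment 7's records carry `permissive=1` and therefore also show the `setattr` and `ptrace` denials that follow. A local module built only from the enforcing-mode log would fix just the first denial and swtpm would fail again at the next one. Any such module also grants the access to every process running in the svirt_tcg_t domain, not only swtpm, which is why the proper fix landed in swtpm's own policy rather than as a local module.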
FEDORA-2023-264d50ec35 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-264d50ec35
FEDORA-2023-264d50ec35 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-264d50ec35` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-264d50ec35 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-264d50ec35 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.