I am trying to run virt-install to create a VM and when doing so I receive an error:

$ virt-install --import --name fedora-riscv --osinfo fedora40 --arch riscv64 --vcpus 4 --ram 4096 --boot uefi,kernel=/home/jason/.local/share/libvirt/images/vmlinuz-6.8.7-300.4.riscv64.fc40.riscv64,initrd=/home/jason/.local/share/libvirt/images/initramfs-6.8.7-300.4.riscv64.fc40.riscv64.img,cmdline='root=UUID=ae525e47-51d5-4c98-8442-351d530612c3 ro rootflags=subvol=root rhgb LANG=en_US.UTF-8 console=ttyS0 earlycon=sbi' --disk path=/home/jason/.local/share/libvirt/images/Fedora-Minimal-40-20240502.n.0-sda.raw --network default --graphics none

Starting install...
ERROR    operation failed: swtpm died and reported:
Domain installation does not appear to have been successful.
If it was, you can restart your domain by running:
  virsh --connect qemu:///session start fedora-riscv
otherwise, please restart your installation.

The following AVC is captured in /var/log/audit/audit.log:

type=AVC msg=audit(1717038227.573:350): avc:  denied  { create } for  pid=8100 comm="swtpm" name="2-fedora-riscv-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c198,c627 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0

This occurs with current stable:
swtpm-libs-0.8.1-11.fc40.x86_64
swtpm-0.8.1-11.fc40.x86_64
swtpm-selinux-0.8.1-11.fc40.noarch
swtpm-tools-0.8.1-11.fc40.x86_64

And these from testing:
swtpm-libs-0.8.1-12.fc40.x86_64
swtpm-0.8.1-12.fc40.x86_64
swtpm-selinux-0.8.1-12.fc40.noarch
swtpm-tools-0.8.1-12.fc40.x86_64

If I downgrade to these I can create the VM as expected:
swtpm-libs-0.8.1-5.fc40.x86_64
swtpm-0.8.1-5.fc40.x86_64
swtpm-selinux-0.8.1-5.fc40.noarch
swtpm-tools-0.8.1-5.fc40.x86_64

Reproducible: Always

Steps to Reproduce:
1. Follow the instructions at https://fedoraproject.org/wiki/Architectures/RISC-V/Installing

Actual Results:
SELinux denial causes the process to fail

Expected Results:
The VM launches

It looks like virt-install is creating the VM with a TPM v1.2. I have other existing x86_64 VMs with TPM v2.0 that boot OK. Even after install, if I upgrade the packages the VM fails to start. If I remove the TPM device it also boots fine.
When using KVM the swtpm process runs with this context:

unconfined_u:unconfined_r:svirt_t:s0:c742,c785 jason 435229 1 0 11:50 ? 00:00:00 /usr/bin/swtpm ...

When using TCG:

unconfined_u:unconfined_r:svirt_tcg_t:s0:c594,c840 jason 429774 1 0 11:47 ? 00:00:00 /usr/bin/swtpm ...

And access for this was removed from the policy recently:
https://src.fedoraproject.org/rpms/swtpm/blob/rawhide/f/0001-selinux-Redevelop-SELinux-policy-for-Fedora-40-ditch.patch#_230
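The AVC record above reads as "domain svirt_tcg_t was refused the create permission on a sock_file object labelled user_tmp_t". The following script is an added example, not code from this bug report, swtpm, libvirt or the Fedora policy: it parses such an AVC line and emits the TE allow rule and a local policy module source for it, i.e. what `audit2allow -M` would generate, which is the usual stop-gap while a package's policy is being fixed. The sample input is the AVC line quoted in the report, and the module name swtpm_local is an arbitrary assumption.

```shell
#!/bin/sh
# Added example for this bug report; not code from swtpm or the Fedora
# SELinux policy. Turns an AVC denial record into the TE rule / local
# policy module that would satisfy it (a minimal stand-in for audit2allow).

# Constructed sample input: the AVC line quoted in the bug report.
SAMPLE_AVC='type=AVC msg=audit(1717038227.573:350): avc:  denied  { create } for  pid=8100 comm="swtpm" name="2-fedora-riscv-swtpm.sock" scontext=unconfined_u:unconfined_r:svirt_tcg_t:s0:c198,c627 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0'

# avc_field LINE KEY: print the value of "KEY=value" in the AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\\([^[:space:]]*\\).*/\\1/p"
}

# context_type CONTEXT: the type component of a user:role:type:level label.
# MCS categories (c198,c627 above) are per guest and are not part of the
# type rule; they keep one guest's swtpm socket separate from another's.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permission set between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# avc_to_allow LINE: the TE allow rule that would satisfy the denial.
avc_to_allow() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_to_te NAME LINE: complete local policy module source (.te) for the
# denial; NAME is the module name (swtpm_local below is an assumption).
avc_to_te() {
    src=$(context_type "$(avc_field "$2" scontext)")
    tgt=$(context_type "$(avc_field "$2" tcontext)")
    cls=$(avc_field "$2" tclass)
    perms=$(avc_perms "$2")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' \
        "$1" "$src" "$tgt" "$cls" "$perms"
    avc_to_allow "$2"
}

# Stand-alone run: show the rule, then the module source that audit2allow
# would write to swtpm_local.te (redirect to a file to build it).
avc_to_allow "$SAMPLE_AVC"
avc_to_te swtpm_local "$SAMPLE_AVC"
```

On a real system the same result comes from `ausearch -m avc -c swtpm | audit2allow -M swtpm_local` followed by `semodule -i swtpm_local.pp`; the generated .te above can also be built by hand with `checkmodule -M -m -o swtpm_local.mod swtpm_local.te`, `semodule_package -o swtpm_local.pp -m swtpm_local.mod` and `semodule -i swtpm_local.pp`. The rule widens svirt_tcg_t, the domain of every TCG-accelerated guest's helper processes, to create sockets anywhere labelled user_tmp_t rather than only under the libvirt runtime directory, so it should be removed with `semodule -r swtpm_local` once the fixed swtpm-selinux package is installed.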
I can confirm adding a patch to add this line back, building, and updating the package allows the VM to start as expected. https://src.fedoraproject.org/rpms/swtpm/blob/rawhide/f/0001-selinux-Redevelop-SELinux-policy-for-Fedora-40-ditch.patch#_230
(In reply to Jason Montleon from comment #2)
> I can confirm adding a patch to add this line back, building, and updating
> the package allows the VM to start as expected.
> https://src.fedoraproject.org/rpms/swtpm/blob/rawhide/f/0001-selinux-
> Redevelop-SELinux-policy-for-Fedora-40-ditch.patch#_230

Thanks, this helps a lot. I will re-add the line.

I had tried it with aarch64 and it worked just fine for me:

# virt-install --import --name fedora-aarch64 --osinfo fedora40 --arch aarch64 --vcpus 4 --ram 1024 --cdrom /home/stefanb/Fedora-Everything-netinst-aarch64-40-1.14.iso --disk path=/home/stefanb/.local/share/libvirt/images/Fedora-Minimal-40-20240502.n.0-sda.raw --network default --graphics none

# ps auxZ | grep swtpm | grep socket
unconfined_u:unconfined_r:svirt_tcg_t:s0:c567,c927 stefanb 11964 0.0 0.3 11064 6572 ? S 14:36 0:00 /usr/bin/swtpm socket --ctrl type=unixio,path=/home/stefanb/.cache/libvirt/qemu/run/swtpm/2-fedora-aarch64-swtpm.sock,mode=0600 --tpmstate dir=/home/stefanb/.config/libvirt/qemu/swtpm/7ee6b4dc-529b-4d0d-8257-f434f6bcdbea/tpm2,mode=0600 --log file=/home/stefanb/.cache/libvirt/qemu/log/fedora-aarch64-swtpm.log --terminate --tpm2
FEDORA-2024-e5bab59c90 (swtpm-0.8.1-13.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-e5bab59c90
FEDORA-2024-e5bab59c90 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-e5bab59c90`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-e5bab59c90

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-e5bab59c90 (swtpm-0.8.1-13.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.