Bug 2307853 - SELinux denials re swtpm and files in /var/log/swtpm/libvirt/qemu/
Summary: SELinux denials re swtpm and files in /var/log/swtpm/libvirt/qemu/
Keywords:
Status: CLOSED DUPLICATE of bug 2265346
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 41
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: CockpitTest
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-08-26 10:16 UTC by Marius Vollmer
Modified: 2025-03-31 05:44 UTC (History)
12 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2025-03-31 05:44:59 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Marius Vollmer 2024-08-26 10:16:26 UTC 
libvirt-daemon-driver-qemu-10.6.0-1.fc41.x86_64
selinux-policy-41.14-1.fc41.noarch

We are seeing this in the journal when one of our integration tests fails:

audit[6927]: AVC avc:  denied  { open } for  pid=6927 comm="swtpm" path="/var/log/swtpm/libvirt/qemu/VmNotInstalled-swtpm.log" dev="vda4" ino=127316 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:virt_log_t:s0 tclass=file permissive=0
virtqemud[849]: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/VmNotInstalled-swtpm.log' for details.

setroubleshoot[4834]: SELinux is preventing swtpm from open access on the file /var/log/swtpm/libvirt/qemu/VmNotInstalled-swtpm.log. For complete SELinux messages run: sealert -l f4fb1e0e-4b5d-4c95-bff0-88259c09af62
setroubleshoot[4834]: SELinux is preventing swtpm from open access on the file /var/log/swtpm/libvirt/qemu/VmNotInstalled-swtpm.log.
                      
                      *****  Plugin restorecon (99.5 confidence) suggests   ************************
                      
                      If you want to fix the label. 
                      /var/log/swtpm/libvirt/qemu/VmNotInstalled-swtpm.log default label should be var_log_t.
                      Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
                      Do
                      # /sbin/restorecon -v /var/log/swtpm/libvirt/qemu/VmNotInstalled-swtpm.log
                      
                      *****  Plugin catchall (1.49 confidence) suggests   **************************
                      
                      If you believe that swtpm should be allowed open access on the VmNotInstalled-swtpm.log file by default.
                      Then you should report this as a bug.
                      You can generate a local policy module to allow this access.
                      Do
                      allow this access for now by executing:
                      # ausearch -c 'swtpm' --raw | audit2allow -M my-swtpm
                      # semodule -X 300 -i my-swtpm.pp



However, right after this, we also see:

audit[6928]: AVC avc:  denied  { relabelfrom } for  pid=6928 comm="rpc-virtqemud" name="VmNotInstalled-swtpm.log" dev="vda4" ino=127316 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:virt_log_t:s0 tclass=file permissive=1

setroubleshoot[4834]: SELinux is preventing rpc-virtqemud from relabelfrom access on the file VmNotInstalled-swtpm.log. For complete SELinux messages run: sealert -l 2ed453d5-2d55-4a33-b9ba-3556f3c68dad
setroubleshoot[4834]: SELinux is preventing rpc-virtqemud from relabelfrom access on the file VmNotInstalled-swtpm.log.
                                                               
                      *****  Plugin catchall (100. confidence) suggests   **************************
                      
                      If you believe that rpc-virtqemud should be allowed relabelfrom access on the VmNotInstalled-swtpm.log file by default.
                      Then you should report this as a bug.
                      You can generate a local policy module to allow this access.
                      Do
                      allow this access for now by executing:
                      # ausearch -c 'rpc-virtqemud' --raw | audit2allow -M my-rpcvirtqemud
                      # semodule -X 300 -i my-rpcvirtqemud.pp

Note the "permissive=1" in the audit log.

In fact:

# ls -Z /var/log/swtpm/libvirt/qemu/VmNotInstalled-swtpm.log
system_u:object_r:var_log_t:s0 /var/log/swtpm/libvirt/qemu/VmNotInstalled-swtpm.log

And even more interestingly, a second run of the test in the same machine will succeed.

So this looks like rpc-virtqemud is relabeling the log file (and switches selinux off for that?), but does it too late.

Thus, I open this bug in libvirt. If you feel this is a policy bug, please reassign to selinux.


Reproducible: Always
Comment 1 Martin Jackson 2024-11-21 12:00:23 UTC 
I also hit this problem while provisioning UEFI-based VMs. I was able to work around it by creating my own semodule, but it would be great to see a proper fix upstream.
Comment 2 nh 2025-02-22 12:20:37 UTC 
Hello,

It seems the problem I have is the same / similar:

Steps to reproduce:
- Install Fedora server 41 on bare metal using "Fedora-Server-netinst-x86_64-41-1.4.iso"
- Log-in to server cockpit GUI "192.168.x.x:9090"
- Install cockpit-machines
- reboot
- Log-in to server cockpit GUI "192.168.x.x:9090"
- go to terminal tab
- cd /var/lib/libvirt/images
- sudo wget https://download.fedoraproject.org/pub/fedora/linux/releases/41/Server/x86_64/iso/Fedora-Server-netinst-x86_64-41-1.4.iso
- sudo wget https://download.truenas.com/TrueNAS-SCALE-ElectricEel/24.10.0.2/TrueNAS-SCALE-24.10.0.2.iso
- go to virtual machines tab
- click "Create VM":
 - Name: fedora-server-41-base
 - Installation type: "Local install media (ISO image or distro install tree"
 - Installation source: /var/lib/libvirt/images/Fedora-Server-netinst-x86_64-41-1.4.iso
 - Operating system: "Fedora Linux 41"
 - Storage: Create new qcow2 volume
 - Storage limit: 20GB
 - Memory: 4GB
- click "Create and edit"
 - in Overview, Firmware: select UEFI and save
- click install

Expected result:
- VM boots into fedora installer

Actual result:
- Error message: VM fedora-server-41-base failed to get installed 
ERROR internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/fedora-server-41-base-swtpm.log' for details. Domain installation does not appear to have been successful. If it was, you can restart your domain by running: virsh --connect qemu:///system start fedora-server-41-base otherwise, please restart your installation. Command '['virt-install', '--connect', 'qemu:///system', '--quiet', '--os-variant', 'fedora41', '--reinstall', 'fedora-server-41-base', '--wait', '-1', '--noautoconsole', '--cdrom', '/var/lib/libvirt/images/Fedora-Server-netinst-x86_64-41-1.4.iso']' returned non-zero exit status 1.

- $ sudo cat /var/log/swtpm/libvirt/qemu/fedora-server-41-base-swtpm.log
  swtpm at /usr/bin/swtpm does not support TPM 2

- SELinux is preventing swtpm from open access on the file /var/log/swtpm/libvirt/qemu/fedora-server-41-base-swtpm.log.


If I do the same steps with BIOS firmware setting, I can install fedora 41 server VM and TrueNAS SCALE VM without hickups.

If I do the same steps under fedora server 42, installing a fedora 41 server VM in UEFI works, but the TrueNAS SCALE 24.10.0.2 still fails.

I've tried fedora 42 for this because I stumbled upon theses similar issues, that got me thinking that libvirt 11.0.0 (present in f42 but not f41) could have solved the problem, but it does not completely:
- https://github.com/virt-manager/virt-manager/issues/819
- https://issues.redhat.com/browse/RHEL-69774
- https://gitlab.com/libvirt/libvirt/-/commit/81da7a2c2a2d490cddaaa77d3e3b36e210b38bd7

with help on Ask-fedora and applying the proposed solutions from SELinux tab in cockpit i could get past the error message, but then the VM starts and is not able to find the .iso file.
Comment 3 nh 2025-02-28 16:34:50 UTC 
This update: https://bodhi.fedoraproject.org/updates/FEDORA-2025-1c1946f65f from this bug: https://bugzilla.redhat.com/show_bug.cgi?id=2278123 solved it for me.

In the mean time I found out that my problem with TrueNAS VM is only partially related and a Problem with TrueNAS / Debian and not Fedora.
Comment 4 Martin Pitt 2025-03-31 05:44:59 UTC 
Our automatic tracker in https://github.com/cockpit-project/bots/issues/6792 hasn't seen this any more in the last three weeks. Let's call it a duplicate of #2265346

*** This bug has been marked as a duplicate of bug 2265346 ***
Note You need to log in before you can comment on or make changes to this bug.