2331316 – TPM-backed instance fails to start after it was stopped because of incorrect label of /run/libvirt/qemu/swtpm/49-instance-ID-swtpm.pid

Bug 2331316 - TPM-backed instance fails to start after it was stopped because of incorrect label of /run/libvirt/qemu/swtpm/49-instance-ID-swtpm.pid

Summary: TPM-backed instance fails to start after it was stopped because of incorrect ...

Keywords:
Status:	CLOSED DUPLICATE of bug 2279464
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-nova
Sub Component:
Version:	17.1 (Wallaby)
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Target Release:	---
Assignee:	OSP DFG:Compute
QA Contact:	OSP DFG:Compute
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-12-10 08:33 UTC by Alex Stupnikov
Modified:	2024-12-11 13:26 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2024-12-11 13:15:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	OSP-33165	0	None	None	None	2024-12-10 08:35:17 UTC

Description Alex Stupnikov 2024-12-10 08:33:21 UTC

Description of problem:
RHOSP 17.1.3 is affected a problem that may become an issue for a very wide audience: after TPM-backed instance is stopped, it is no longer possible to start it because of the following SELinux problem:
type=AVC msg=audit(1733720908.058:231104): avc:  denied  { write } for  pid=197216 comm="swtpm" path="/run/libvirt/qemu/swtpm/49-instance-ID-swtpm.pid" dev="tmpfs" ino=240819 scontext=system_u:system_r:svirt_t:s0:c363,c550 tcontext=system_u:object_r:container_ro_file_t:s0 tclass=file permissive=0

In nova-compute logs I can see error:
2024-12-09 05:08:28.076+0000: 8516: error : qemuTPMEmulatorStart:997 : operation failed: swtpm died and reported: 

In libvirt logs there is an error:
Successfully activated PCR banks sha256 among sha1,sha256,sha384,sha512.
Successfully authored TPM state.
Ending vTPM manufacturing @ Mon 09 Dec 2024 05:08:28 AM UTC
Could not open UnixIO socket: Permission denied


Version-Release number of selected component (if applicable): RHOSP 17.1.3


How reproducible: create TPM-backed instance, stop it and then try to start


Actual results: instance startup is blocked by SELinux


Expected results: instance is started smoothly


Additional info: will be provided privately

Comment 3 Bogdan Dobrelya 2024-12-11 12:29:24 UTC

Fixed for z4

*** This bug has been marked as a duplicate of bug 2122656 ***

Comment 4 Bogdan Dobrelya 2024-12-11 12:48:32 UTC

Sorry, not a duplicate of bug 2122656. The /run/libvirt mounts used by containers already do have :z

Note You need to log in before you can comment on or make changes to this bug.