SELinux: allow to map state file
Specify vtpm state to a file instead of dir:
<tpm model="tpm-crb">
<backend type="emulator" version="2.0">
<source type="file" path="/var/lib/libvirt/swtpm/mytest/mytpm2-00.permall"/>
</backend>
</tpm>
$ virsh start avocado-vt-vm1
error: Failed to start domain 'avocado-vt-vm1'
error: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log' for details.
$ cat /var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log
SWTPM_NVRAM_LinearFile_Mmap: Could not mmap file: Permission denied
/usr/bin/swtpm exit with status 256:
$ ausearch -m avc
----
time->Thu Dec 12 08:43:07 2024
type=PROCTITLE msg=audit(1734010987.020:1455): proctitle=2F7573722F62696E2F737774706D00736F636B6574002D2D7072696E742D737461746573002D2D74706D7374617465006261636B656E642D7572693D66696C653A2F2F2F7661722F6C69622F6C6962766972742F737774706D2F6D79746573742F6D7974706D322D30302E7065726D616C6C002D2D74706D32002D2D6C6F67
type=SYSCALL msg=audit(1734010987.020:1455): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=c0 a2=3 a3=1 items=0 ppid=22547 pid=22549 auid=4294967295 uid=59 gid=59 euid=59 suid=59 fsuid=59 egid=59 sgid=59 fsgid=59 tty=(none) ses=4294967295 comm="swtpm" exe="/usr/bin/swtpm" subj=system_u:system_r:swtpm_t:s0 key=(null)
type=AVC msg=audit(1734010987.020:1455): avc: denied { map } for
pid=22549 comm="swtpm"
path="/var/lib/libvirt/swtpm/mytest/mytpm2-00.permall" dev="dm-0"
ino=202744025 scontext=system_u:system_r:swtpm_t:s0
tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=0
Resolves: https://issues.redhat.com/browse/RHEL-70835
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
1 file changed
