SELinux: allow to map state file

Specify vtpm state to a file instead of dir: <tpm model="tpm-crb"> <backend type="emulator" version="2.0"> <source type="file" path="/var/lib/libvirt/swtpm/mytest/mytpm2-00.permall"/> </backend> </tpm> $ virsh start avocado-vt-vm1 error: Failed to start domain 'avocado-vt-vm1' error: internal error: Could not run '/usr/bin/swtpm_setup'. exitstatus: 1; Check error log '/var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log' for details. $ cat /var/log/swtpm/libvirt/qemu/avocado-vt-vm1-swtpm.log SWTPM_NVRAM_LinearFile_Mmap: Could not mmap file: Permission denied /usr/bin/swtpm exit with status 256: $ ausearch -m avc ---- time->Thu Dec 12 08:43:07 2024 type=PROCTITLE msg=audit(1734010987.020:1455): proctitle=2F7573722F62696E2F737774706D00736F636B6574002D2D7072696E742D737461746573002D2D74706D7374617465006261636B656E642D7572693D66696C653A2F2F2F7661722F6C69622F6C6962766972742F737774706D2F6D79746573742F6D7974706D322D30302E7065726D616C6C002D2D74706D32002D2D6C6F67 type=SYSCALL msg=audit(1734010987.020:1455): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=c0 a2=3 a3=1 items=0 ppid=22547 pid=22549 auid=4294967295 uid=59 gid=59 euid=59 suid=59 fsuid=59 egid=59 sgid=59 fsgid=59 tty=(none) ses=4294967295 comm="swtpm" exe="/usr/bin/swtpm" subj=system_u:system_r:swtpm_t:s0 key=(null) type=AVC msg=audit(1734010987.020:1455): avc: denied { map } for pid=22549 comm="swtpm" path="/var/lib/libvirt/swtpm/mytest/mytpm2-00.permall" dev="dm-0" ino=202744025 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:virt_var_lib_t:s0 tclass=file permissive=0 Resolves: https://issues.redhat.com/browse/RHEL-70835 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
stefanberger · Jan 20, 2025 · 736713c · 736713c
1 parent 71f6818
commit 736713c
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/selinux/swtpm.te b/src/selinux/swtpm.te
@@ -12,6 +12,7 @@ require {
 	type virt_var_lib_t;
 	type virtqemud_t;
 	type virtqemud_tmp_t;
+	class file map;
 }
 
 attribute_role swtpm_roles;
@@ -31,7 +32,7 @@ allow swtpm_t qemu_var_run_t:dir { add_name remove_name write };
 allow swtpm_t qemu_var_run_t:sock_file { create setattr unlink };
 allow swtpm_t var_log_t:file open;
 allow swtpm_t virt_var_lib_t:dir { add_name remove_name write };
-allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write };
+allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write map };
 allow swtpm_t virtqemud_t:unix_stream_socket { read write getattr };
 allow swtpm_t virtqemud_tmp_t:file { open write };
 allow swtpm_t svirt_image_t:file { open append };  # BZ2306817