fix(-dx): Workaround swtpm SELinux issues #764
swtpm has the wrong SELinux labels. This is a deficiency with the OCI build process for ostree. Libvirt is shipped with the -dx image. This pulls in swtpm. On the Discord there have been numerous callouts to issues with swtpm being broken. This should be a sufficient workaround for the time being. Compared to my original implementation, I've changed the binary location from /usr/local/bin to /tmp and use a tmpfile to create the required directory for the swtpm-rootca. swtpm is only 42K and we do not set noexec on tmp.
Instead of calling a script, we can do everything inside of the systemd oneshot service file. The semanage line appears not to be needed, since the correct file context already exists. Working out of /tmp doesn't seem to always work, and a symlink to /usr/local/bin doesn't resolve it. Instead, use /usr/local/bin directly. tmpfiles.d is used to copy swtpm into place and make sure that the swtpm-localca directory exists and is owned by user tss. Instead of including a .mount unit for the bind mount, I'm using mount directly and cleaning up. This seemed to result in faster boots than using a .mount unit and allows us to clean up the changes in /usr/local/bin.
Instead of calling a script, we can do everything just in the oneshot. We can also clean up after ourselves with ExecStop lines. Instead of using a .mount file, I call mount directly in the unit file. This "works"; a .mount file would be better, but it seemed to slow down boot for some odd reason and makes it so we can't as easily clean up after ourselves. Additionally, I use tmpfiles.d to create a copy in the beginning and make sure that /var/lib/swtpm-localca exists and is owned by tss. Also, using /tmp doesn't seem to work consistently, so I placed the binary back in /usr/local/bin. I prefixed the binary with a . to help avoid a name collision, and clean it up when the service exits.
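The shape of the workaround the description above lays out, written out as an added illustration. This is not the PR's actual tmpfiles.d entry or unit file; it is a reconstruction from the comment. The file names, the unit ordering, the use of the tmpfiles.d `C` line for the copy, and the choice of /usr/bin/swtpm as the bind-mount target are all assumptions; the real PR may differ in any of them.

```ini
# /usr/lib/tmpfiles.d/swtpm-workaround.conf   (file name is an assumption)
#
# Copy swtpm to a dot-prefixed name under /usr/local/bin. systemd-tmpfiles
# labels files it creates from the SELinux file-context database, so the copy
# gets the context that /usr/local/bin is supposed to carry rather than the
# mislabeled one the original has after the ostree OCI build.
# Source path /usr/bin/swtpm is an assumption.
C /usr/local/bin/.swtpm - - - - /usr/bin/swtpm
# Make sure the localca state directory exists and belongs to user tss.
d /var/lib/swtpm-localca 0750 tss tss -

# /usr/lib/systemd/system/swtpm-workaround.service   (unit name is an assumption)
[Unit]
Description=Workaround for mislabeled swtpm binary
# Run after tmpfiles has created the copy and before libvirt needs swtpm.
After=systemd-tmpfiles-setup.service
Before=libvirtd.service

[Service]
Type=oneshot
# Keep the unit "active" so the ExecStop lines run on stop/shutdown.
RemainAfterExit=yes
# Bind mount the correctly labeled copy over the mislabeled original
# (mount called directly rather than via a .mount unit, as the comment says).
# /usr/bin/swtpm as the mount target is an assumption.
ExecStart=/usr/bin/mount --bind /usr/local/bin/.swtpm /usr/bin/swtpm
# Clean up after ourselves: drop the bind mount and remove the copy.
ExecStop=/usr/bin/umount /usr/bin/swtpm
ExecStop=/usr/bin/rm -f /usr/local/bin/.swtpm

[Install]
WantedBy=multi-user.target
```

To check that the workaround took effect, compare `ls -Z /usr/bin/swtpm` before and after the unit is started; the label shown after the bind mount is the one on the copy, not on the original inode, and `findmnt /usr/bin/swtpm` should list the bind mount while the unit is active.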
YOLO
Co-authored-by: Brian Ketelsen <[email protected]>