Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(-dx): Workaround swtpm SELinux issues #764

Merged
merged 7 commits into from
Jan 1, 2024

Conversation

m2Giles
Copy link
Member

@m2Giles m2Giles commented Dec 31, 2023

swtpm has the wrong SELinux labels. You This is a deficiency with the OCI build process for ostree.

Libvirt is shipped with -dx image. This pulls in swtpm. On the discord there has been numerous callouts to issues with swtpm being broken. This should be a sufficient workaround for the time being. Compared to my original implementation, I've changed the binary location from /usr/local/bin to /tmp and using a tmpfile to create the required directory for the swtpm-rootca. swtpm is only 42K and we do not set noexec on tmp.

swtpm has the wrong SELinux labels. You This is a deficiency with the OCI build process for ostree.

Libvirt is shipped with -dx image. This pulls in swtpm. On the discord there has been numerous callouts to issues with swtpm being broken. This should be a sufficient workaround for the time being. Compared to my original implementation, I've changed the binary location from /usr/local/bin to /tmp and using a tmpfile to create the required directory for the swtpm-rootca. swtpm is only 42K and we do not set noexec on tmp.
@m2Giles m2Giles requested a review from castrojo as a code owner December 31, 2023 02:25
Instead of calling a script, we can do everything inside of the systemd oneshot service file. The semanage line appears to not be needed. Since the correct file context already exists.Working out of /tmp doesn't seem to always work and a symlink to /usr/local/bin doesn't resolve it. Instead, use /usr/local/bin directly.

tmpfiles.d is used to copy swtpm into place and make sure that the swtpm-rootca directory exists.

Instead of including a .mount unit for the bind mount, I'm using mount directly and cleaning up. This seemed to result in faster boots than using .mount unit and allows us to clean up the changes in /usr/local/bin.
Instead of calling a script, we can do everything inside of the systemd oneshot service file. The semanage line appears to not be needed. Since the correct file context already exists.Working out of /tmp doesn't seem to always work and a symlink to /usr/local/bin doesn't resolve it. Instead, use /usr/local/bin directly.

tmpfiles.d is used to copy swtpm into place and make sure that the swtpm-localca directory exists and is owned by user tss.

Instead of including a .mount unit for the bind mount, I'm using mount directly and cleaning up. This seemed to result in faster boots than using .mount unit and allows us to clean up the changes in /usr/local/bin.
@m2Giles
Copy link
Member Author

m2Giles commented Dec 31, 2023

Instead of calling a script, we can do everything just in the oneshot. We can also clean up after ourselves with ExecStop lines. Instead of using a .mount file, I call mount directly in the unit file. This "works" but a mount file would be better but seemed to slow down boot for some odd reason and makes it so we can't as easily clean up after ourselves. Additionally use tmpfiles.d to create a copy in the beginning and make sure that /var/lib/swtpm-localca exists and is owned by tss.

Additionally, using /tmp doesn't seem to work consistently so placed back in /usr/local/bin. I prefixed the binary with a . to help avoid a name collision and clean it up when the service exits.

bketelsen
bketelsen previously approved these changes Jan 1, 2024
Copy link
Member

@bketelsen bketelsen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

YOLO

@bketelsen bketelsen added this pull request to the merge queue Jan 1, 2024
Merged via the queue into ublue-os:main with commit f8dabd4 Jan 1, 2024
34 checks passed
wizzywizard65 pushed a commit to wizzywizard65/bluefin that referenced this pull request Jan 2, 2024
@m2Giles m2Giles deleted the SELinux-workarounds branch January 2, 2024 14:42
awesomekyle pushed a commit to awesomekyle/bluefin that referenced this pull request Apr 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants