
fix(-dx): Workaround swtpm SELinux issues #764

Merged
merged 7 commits into from
Jan 1, 2024

Conversation

m2Giles
Member

@m2Giles m2Giles commented Dec 31, 2023

swtpm has the wrong SELinux labels. This is a deficiency with the OCI build process for ostree.

Libvirt is shipped with -dx image. This pulls in swtpm. On the discord there has been numerous callouts to issues with swtpm being broken. This should be a sufficient workaround for the time being. Compared to my original implementation, I've changed the binary location from /usr/local/bin to /tmp and using a tmpfile to create the required directory for the swtpm-rootca. swtpm is only 42K and we do not set noexec on tmp.

Instead of calling a script, we can do everything inside of the systemd oneshot service file. The semanage line appears to not be needed, since the correct file context already exists. Working out of /tmp doesn't seem to always work and a symlink to /usr/local/bin doesn't resolve it. Instead, use /usr/local/bin directly.

tmpfiles.d is used to copy swtpm into place and make sure that the swtpm-rootca directory exists.

Instead of including a .mount unit for the bind mount, I'm using mount directly and cleaning up. This seemed to result in faster boots than using .mount unit and allows us to clean up the changes in /usr/local/bin.

tmpfiles.d is used to copy swtpm into place and make sure that the swtpm-localca directory exists and is owned by user tss.

@m2Giles
Member Author

m2Giles commented Dec 31, 2023

Instead of calling a script, we can do everything just in the oneshot. We can also clean up after ourselves with ExecStop lines. Instead of using a .mount file, I call mount directly in the unit file. This "works" but a mount file would be better but seemed to slow down boot for some odd reason and makes it so we can't as easily clean up after ourselves. Additionally use tmpfiles.d to create a copy in the beginning and make sure that /var/lib/swtpm-localca exists and is owned by tss.

Additionally, using /tmp doesn't seem to work consistently, so I placed it back in /usr/local/bin. I prefixed the binary with a . to help avoid a name collision and clean it up when the service exits.
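The following is an added example, not the unit or tmpfiles fragments from this PR, reconstructing the mechanism the comment above describes: a tmpfiles.d entry copies the binary into /usr/local/bin under a dot-prefixed name and creates /var/lib/swtpm-localca owned by tss, and a oneshot unit bind-mounts that copy over /usr/bin/swtpm, undoing the mount and removing the copy in ExecStop. The file names (swtpm-workaround.conf, swtpm-workaround.service), the copy name /usr/local/bin/.swtpm, the unit ordering and the 0750 directory mode are assumptions. The check function at the end compares a path's actual label with what policy expects, which is the quickest way to confirm the workaround took effect on a booted host.

```shell
#!/bin/sh
# Added example (not the bluefin project's own files): a reconstruction of the
# swtpm SELinux workaround described in the PR, rendered as text so it can be
# reviewed before being installed. Unit/conf/copy names are assumptions.
set -eu

SWTPM_SRC=/usr/bin/swtpm            # binary carrying the wrong label in the image
SWTPM_COPY=/usr/local/bin/.swtpm    # dot-prefixed copy, avoids a name collision
LOCALCA_DIR=/var/lib/swtpm-localca  # must exist and be owned by user tss

# tmpfiles.d fragment: copy the binary early in boot and create the localca dir.
# The copy is a newly created file, so it receives the default label for its
# destination path from the file-context database, which is why no semanage
# call is needed (the correct context for /usr/local/bin already exists).
swtpm_tmpfiles_conf() {
    cat <<EOF
# hypothetical /etc/tmpfiles.d/swtpm-workaround.conf
C $SWTPM_COPY - - - - $SWTPM_SRC
d $LOCALCA_DIR 0750 tss tss -
EOF
}

# Oneshot unit: bind-mount the relabelled copy over the original (works on a
# read-only /usr because a bind mount does not write to the underlying fs)
# and clean up both the mount and the copy when the unit is stopped.
swtpm_unit() {
    cat <<EOF
# hypothetical /etc/systemd/system/swtpm-workaround.service
[Unit]
Description=Bind-mount correctly labelled swtpm over $SWTPM_SRC
After=systemd-tmpfiles-setup.service
Before=libvirtd.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/mount --bind $SWTPM_COPY $SWTPM_SRC
ExecStop=/usr/bin/umount $SWTPM_SRC
ExecStop=/usr/bin/rm -f $SWTPM_COPY

[Install]
WantedBy=multi-user.target
EOF
}

# Write both fragments under a prefix: "" (root) for a real install, or a
# scratch directory when you just want to inspect the result.
install_workaround() {
    prefix=${1:-}
    mkdir -p "$prefix/etc/tmpfiles.d" "$prefix/etc/systemd/system"
    swtpm_tmpfiles_conf > "$prefix/etc/tmpfiles.d/swtpm-workaround.conf"
    swtpm_unit > "$prefix/etc/systemd/system/swtpm-workaround.service"
}

# Does the label a path actually carries match what policy says it should be?
# Returns 0 on a match. Only meaningful on an SELinux host with matchpathcon.
label_matches_policy() {
    path=$1
    actual=$(ls -Z "$path" | awk '{print $1}')
    expected=$(matchpathcon -n "$path")
    [ "$actual" = "$expected" ]
}

# Usage: ./swtpm-workaround.sh --check   (after boot, verifies the bind mount
# presents a correctly labelled binary at /usr/bin/swtpm)
if [ "${1:-}" = "--check" ]; then
    if label_matches_policy "$SWTPM_SRC"; then
        echo "$SWTPM_SRC: label matches policy"
    else
        echo "$SWTPM_SRC: label does NOT match policy"
    fi
fi
```

Because ExecStop removes the copy, the only time a second swtpm binary exists on disk is while the unit is active, and it lives in a root-owned directory under a name that ordinary package installs will not collide with; once the OCI build labels files correctly, dropping both fragments restores the stock layout with nothing left behind.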

bketelsen
bketelsen previously approved these changes Jan 1, 2024
Member

@bketelsen bketelsen left a comment


YOLO

@bketelsen bketelsen added this pull request to the merge queue Jan 1, 2024
Merged via the queue into ublue-os:main with commit f8dabd4 Jan 1, 2024
34 checks passed
wizzywizard65 pushed a commit to wizzywizard65/bluefin that referenced this pull request Jan 2, 2024
@m2Giles m2Giles deleted the SELinux-workarounds branch January 2, 2024 14:42
awesomekyle pushed a commit to awesomekyle/bluefin that referenced this pull request Apr 24, 2024