Unable to create new virt-manager vm with software TPM on Fedora 40

Hi,
Using swtpm 0.9.0 and Fedora 40, the issue seems to happen for me too. I can neither create a new swtpm VM nor start an existing one. swtpm logs show "hmac verification failed", but the journal shows AVC denials; I’m not really good at all this/using ausearch.
Using setenforce 0 makes it work.

I am also running into this issue. Cannot create a VM with a TPM.

swtpm-0.9.0-1.fc40.x86_64
selinux-policy-40.27-1.fc40.noarch

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today | grep swtpm

type=AVC msg=audit(29/08/2024 09:49:21.205:547) : avc:  denied  { append } for  pid=16793 comm=swtpm name=fcos-uki-swtpm.log dev="nvme0n1p3" ino=2065719 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c73,c235 tclass=file permissive=0 
type=AVC msg=audit(29/08/2024 09:50:51.500:576) : avc:  denied  { append } for  pid=17202 comm=swtpm name=fcos-uki-swtpm.log dev="nvme0n1p3" ino=2065719 scontext=system_u:system_r:swtpm_t:s0 tcontext=system_u:object_r:svirt_image_t:s0:c73,c235 tclass=file permissive=0 
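The two ausearch records above contain everything needed to classify the denial (source domain, requested permission, object class, target label, enforcing vs. permissive), but reading them by eye is error-prone. The following parser is an added example, not code from this thread or from swtpm/libvirt; it is fed the two AVC lines quoted above and reduces them to a per-(domain, permission, class, label) count plus the list of files whose labels are worth checking with `ls -Z`. The field names it extracts (`pid`, `comm`, `name`, `dev`, `ino`, `scontext`, `tcontext`, `tclass`, `permissive`) are the standard ones in `ausearch -i` output; the helper names are my own.

```python
import re
from collections import Counter

# The two AVC records quoted earlier in this thread (ausearch -i output),
# used here as sample input so the script runs offline.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(29/08/2024 09:49:21.205:547) : avc:  denied  { append } for  '
    'pid=16793 comm=swtpm name=fcos-uki-swtpm.log dev="nvme0n1p3" ino=2065719 '
    'scontext=system_u:system_r:swtpm_t:s0 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c73,c235 tclass=file permissive=0',
    'type=AVC msg=audit(29/08/2024 09:50:51.500:576) : avc:  denied  { append } for  '
    'pid=17202 comm=swtpm name=fcos-uki-swtpm.log dev="nvme0n1p3" ino=2065719 '
    'scontext=system_u:system_r:swtpm_t:s0 '
    'tcontext=system_u:object_r:svirt_image_t:s0:c73,c235 tclass=file permissive=0',
]

# "avc:  denied  { append write } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type:level; the MLS/MCS level may itself contain ':'."""
    user, role, type_, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "level": level}


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),          # one AVC can list several perms
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "dev": fields.get("dev"),
        "ino": fields.get("ino"),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",  # 1 = logged only, 0 = blocked
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
    }


def summarize(lines):
    """Count denials by (source type, permission, class, target type, permissive)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["source"]["type"], perm, rec["tclass"],
                   rec["target"]["type"], rec["permissive"])
            counts[key] += 1
    return counts


def report(lines):
    """Human-readable one-liners, one per distinct denial pattern."""
    out = []
    for (stype, perm, tclass, ttype, permissive), n in sorted(summarize(lines).items()):
        mode = "permissive (logged only)" if permissive else "enforcing (blocked)"
        out.append(f"{n}x {stype} denied '{perm}' on {tclass} labeled {ttype} [{mode}]")
    return out


def affected_files(lines):
    """Files named in file-class denials: (name, dev, inode, target type).

    The target type is the label to compare against `ls -Z` on the path the
    hypervisor actually hands to swtpm; a mismatch between what the domain is
    allowed to touch and how the file is labeled is what the AVC is reporting.
    """
    found = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec["tclass"] == "file":
            found.add((rec["name"], rec["dev"], rec["ino"], rec["target"]["type"]))
    return found


if __name__ == "__main__":
    for row in report(SAMPLE_AVC_LINES):
        print(row)
    for name, dev, ino, ttype in sorted(affected_files(SAMPLE_AVC_LINES)):
        print(f"check label of {name} (dev {dev}, inode {ino}): currently {ttype}")
```

Run against the two lines above it reports a single pattern, `swtpm_t` denied `append` on a `file` labeled `svirt_image_t` in enforcing mode, and names `fcos-uki-swtpm.log` as the file to inspect. The same script accepts the full output of `ausearch -i -m avc -ts today`, which is how you would check whether a later denial is really the same pattern or a different one.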

I confirm that the issue is still there in Fedora Silverblue 40 with swtpm-selinux-0.9.0-1.fc40.noarch and swtpm-0.9.0-1.fc40.x86_64.

The above issue was solved with an update that worked for the parties involved and for the state of Fedora at that time. A lot of updates have occurred since. Whatever you have, we have to assume it is a new issue. Please open a new topic. Feel free to link back to this one if you think there are similarities. But keep in mind that a denial on swtpm is a generic event, and by itself does not indicate this to be the same issue. However, if you have made no changes but only applied updates, you might also consider opening a bug report against swtpm. But ensure you provide sufficient information: the denial by itself does not suffice. You might review the above topic and its bug report (linked above).