
Commit ede2d5e

vmojziszpytela
authored and committed
Allow sysadm access to TPM
Fixes:
$ sudo clevis luks bind -d /dev/vda3 tpm2 "{}"
# systemd-cryptenroll --tpm2-device=auto /dev/vda3

type=PROCTITLE msg=audit(11/11/2025 06:34:49.586:82) : proctitle=systemd-cryptenroll --tpm2-device=auto /dev/vda3
type=SYSCALL msg=audit(11/11/2025 06:34:49.586:82) : arch=x86_64 syscall=add_key success=no exit=EINVAL(Invalid argument) a0=0x7f05bd4e0b77 a1=0x5617881a6395 a2=0x56178887db00 a3=0x0 items=0 ppid=2318 pid=2904 auid=dcd uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=systemd-crypten exe=/usr/bin/systemd-cryptenroll subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/11/2025 06:34:49.586:82) : avc: denied { write } for pid=2904 comm=systemd-crypten scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1

type=PROCTITLE msg=audit(11/01/2025 22:30:19.534:717) : proctitle=/usr/bin/bash -e /bin/clevis-decrypt-tpm2
type=PATH msg=audit(11/01/2025 22:30:19.534:717) : item=0 name=/dev/tpmrm0 inode=102 dev=00:05 mode=character,660 ouid=tss ogid=tss rdev=fd:10000 obj=system_u:object_r:tpm_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/01/2025 22:30:19.534:717) : cwd=/home/dcd
type=SYSCALL msg=audit(11/01/2025 22:30:19.534:717) : arch=x86_64 syscall=faccessat2 success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55fa435f4ab0 a2=R_OK a3=0x200 items=1 ppid=2207 pid=2212 auid=dcd uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=1 comm=clevis-decrypt- exe=/usr/bin/bash subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/01/2025 22:30:19.534:717) : avc: denied { read } for pid=2212 comm=clevis-decrypt- name=tpmrm0 dev="devtmpfs" ino=102 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=0

https://issues.redhat.com/browse/RHEL-119055
Signed-off-by: Vit Mojzis <[email protected]>
1 parent fe44c01 commit ede2d5e

File tree

1 file changed

+2
-0
lines changed

policy/modules/roles/sysadm.te

Lines changed: 2 additions & 0 deletions
@@ -29,6 +29,7 @@ kernel_manage_perf_event(sysadm_t)
2929
kernel_prog_run_bpf(sysadm_t)
3030
kernel_read_fs_sysctls(sysadm_t)
3131
kernel_read_all_proc(sysadm_t)
32+
kernel_rw_key(sysadm_t)
3233
kernel_secretmem_use(sysadm_t)
3334
kernel_kvm_gmem_use(sysadm_t)
3435
kernel_unconfined(sysadm_t)
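Review bot: the only key-class denial quoted in the commit message is `{ write }` on a `kernel_t` key from the `add_key` syscall, yet this hunk grants the broader `kernel_rw_key(sysadm_t)`; if kernel.if offers a narrower interface covering just the write side, prefer it, and otherwise state in the commit message why read access on kernel keys is also needed. Note also that the quoted record was taken with `permissive=1`, so re-run `systemd-cryptenroll --tpm2-device=auto` in enforcing mode to confirm no further key-class denials follow. A short comment referencing RHEL-119055 next to the new rule would help future readers of this uncommented block.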
@@ -38,6 +39,7 @@ auth_manage_shadow(sysadm_t)
3839
corecmd_exec_shell(sysadm_t)
3940

4041
dev_filetrans_all_named_dev(sysadm_t)
42+
dev_read_tpm(sysadm_t)
4143
dev_rw_ipmi_dev(sysadm_t)
4244
dev_rw_autofs(sysadm_t)
4345
dev_rw_lvm_control(sysadm_t)
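Review bot: the denial behind this hunk is a `faccessat2` probe with `a2=R_OK` on `/dev/tpmrm0`, so the audit record only reflects the readability check that `clevis-decrypt-tpm2` performs before talking to the TPM; once that check passes, the subsequent TPM command exchange through the resource manager device normally needs write access as well, which `dev_read_tpm(sysadm_t)` alone does not grant. Verify the full `clevis luks bind` / unlock path in enforcing mode (`permissive=0`, as in the quoted record) and, if a write denial on `tpm_device_t` appears, switch to the read-write TPM interface in dev.if rather than landing a read-only rule that only satisfies the access() probe.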
