
Conversation

@vmojzis
Member

@vmojzis vmojzis commented Nov 19, 2025

Fixes:
$ sudo clevis luks bind -d /dev/vda3 tpm2 "{}"

systemd-cryptenroll --tpm2-device=auto /dev/vda3

type=PROCTITLE msg=audit(11/11/2025 06:34:49.586:82) : proctitle=systemd-cryptenroll --tpm2-device=auto /dev/vda3
type=SYSCALL msg=audit(11/11/2025 06:34:49.586:82) : arch=x86_64 syscall=add_key success=no exit=EINVAL(Invalid argument) a0=0x7f05bd4e0b77 a1=0x5617881a6395 a2=0x56178887db00 a3=0x0 items=0 ppid=2318 pid=2904 auid=dcd uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=systemd-crypten exe=/usr/bin/systemd-cryptenroll subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/11/2025 06:34:49.586:82) : avc: denied { write } for pid=2904 comm=systemd-crypten scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1

type=PROCTITLE msg=audit(11/01/2025 22:30:19.534:717) : proctitle=/usr/bin/bash -e /bin/clevis-decrypt-tpm2
type=PATH msg=audit(11/01/2025 22:30:19.534:717) : item=0 name=/dev/tpmrm0 inode=102 dev=00:05 mode=character,660 ouid=tss ogid=tss rdev=fd:10000 obj=system_u:object_r:tpm_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/01/2025 22:30:19.534:717) : cwd=/home/dcd
type=SYSCALL msg=audit(11/01/2025 22:30:19.534:717) : arch=x86_64 syscall=faccessat2 success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55fa435f4ab0 a2=R_OK a3=0x200 items=1 ppid=2207 pid=2212 auid=dcd uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=tty1 ses=1 comm=clevis-decrypt- exe=/usr/bin/bash subj=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/01/2025 22:30:19.534:717) : avc: denied { read } for pid=2212 comm=clevis-decrypt- name=tpmrm0 dev="devtmpfs" ino=102 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=0

https://issues.redhat.com/browse/RHEL-119055

Signed-off-by: Vit Mojzis <[email protected]>
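Added example, not part of this PR or of selinux-policy: a small parser for the two AVC records quoted above that derives the allow statements audit2allow would propose from them, and notes whether each denial was enforced (permissive=0) or only logged (permissive=1). The audit lines are copied into the block as constructed input.

```python
import re

# Constructed copy of the two AVC records quoted in the PR description.
AVC_LINES = [
    'type=AVC msg=audit(11/11/2025 06:34:49.586:82) : avc: denied { write } for pid=2904 '
    'comm=systemd-crypten scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1',
    'type=AVC msg=audit(11/01/2025 22:30:19.534:717) : avc: denied { read } for pid=2212 '
    'comm=clevis-decrypt- name=tpmrm0 dev="devtmpfs" ino=102 '
    'scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tpm_device_t:s0 tclass=chr_file permissive=0',
]

# Fields of an AVC denial: permissions in braces, then scontext/tcontext/tclass,
# optionally followed by the permissive flag (absent on older kernels).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return source/target type, class, perms and enforcement for one AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return {
        'source': stype,
        'target': ttype,
        'tclass': m.group('tclass'),
        'perms': tuple(m.group('perms').split()),
        'enforced': m.group('permissive') == '0',
    }


def allow_rules(lines):
    """Merge denials per (source, target, class) into allow statements as audit2allow prints them."""
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL, PATH, PROCTITLE records carry no AVC decision
        merged.setdefault((rec['source'], rec['target'], rec['tclass']), set()).update(rec['perms'])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        rules.append(f'allow {s} {t}:{c} {p if len(perms) == 1 else "{ " + p + " }"};')
    return rules
```

The raw allow rules are the analysis result, not the form a selinux-policy fix takes, which goes through the policy's interface macros; the permissive=1 record also shows that the failed add_key call was only logged, not blocked, so its exit=EINVAL is not caused by SELinux.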
@zpytela
Contributor

zpytela commented Nov 21, 2025

Merging, thank you.

@zpytela zpytela merged commit ede2d5e into fedora-selinux:rawhide Nov 21, 2025
4 checks passed