Accepting request 1318598 from security

Update SELinux modules dir as macro to allow root path move

As discussed before we are going to move SELinux modules from /var/lib/selinux to /etc/selinux (bsc#1221342). This small change allows you to build your packages dynamically (not depending on selinux-package version) and us to change module directory macro in upcoming versions of selinux-policy package without interfering with other packages using custom SELinux modules. (forwarded request 1318580 from djz88)

OBS-URL: https://build.opensuse.org/request/show/1318598
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/swtpm?expand=0&rev=25

1027.patch

@@ -0,0 +1,82 @@
+From 79ab56b7987e509bd0da2f81fae8ec11198a4f1f Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Mon, 12 May 2025 18:25:48 -0400
+Subject: [PATCH] tests: Retry NVWrite command after 0x922 return code and inc
+ lockout counter
+
+When returncode 0x922 is received from NVWrite then retry the command so
+that it gets the expected error code from failing to provide a password.
+When checking the lockout counter, increase the numbers now.
+
+Patched versions of libtpms may not return 0x922 anymore, so write the code
+that it can test both cases.
+
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+---
+ tests/_test_tpm2_avoid_da_lockout | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/tests/_test_tpm2_avoid_da_lockout b/tests/_test_tpm2_avoid_da_lockout
+index e4f0121a9..fc26a8cf6 100755
+--- a/tests/_test_tpm2_avoid_da_lockout
++++ b/tests/_test_tpm2_avoid_da_lockout
+@@ -53,6 +53,11 @@ fi
+ cmd='\x80\x02\x00\x00\x00\x24\x00\x00\x01\x37\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x09\x40\x00\x00\x09\x00\x00\x00\x00\x00\x00\x01\x41\x00\x00'
+ RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
+ exp=' 80 01 00 00 00 0a 00 00 09 22'
++if [ "$RES" == "$exp" ]; then
++	# 0x922 : retry command
++	RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
++fi
++exp=' 80 01 00 00 00 0a 00 00 09 8e'
+ if [ "$RES" != "$exp" ]; then
+ 	echo "Error: Did not get expected result from TPM2_NV_Write"
+ 	echo "expected: $exp"
+@@ -63,9 +68,9 @@ fi
+ # The TPM_PT_LOCKOUT_COUNTER must be 0 now: tssgetcapability -cap 6 -pr 0x20e -pc 1
+ cmd='\x80\x01\x00\x00\x00\x16\x00\x00\x01\x7a\x00\x00\x00\x06\x00\x00\x02\x0e\x00\x00\x00\x01'
+ RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
+-exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 00'
++exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 01'
+ if [ "$RES" != "$exp" ]; then
+-	echo "Error: Did not get expected result from TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)"
++	echo "Error: Did not get expected result from 1st TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)"
+ 	echo "expected: $exp"
+ 	echo "received: $RES"
+ 	exit 1
+@@ -92,9 +97,9 @@ fi
+ # Without swtpm sending TPM2_Shutdown, it would be '1' now
+ cmd='\x80\x01\x00\x00\x00\x16\x00\x00\x01\x7a\x00\x00\x00\x06\x00\x00\x02\x0e\x00\x00\x00\x01'
+ RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
+-exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 00'
++exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 01'
+ if [ "$RES" != "$exp" ]; then
+-	echo "Error: Did not get expected result from TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)"
++	echo "Error: Did not get expected result from 2nd TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)"
+ 	echo "expected: $exp"
+ 	echo "received: $RES"
+ 	exit 1
+@@ -104,6 +109,11 @@ fi
+ cmd='\x80\x02\x00\x00\x00\x24\x00\x00\x01\x37\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x09\x40\x00\x00\x09\x00\x00\x00\x00\x00\x00\x01\x41\x00\x00'
+ RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
+ exp=' 80 01 00 00 00 0a 00 00 09 22'
++if [ "$RES" == "$exp" ]; then
++	# 0x922 : retry command
++	RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
++fi
++exp=' 80 01 00 00 00 0a 00 00 09 8e'
+ if [ "$RES" != "$exp" ]; then
+ 	echo "Error: Did not get expected result from TPM2_NV_Write"
+ 	echo "expected: $exp"
+@@ -136,9 +146,9 @@ fi
+ # Without swtpm sending TPM2_Shutdown, it would be '2' now
+ cmd='\x80\x01\x00\x00\x00\x16\x00\x00\x01\x7a\x00\x00\x00\x06\x00\x00\x02\x0e\x00\x00\x00\x01'
+ RES=$(swtpm_cmd_tx "${SWTPM_INTERFACE}" ${cmd})
+-exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 00'
++exp=' 80 01 00 00 00 1b 00 00 00 00 01 00 00 00 06 00 00 00 01 00 00 02 0e 00 00 00 02'
+ if [ "$RES" != "$exp" ]; then
+-	echo "Error: Did not get expected result from TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)"
++	echo "Error: Did not get expected result from 3rd TPM2_GetCapability(TPM_PT_LOCKOUT_COUNTER)"
+ 	echo "expected: $exp"
+ 	echo "received: $RES"
+ 	exit 1

1229131-fix-swtpm-selinux-policy-mismatch.patch

@@ -1,20 +0,0 @@
-Index: swtpm-0.10.0/src/selinux/swtpm.te
-===================================================================
---- swtpm-0.10.0.orig/src/selinux/swtpm.te
-+++ swtpm-0.10.0/src/selinux/swtpm.te
-@@ -9,6 +9,7 @@ require {
- 	type qemu_var_run_t;
- 	type svirt_image_t;
- 	type var_log_t;
-+	type virt_log_t;
- 	type virt_var_lib_t;
- 	type virtqemud_t;
- 	type virtqemud_tmp_t;
-@@ -30,6 +31,7 @@ allow swtpm_t qemu_var_run_t:file { crea
- allow swtpm_t qemu_var_run_t:dir { add_name remove_name write };
- allow swtpm_t qemu_var_run_t:sock_file { create setattr unlink };
- allow swtpm_t var_log_t:file open;
-+allow swtpm_t virt_log_t:file open;
- allow swtpm_t virt_var_lib_t:dir { add_name remove_name write };
- allow swtpm_t virt_var_lib_t:file { create rename setattr unlink write };
- allow swtpm_t virtqemud_t:unix_stream_socket { read write getattr };

swtpm-0.10.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f8da11cadfed27e26d26c5f58a7b8f2d14d684e691927348906b5891f525c684
+size 415992

swtpm.changes

@@ -1,3 +1,34 @@
+-------------------------------------------------------------------
+Thu Nov 19 08:05:47 UTC 2025 - Zdenek Kubala <zkubala@suse.com>
+
+- Update SELinux module dir as macro to allow root path move from /var/lib/selinux
+  to /etc/selinux (bsc#1221342)
+
+-------------------------------------------------------------------
+Fri Oct 31 09:19:12 UTC 2025 - Johannes Segitz <jsegitz@suse.com>
+
+- Also load swtpm_libvirt in the selinux subpackage (bsc#1251789)
+
+-------------------------------------------------------------------
+Mon Jun 16 08:49:29 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Update to version 0.10.1:
+  + swtpm: Fix build error on 32bit systems due to inconsistent
+    _FILE_OFFSET_BITS.
+  + swtpm_setup:
+    - Use DISTRO_PROFILES_DIR when listing profiles (fix path
+      issue).
+    - Do not pass a TPM 2 profile to swtpm when reconfiguring.
+  + selinux:
+    - Add rule for swtpm to be able to read password from pipe.
+    - allow to map state file.
+    - add NFS permissions for swtpm_t.
+    - Add rule to allow swtpm_t opening of virt_log_t files.
+- Drop 1229131-fix-swtpm-selinux-policy-mismatch.patch: fixed
+  upstream.
+- Add 1027.patch: tests: Retry NVWrite command after 0x922 return
+  code and inc lockout counter.
+
 -------------------------------------------------------------------
 Sat Dec  7 10:16:02 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
 

swtpm.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package swtpm
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,8 +29,9 @@
 %define modulename1 swtpm
 %define modulename2 swtpm_svirt
 %define modulename3 swtpmcuse
+%define modulename4 swtpm_libvirt
 Name:           swtpm
-Version:        0.10.0
+Version:        0.10.1
 Release:        0
 Summary:        Software TPM emulator
 License:        BSD-3-Clause
@@ -39,14 +40,8 @@ URL:            https://github.com/stefanberger/swtpm
 Source0:        %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
 Source100:      swtpm-rpmlintrc
 Patch0:         swtpm-fix-build.patch
-# 19-09-24 cahu bsc#1229131
-# this can be removed once swtpm upstream sorts out their custom selinux module
-# see: https://github.com/stefanberger/swtpm/issues/885
-# there were a couple changes in the selinux-policy libvirt handling
-# which causes the logfile in /var/log/swtpm/libvirt/qemu/*.log to be labeled
-# virt_log_t instead of var_log_t.
-# this patch allows swtpm_t to open the virt_log_t
-Patch1:         1229131-fix-swtpm-selinux-policy-mismatch.patch
+# PATCH-FIX-UPSTREAM
+Patch1:         https://patch-diff.githubusercontent.com/raw/stefanberger/swtpm/pull/1027.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  expect
@@ -153,12 +148,14 @@ sed -i "s@\(-L\./\.libs\)@\1 -Wl,--no-as-needed@" src/Makefile
 %selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename1}.pp
 %selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename2}.pp
 %selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename3}.pp
+%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/targeted/%{modulename4}.pp
 
 %postun selinux
 if [ $1 -eq 0 ]; then
     %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename1}
     %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename2}
     %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename3}
+    %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{modulename4}
 fi
 
 %posttrans selinux
@@ -185,9 +182,10 @@ fi
 %if %{with use_selinux}
 %files selinux
 %{_datadir}/selinux/packages/targeted/*.pp
-%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename1}
-%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename2}
-%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename3}
+%ghost %verify(not md5 size mtime) %{_selinux_store_path}/%{selinuxtype}/active/modules/200/%{modulename1}
+%ghost %verify(not md5 size mtime) %{_selinux_store_path}/%{selinuxtype}/active/modules/200/%{modulename2}
+%ghost %verify(not md5 size mtime) %{_selinux_store_path}/%{selinuxtype}/active/modules/200/%{modulename3}
+%ghost %verify(not md5 size mtime) %{_selinux_store_path}/%{selinuxtype}/active/modules/200/%{modulename4}
 %endif
 
 %changelog