tpm2-software / tpm2-abrmd

TPM2 Access Broker & Resource Management Daemon implementing the TCG spec.
https://github.com/tpm2-software/tpm2-abrmd
BSD 2-Clause "Simplified" License

Mention SELinux workaround in INSTALL.md #481

Closed joshuagl closed 6 years ago

joshuagl commented 6 years ago

Running master of tpm2-tss (), tpm2-abrmd () and tpm2-tools () on Fedora 28.

Running the RM on the D-Bus system bus with the simulator TCTI, started as:

$ sudo -u tss /usr/local/sbin/tpm2-abrmd --allow-root --tcti=mssim

the RM crashes when tools try to connect:

$ ./tools/tpm2_pcrlist
(process:9769): WARNING : 21:48:16.141: Failed to create connection with service: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
ERROR: tcti init allocation routine failed for library: "tabrmd" options: "(null)"
ERROR: Could not load tcti, got: "tabrmd"

The journal records the following information about the crash:

Jun 28 21:48:26 localhost.localdomain systemd[1]: tpm2-abrmd.service: Main process exited, code=killed, status=5/TRAP
Jun 28 21:48:26 localhost.localdomain systemd[1]: tpm2-abrmd.service: Failed with result 'signal'.
Jun 28 21:48:26 localhost.localdomain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tpm2-abrmd comm="systemd" exe="/usr/lib/systemd/systemd" hostna>
Jun 28 21:48:26 localhost.localdomain systemd-coredump[9937]: Process 9930 (tpm2-abrmd) of user 59 dumped core.

        Stack trace of thread 9931:
        #0  0x00007f21eff617e5 _g_log_abort (libglib-2.0.so.0)
        #1  0x00007f21eff628b1 g_log_default_handler (libglib-2.0.so.0)
        #2  0x00007f21eff62aff g_logv (libglib-2.0.so.0)
        #3  0x00007f21eff62cf3 g_log (libglib-2.0.so.0)
        #4  0x00000000004065c8 access_broker_get_tpm_properties_fixed (tpm2-abrmd)
        #5  0x0000000000406bcc access_broker_init_tpm (tpm2-abrmd)
        #6  0x0000000000405262 init_thread_func (tpm2-abrmd)
        #7  0x00007f21eff83f2a g_thread_proxy (libglib-2.0.so.0)
        #8  0x00007f21efaf3594 start_thread (libpthread.so.0)
        #9  0x00007f21ef82702f __clone (libc.so.6)

        Stack trace of thread 9935:
        #0  0x00007f21ef81c5a9 __poll (libc.so.6)
        #1  0x00007f21eff5bbe6 g_main_context_iterate.isra.21 (libglib-2.0.so.0)
        #2  0x00007f21eff5bfa2 g_main_loop_run (libglib-2.0.so.0)
        #3  0x00007f21f0f226ba gdbus_shared_thread_func (libgio-2.0.so.0)
        #4  0x00007f21eff83f2a g_thread_proxy (libglib-2.0.so.0)
        #5  0x00007f21efaf3594 start_thread (libpthread.so.0)
        #6  0x00007f21ef82702f __clone (libc.so.6)

        Stack trace of thread 9933:
        #0  0x00007f21ef821a39 syscall (libc.so.6)
        #1  0x00007f21effa26ee g_cond_wait_until (libglib-2.0.so.0)
        #2  0x00007f21eff2e0f1 g_async_queue_pop_intern_unlocked (libglib-2.0.so.0)
        #3  0x00007f21eff84a72 g_thread_pool_thread_proxy (libglib-2.0.so.0)
        #4  0x00007f21eff83f2a g_thread_proxy (libglib-2.0.so.0)
        #5  0x00007f21efaf3594 start_thread (libpthread.so.0)
        #6  0x00007f21ef82702f __clone (libc.so.6)

        Stack trace of thread 9934:
        #0  0x00007f21ef821a39 syscall (libc.so.6)
        #1  0x00007f21effa26ee g_cond_wait_until (libglib-2.0.so.0)
        #2  0x00007f21eff2e0f1 g_async_queue_pop_intern_unlocked (libglib-2.0.so.0)
        #3  0x00007f21eff84a72 g_thread_pool_thread_proxy (libglib-2.0.so.0)
        #4  0x00007f21eff83f2a g_thread_proxy (libglib-2.0.so.0)
        #5  0x00007f21efaf3594 start_thread (libpthread.so.0)
        #6  0x00007f21ef82702f __clone (libc.so.6)

        Stack trace of thread 9932:
        #0  0x00007f21ef81c5a9 __poll (libc.so.6)
        #1  0x00007f21eff5bbe6 g_main_context_iterate.isra.21 (libglib-2.0.so.0)
        #2  0x00007f21eff5bd10 g_main_context_iteration (libglib-2.0.so.0)
        #3  0x00007f21eff5bd61 glib_worker_main (libglib-2.0.so.0)
        #4  0x00007f21eff83f2a g_thread_proxy (libglib-2.0.so.0)
        #5  0x00007f21efaf3594 start_thread (libpthread.so.0)
        #6  0x00007f21ef82702f __clone (libc.so.6)

        Stack trace of thread 9930:
        #0  0x00007f21ef81c5a9 __poll (libc.so.6)
        #1  0x00007f21eff5bbe6 g_main_context_iterate.isra.21 (libglib-2.0.so.0)
        #2  0x00007f21eff5bfa2 g_main_loop_run (libglib-2.0.so.0)
        #3  0x0000000000404ed1 main (tpm2-abrmd)
        #4  0x00007f21ef75018b __libc_start_main (libc.so.6)
        #5  0x0000000000404fda _start (tpm2-abrmd)

martinezjavier commented 6 years ago

@joshuagl I think that's a known issue caused by SELinux, you can either set to permissive mode or install the SELinux policy module that's in the tpm2-abrmd repo.

I've been trying for at least 6 months now to get my package that ships the SELinux module approved in Fedora but didn't succeed so far...

joshuagl commented 6 years ago

The crash can't be reproduced when using the session bus, as below:

$ /usr/local/sbin/tpm2-abrmd --allow-root --session --dbus-name=com.intel.tss2.Tabrmd.device --tcti=mssim

$ export TPM2TOOLS_TCTI="abrmd:bus_type=session,bus_name=com.intel.tss2.Tabrmd.device"

$ ./tools/tpm2_pcrlist
sha1:
  0 : 0x0000000000000000000000000000000000000003
  1 : 0x0000000000000000000000000000000000000000

martinezjavier commented 6 years ago

@joshuagl yes, I think it's the same issue. Did you try without SELinux in enforcing mode?

joshuagl commented 6 years ago

@martinezjavier timely knowledge, thanks. I'll try installing the SELinux policy. I probably did have SELinux in a non-enforcing mode on my previous install, which would explain why I haven't seen this before.

I'll work on a patch for INSTALL.md that mentions SELinux
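
An added example, not part of the thread or of the tpm2-abrmd project: one way to confirm that SELinux is what stops the RM is to filter audit records for enforced denials that mention the daemon. The sample records are constructed, and the default match pattern (`tpm2-abrmd`, `com.intel.tss2.Tabrmd`) is an assumption based on the names visible in this thread.

```shell
#!/bin/sh
# Added example: summarise SELinux denials that involve tpm2-abrmd.
# Reads audit records on stdin, e.g. from: ausearch -m AVC,USER_AVC -ts recent

# Constructed sample records; every pid, context and timestamp is made up.
sample_audit() {
cat <<'EOF'
type=USER_AVC msg=audit(1530218896.141:512): pid=812 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call dest=com.intel.tss2.Tabrmd spid=9769 tpid=9930 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:system_r:example_service_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon"'
type=AVC msg=audit(1530218896.150:513): avc:  denied  { name_connect } for  pid=9930 comm="tpm2-abrmd" dest=2321 scontext=system_u:system_r:example_service_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1530218900.000:514): avc:  denied  { read } for  pid=4000 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# Print "<permission(s)> <tclass> <enforced|permissive>" for each denial
# whose record matches the daemon pattern ($1, optional ERE).
abrmd_denials() {
    awk -v pat="${1:-tpm2-abrmd|com.intel.tss2.Tabrmd}" '
        /avc: +denied/ && $0 ~ pat {
            perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
            cls  = $0; sub(/.*tclass=/, "", cls);        sub(/ .*/, "", cls)
            mode = $0; sub(/.*permissive=/, "", mode);   sub(/[^01].*/, "", mode)
            print perm, cls, (mode == "0" ? "enforced" : "permissive")
        }'
}

# Exit status 0 when at least one denial for the daemon was actually enforced.
# Denials logged with permissive=1 were only recorded, not blocked.
selinux_blocks_abrmd() {
    abrmd_denials "$@" | grep -q ' enforced$'
}

# Stand-alone run over the constructed sample.
sample_audit | abrmd_denials
if sample_audit | selinux_blocks_abrmd; then
    echo "SELinux is enforcing denials against the RM: install the policy module or test in permissive mode"
fi
```

On a live host, pipe `ausearch -m AVC,USER_AVC -ts recent` into `abrmd_denials` instead of the sample.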