tpm2-abrmd failed to work on RHEL7/CentOS7 since 1.2.0 #408
Comments
Last I heard RHEL had supported packages for all of the TSS2 bits. Does this include tabrmd? If so, do the packages work? There are two good hints in your bug report though:
Typically this means that there is a permission problem with the dbus config and the user associated with the daemon doesn't have permission to claim the name. But this is equally likely to be a problem with SELinux permissions given the first hint above. I'd recommend:
The tpm2-abrmd version packaged in RHEL was 1.1.0, so it looks like I don't need to try it. And I just tried setting SELinux from Enforcing to Permissive and running the reproducing steps; things work. So it looks like it is really an SELinux-related issue. I will try the SELinux suggestion you mentioned.
I tried, but failed. The steps I tried:
I can't get something like the following:
What's wrong with my steps? @flihp
It looks like the SELinux policy is building, so that's good. There is a file context rule for
Two things to check:
@martinezjavier may have some good insight here as well
Sorry for not responding to this issue before, was on holidays for a couple of days. @gwei3, I'll refer to Fedora since that's where I (co)maintain the tpm2-software packages, but what I say should also apply to RHEL and CentOS.

As @flihp points out, this is a known issue related to the commit you found by bisecting: tpm2-abrmd can't run in an unconfined SELinux domain anymore and needs an SELinux policy module, as he mentioned. An SELinux policy module that makes it work was added in commit b11194d ("SELinux: Add policy module for tabrmd."), but that wasn't suitable for Fedora, so I couldn't update the tpm2-abrmd package to the 1.2.0 release. The SELinux policy was recently fixed in commit d2d1d07 ("[SELinux] Remove gen_require part from tpm-abrmd2 policy.") and that made it into tpm2-abrmd 1.3.0, but that release happened after the Fedora 28 freeze, so it was too late. I hope to have it in Fedora 29 though.

There are two ways to have an SELinux policy module on Fedora: by adding it to the system-wide selinux-policy package, or by shipping it as an independent package as explained in the Fedora wiki. I've done the latter and proposed a tpm2-abrmd-selinux package for review. Once that's added, I can update the tpm2-abrmd package to 1.3.0. So I would suggest sticking with the packages and versions that are included in the distro.

Now, if you want to use the latest and build from source, then I think the problem is what @flihp mentions: the AV rules have the binary paths hardcoded and maybe you installed in a different place. There's an open issue #255 (SELinux builds with hand written Makefile) to integrate this into the autotools machinery so it doesn't have hardcoded stuff, but nobody has had time to work on this yet. Can you please share the configure options you use to build and also the output of
Anything wrong above?
The issue might be that the tpm2-abrmd was not started by systemd. So I tried to reconfigure it and rebuild as below:
Then as root:
I suspected that this might be caused by the socket connection between tpm2-abrmd and the simulator, so I set Permissive and tried again:
This time I can see the correct label for the running tpm2-abrmd. So, as a summary, we need to put the tpm_server binary in the same domain, or set SELinux to Permissive mode, to start tpm2-abrmd via systemd; then the tpm2-abrmd process has the expected running status. I should try having tpm2-abrmd connect to the device to see whether it will work without setting SELinux to Permissive mode.
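The label checks discussed in the comments above (ps -eZ showing whether tpm2-abrmd runs in its own domain after systemd starts it, and flihp's point that the policy's file-context rule hardcodes the binary path), gathered into one shell diagnostic. This is an added example, not code from tpm2-abrmd or from anyone in the thread. The domain name tabrmd_t, the executable type tabrmd_exec_t, the install path /usr/sbin/tpm2-abrmd and the sample ps -eZ line in the comments are all assumptions; override the variables to match what your policy module's .te and .fc files actually declare.

```shell
#!/bin/sh
# Added diagnostic for the failure mode in this thread: tpm2-abrmd started by
# systemd without a working policy module lands in an unconfined domain, or the
# installed binary carries a label the policy's file-context rule did not expect.
# Example code, not part of tpm2-abrmd.
#
# Assumptions (not taken from the thread): the policy module names the daemon
# domain tabrmd_t and the executable type tabrmd_exec_t, and the binary lives at
# /usr/sbin/tpm2-abrmd. Constructed sample of a `ps -eZ` line for reference:
#   system_u:system_r:unconfined_service_t:s0  1234 ?  00:00:00 tpm2-abrmd
TABRMD_BIN="${TABRMD_BIN:-/usr/sbin/tpm2-abrmd}"
EXPECTED_DOMAIN="${EXPECTED_DOMAIN:-tabrmd_t}"
EXPECTED_EXEC="${EXPECTED_EXEC:-tabrmd_exec_t}"

# type_of CONTEXT: the type field of an SELinux context
# (system_u:system_r:tabrmd_t:s0 -> tabrmd_t).
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# ps_type LINE: the process type from one `ps -eZ` line (context is column 1).
ps_type() {
    set -- $1
    type_of "$1"
}

# classify TYPE: what a given process type tells us about how the daemon started.
classify() {
    case "$1" in
        "$EXPECTED_DOMAIN")   echo "confined" ;;
        # systemd found no domain transition for the binary's label
        unconfined_service_t) echo "unconfined-from-systemd" ;;
        # started from an admin shell rather than by systemd
        unconfined_t)         echo "unconfined-manual-start" ;;
        *)                    echo "unexpected" ;;
    esac
}

# exec_label_ok: 0 when the policy's file-context rule for TABRMD_BIN yields
# EXPECTED_EXEC. A mismatch usually means the policy hardcodes a different
# install prefix than the one ./configure used.
exec_label_ok() {
    ctx=$(matchpathcon -n "$TABRMD_BIN" 2>/dev/null) || return 1
    [ "$(type_of "$ctx")" = "$EXPECTED_EXEC" ]
}

report() {
    command -v getenforce >/dev/null 2>&1 || { echo "SELinux tools not installed"; return 1; }
    echo "mode:           $(getenforce)"
    echo "on-disk label:  $(ls -Z "$TABRMD_BIN" 2>/dev/null)"
    echo "policy expects: $(matchpathcon -n "$TABRMD_BIN" 2>/dev/null)"
    exec_label_ok || echo "WARNING: $TABRMD_BIN does not map to $EXPECTED_EXEC; check the path in the policy's .fc file, then restorecon"
    # show what restorecon would change without changing it
    restorecon -n -v "$TABRMD_BIN" 2>/dev/null
    ps -eZ | grep '[t]pm2-abrmd' | while read -r line; do
        t=$(ps_type "$line")
        echo "running as:     $t ($(classify "$t"))"
    done
    # recent AVC denials recorded against the daemon
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m avc -ts recent -c tpm2-abrmd 2>/dev/null | tail -n 20
    fi
}

# `sh this.sh report` inspects a live system; the helpers can also be sourced.
if [ "${1:-}" = "report" ]; then
    report
fi
```

Run it once with SELinux enforcing and once after `setenforce 0`: if the process only shows up as tabrmd_t in permissive mode, the transition exists but an AVC denial is killing the daemon early, and the ausearch tail shows which rule is missing; if it shows unconfined_service_t in both modes, the transition itself is absent, which is the hardcoded-path mismatch flihp describes.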
To use the TPM device, some observations:
tpm2-abrmd ships a udev rule for this. Probably we should do something like the following on install:
BTW, the udev rules should really be part of tpm2-tss and not tpm2-abrmd; I've filed an issue for that (Move udev rules to tpm2-tss #412). We currently install it on Fedora as a part of the tpm2-tss package and not in tpm2-abrmd.
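For the device-permission point above, an added example of what such an install step and a follow-up check could look like. This is not the udev rule that tpm2-abrmd or tpm2-tss ship, and it is not code from anyone in the thread. It assumes the daemon runs as user and group tss, that the kernel exposes the devices as /dev/tpm<N> and /dev/tpmrm<N>, and the rules file name is arbitrary.

```shell
#!/bin/sh
# Added example: give the daemon's service account read/write access to the TPM
# character devices so tpm2-abrmd can open /dev/tpm0 without running as root.
# Not the udev rule shipped by tpm2-abrmd or tpm2-tss.
#
# Assumptions (not from the thread): the daemon runs as user/group "tss", the
# kernel names the nodes tpm<N> and tpmrm<N>, and the rule file name is free.
TSS_USER="${TSS_USER:-tss}"
TSS_GROUP="${TSS_GROUP:-tss}"
RULE_FILE="${RULE_FILE:-/etc/udev/rules.d/60-tpm-udev.rules}"

# tpm_udev_rule: the rule text. 0660 lets owner and group read/write the node
# and keeps every other account out.
tpm_udev_rule() {
    printf 'KERNEL=="tpm[0-9]*", MODE="0660", OWNER="%s", GROUP="%s"\n' "$TSS_USER" "$TSS_GROUP"
    printf 'KERNEL=="tpmrm[0-9]*", MODE="0660", OWNER="%s", GROUP="%s"\n' "$TSS_USER" "$TSS_GROUP"
}

# dev_perm_ok OWNER:GROUP:MODE (the shape `stat -c %U:%G:%a` prints):
# 0 when the tss account can read and write the node via owner or group bits.
dev_perm_ok() {
    owner=${1%%:*}
    rest=${1#*:}
    group=${rest%%:*}
    mode=$(printf '%s' "${rest#*:}" | tail -c 3)   # last three octal digits
    u=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    if [ "$owner" = "$TSS_USER" ] && [ "$u" -ge 6 ]; then
        return 0
    fi
    if [ "$group" = "$TSS_GROUP" ] && [ "$g" -ge 6 ]; then
        return 0
    fi
    return 1
}

# check_tpm_devices: report each TPM node present and whether tss can use it.
check_tpm_devices() {
    found=0
    for d in /dev/tpm[0-9]* /dev/tpmrm[0-9]*; do
        [ -c "$d" ] || continue
        found=1
        p=$(stat -c '%U:%G:%a' "$d")
        if dev_perm_ok "$p"; then
            echo "$d $p ok"
        else
            echo "$d $p NOT usable by $TSS_USER"
        fi
    done
    [ "$found" -eq 1 ] || echo "no TPM device nodes present (tpm driver not loaded, or using a simulator)"
}

# install_rule: write the rule and have udev re-apply it to nodes that already exist.
install_rule() {
    tpm_udev_rule > "$RULE_FILE"
    udevadm control --reload-rules
    udevadm trigger --subsystem-match=tpm --action=add
}

case "${1:-}" in
    check)   check_tpm_devices ;;
    install) install_rule && check_tpm_devices ;;
esac
```

`sh this.sh check` shows the situation before the rule is installed (on a stock RHEL 7 box the node is typically root-owned with mode 600, which dev_perm_ok reports as unusable); `sh this.sh install` as root writes the rule, reloads udev and re-checks.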
Yeah, let me close it. Thanks for the information provided in this issue.
Reproduce steps:
Start up tpm2-abrmd on the simulator with logging enabled, then run the command line below or tpm2_getrandom 8:
And tpm2-abrmd will exit with the log below:
With bisect, I found that if I check out commit ea0636e, I get a similar result. But if I revert commit 51a3c55, then things start working.
51a3c55 started replacing pipes with a local socket; I am not able to figure out the root cause of why it breaks tpm2-abrmd on RHEL/CentOS7.
@flihp Help...