as a temporary workaround, I hacked trousers' init script:

I simply added:

    start)
        log_daemon_msg "Starting $DESC" "$NAME"
        if [ ! -e /dev/tpm* ]
        then
            log_warning_msg "device driver not loaded, skipping."
            exit 0
        fi
        chown tss:tss /dev/tpm*          # added
        chown -R tss:tss /var/lib/tpm    # added
        start-stop-daemon --start --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --chuid ${USER} --exec ${DAEMON} -- ${DAEMON_OPTS}
        RETVAL="$?"
        [ "$RETVAL" = 0 ] && pidof $DAEMON > /var/run/${NAME}.pid
        log_end_msg $RETVAL
        exit $RETVAL
        ;;

and now the daemon starts. The change of ownership of /var/lib/tpm should however be done by the package postinst script, and the change of ownership on the tpm device via udev; a permissions check should still be added to the init script, and maybe some 'form' of temporary remediation too
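The comment above asks for a permissions check in the init script rather than a blanket chown at every start. The following is an added example of such a check, not code from the bug report or from the trousers package. It assumes the daemon user tss, the state directory /var/lib/tpm and the device glob /dev/tpm* named in the report, but takes all three as parameters so it can be exercised against fixture paths; it relies on GNU stat for the owner lookup.

```shell
#!/bin/sh
# Added example (not from the bug report): an ownership check of the kind the
# comment says the init script should gain. Assumptions: daemon user tss, state
# dir /var/lib/tpm, devices matching /dev/tpm* (all as in the report); GNU stat.

# owner_of PATH -> prints the user name that owns PATH
owner_of() {
    stat -c '%U' "$1" 2>/dev/null
}

# check_owned_by USER PATH... -> 0 if every PATH exists and is owned by USER,
# 1 otherwise; each problem is reported on stderr so the init log shows why
# the daemon was not started instead of a silent permission failure later.
check_owned_by() {
    want="$1"; shift
    rc=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2
            rc=1
            continue
        fi
        have=$(owner_of "$p")
        if [ "$have" != "$want" ]; then
            echo "wrong owner on $p: $have (expected $want)" >&2
            rc=1
        fi
    done
    return $rc
}

# check_tpm_ownership USER STATEDIR DEVGLOB -> the init-script check proper.
# Returns 0 (skip, as the report's script does) when no device matches the
# glob; otherwise requires the state dir and every device to be owned by USER.
# An unmatched glob expands to itself, which is what the [ ! -e ] test relies on.
check_tpm_ownership() {
    user="$1"; statedir="$2"; devglob="$3"
    set -- $devglob
    if [ ! -e "$1" ]; then
        echo "device driver not loaded, skipping." >&2
        return 0
    fi
    check_owned_by "$user" "$statedir" "$@"
}

# Intended use in the start) branch, with the report's values:
#   check_tpm_ownership tss /var/lib/tpm '/dev/tpm*' || { log_end_msg 1; exit 1; }
```

Refusing to start on a bad owner, rather than repairing it with chown, keeps the fix-up where the comment says it belongs (postinst for the state directory, a udev rule for the device node) while still making the failure visible in the init log.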