
Error when sqlite file is read-only

imlibra opened this issue (status: Open) · 1 comment

When /etc/tpm2_pkcs11/tpm2_pkcs11.sqlite3.lock cannot be created, it fails with an error. So it’s impossible to use this library with other software (like Nginx) in an SELinux-enabled environment.

I hope a read-only option could be added.

-- Unit nginx.service has begun starting up.
Dec 10 08:18:47 imlibra-me nginx[134974]: ERROR: Could not open lock file "/etc/tpm2_pkcs11/tpm2_pkcs11.sqlite3.lock", error: Permission denied
Dec 10 08:18:47 imlibra-me nginx[134974]: Failed to enumerate slots
Dec 10 08:18:47 imlibra-me nginx[134974]: ERROR: Could not open lock file "/etc/tpm2_pkcs11/tpm2_pkcs11.sqlite3.lock", error: Permission denied
Dec 10 08:18:47 imlibra-me nginx[134974]: Failed to enumerate slots
Dec 10 08:18:47 imlibra-me nginx[134974]: PKCS11_get_private_key returned NULL
Dec 10 08:18:47 imlibra-me nginx[134974]: nginx: [emerg] ENGINE_load_private_key("pkcs11:model=vTPM;manufacturer=GOOG;serial=0000000000000000;token=token1;type=private;object=keylabel1?pin-value=123456") failed (SSL: error:80067065:pkcs11 engine:ctx_load_privkey:object not found error:26096080:engine routines:ENGINE_load_private_key:failed loading private key)
Dec 10 08:18:47 imlibra-me nginx[134974]: nginx: configuration file /etc/nginx/nginx.conf test failed
Dec 10 08:18:47 imlibra-me systemd[1]: nginx.service: Control process exited, code=exited status=1
Dec 10 08:18:47 imlibra-me systemd[1]: nginx.service: Failed with result 'exit-code'.

imlibra, Dec 10 '21 08:12

You can use env variable PKCS11_SQL_LOCK to send it to a different file system, would that work for now?

Related to #756

williamcroberts, Jul 01 '22 14:07
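One way to apply that workaround for the nginx case in this thread, as an added example that is not tpm2-pkcs11's own code: probe whether the service user can create the lock file next to the store and, if it cannot, emit a systemd drop-in for nginx.service that points PKCS11_SQL_LOCK at a writable tmpfs location. It assumes the lock is named tpm2_pkcs11.sqlite3.lock beside the store (as in the log above); whether PKCS11_SQL_LOCK expects a file path or a directory should be confirmed against the tpm2-pkcs11 docs, and /run/tpm2_pkcs11 is a placeholder location.

```shell
#!/bin/sh
# Added example, not part of tpm2-pkcs11. Run as the user nginx drops to
# (e.g. "sudo -u nginx sh probe.sh") so the check reflects the real permissions.

# can_create_lock DIR -> 0 if a lock file can be created (or reopened) in DIR
can_create_lock() {
    dir="$1"
    lock="$dir/tpm2_pkcs11.sqlite3.lock"   # name used in the error above
    # noclobber create: fails instead of truncating an existing lock file
    if ( set -C; : > "$lock" ) 2>/dev/null; then
        rm -f "$lock"                      # remove the probe file again
        return 0
    fi
    # an existing lock we can open read-write is also usable
    [ -e "$lock" ] && [ -w "$lock" ]
}

# lock_dropin STORE_DIR ALT_PATH -> prints a systemd drop-in only when needed
# ALT_PATH is whatever PKCS11_SQL_LOCK should be set to (assumption: a path
# on a file system the service user may write, such as /run/tpm2_pkcs11).
lock_dropin() {
    store_dir="$1"
    alt_path="$2"
    if can_create_lock "$store_dir"; then
        echo "# lock file can be created in $store_dir; no override needed"
        return 0
    fi
    # Install as /etc/systemd/system/nginx.service.d/tpm2-pkcs11-lock.conf,
    # then: systemctl daemon-reload && systemctl restart nginx
    printf '[Service]\nEnvironment=PKCS11_SQL_LOCK=%s\n' "$alt_path"
}

# usage: lock_dropin /etc/tpm2_pkcs11 /run/tpm2_pkcs11
```

The alternate location must persist for as long as the token is in use, so a directory created by tmpfiles.d or RuntimeDirectory= is safer than an ad-hoc /tmp path.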