Discussion:
Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid
(too old to reply)
Axel Beckert
2018-10-22 14:10:01 UTC
Permalink
Package: haveged
Version: 1.9.1-6
Severity: important
Tags: patch

Hi,

haveged silently fails to start on one of my machines, seemingly due
to apparmor. From /var/log/syslog after unsucessfully trying to start
haveged:

Oct 22 15:40:26 someone haveged: haveged starting up
Oct 22 15:40:26 someone kernel: [24678702.682596] audit: type=1400 audit(1540215626.982:65757): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=7421 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

What helped was adding the line

/run/haveged.pid w,

to /etc/apparmor.d/local/usr.sbin.haveged, so you should probably add
that line to /etc/apparmor.d/usr.sbin.haveged.

-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (300, 'unstable'), (299, 'unstable-debug'), (210, 'experimental'), (209, 'experimental-debug'), (110, 'buildd-unstable'), (105, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages haveged depends on:
ii init-system-helpers 1.54
ii libc6 2.27-6
ii libhavege1 1.9.1-6
ii lsb-base 9.20170808

haveged recommends no packages.

Versions of packages haveged suggests:
ii apparmor 2.13-8

-- no debconf information
Gert
2018-12-01 23:00:02 UTC
Permalink
Post by Axel Beckert
What helped was adding the line
/run/haveged.pid w,
to /etc/apparmor.d/local/usr.sbin.haveged
That works, thank you.
FWIW, I did not have this problem when I used systemd as init.
I just switched to openrc-init, and then I did.
I don't know why that would make a difference.

Buster, i386, /bin/sh -> dash, init=/sbin/openrc-init
haveged 1.9.1-6
init-system-helpers 1.56
initscripts 2.92~beta-2
libc6:i386 2.27-8
libhavege1:i386 1.9.1-6
linux-image-4.18.0-2-686-pae 4.18.10-2+b1
lsb-base 9.20170808
apparmor-profiles 2.13.1-3
openrc 0.39-1
initscripts 2.92~beta-2
Dean Hamstead
2019-02-04 13:40:01 UTC
Permalink
I have having the same issue with sysvinit-core
Post by Gert
Post by Axel Beckert
What helped was adding the line
/run/haveged.pid w,
to /etc/apparmor.d/local/usr.sbin.haveged
That works, thank you.
FWIW, I did not have this problem when I used systemd as init.
I just switched to openrc-init, and then I did.
I don't know why that would make a difference.
Buster, i386, /bin/sh -> dash, init=/sbin/openrc-init
haveged 1.9.1-6
init-system-helpers 1.56
initscripts 2.92~beta-2
libc6:i386 2.27-8
libhavege1:i386 1.9.1-6
linux-image-4.18.0-2-686-pae 4.18.10-2+b1
lsb-base 9.20170808
apparmor-profiles 2.13.1-3
openrc 0.39-1
initscripts 2.92~beta-2
Justin Pasher
2019-07-12 22:00:02 UTC
Permalink
The fix below worked for me too. However, this means the error is still
present in the buster version of the haveged package. I think it's a
little more important to get this fixed, as the Buster release notes
explicitly suggest using haveged as a possible means of improving the
RNG entropy on first boot to avoid unnecessary boot delays. Without it,
people will install haveged and either not notice that it fails to
start, wonder why it refuses to start, or wonder why they are still
getting boot delays.

It seems like a pretty trivial patch without any adverse side effects.

Justin Pasher
Post by Axel Beckert
Package: haveged
Version: 1.9.1-6
Severity: important
Tags: patch
Hi,
haveged silently fails to start on one of my machines, seemingly due
to apparmor. From /var/log/syslog after unsucessfully trying to start
Oct 22 15:40:26 someone haveged: haveged starting up
Oct 22 15:40:26 someone kernel: [24678702.682596] audit: type=1400
audit(1540215626.982:65757): apparmor="DENIED" operation="mknod"
profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=7421
comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Post by Axel Beckert
What helped was adding the line
/run/haveged.pid w,
to /etc/apparmor.d/local/usr.sbin.haveged, so you should probably add
that line to /etc/apparmor.d/usr.sbin.haveged.
Cyril Brulebois
2019-07-12 23:50:02 UTC
Permalink
Control: tag -1 patch pending

Hi,
Post by Axel Beckert
haveged silently fails to start on one of my machines, seemingly due
to apparmor. From /var/log/syslog after unsucessfully trying to start
Oct 22 15:40:26 someone haveged: haveged starting up
Oct 22 15:40:26 someone kernel: [24678702.682596] audit: type=1400 audit(1540215626.982:65757): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=7421 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
What helped was adding the line
/run/haveged.pid w,
to /etc/apparmor.d/local/usr.sbin.haveged, so you should probably add
that line to /etc/apparmor.d/usr.sbin.haveged.
Everyone: please deploy -8 (just uploaded) to your buster and/or
unstable systems and report back. I've tested this on a stretch system
that's running with systemd, using the daemon directly, or a hacked up
init script to make sure I was evading the initscript→systemd machinery
through LSB functions; and everything looks good with the patch.

But I'd be very happy to have success reports from sysvinit users before
considering backporting this to buster.


Cheers,
--
Cyril Brulebois (***@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
Justin Pasher
2019-07-15 18:20:01 UTC
Permalink
----- Original Message -----
 Date: Friday, July 12, 2019 06:45:08 PM CDT
 Subject: Re: Bug#911604: haveged start up fails due to apparmor
denying write access to /run/haveged.pid
Everyone: please deploy -8 (just uploaded) to your buster and/or
unstable systems and report back. I've tested this on a stretch system
that's running with systemd, using the daemon directly, or a hacked up
init script to make sure I was evading the initscript→systemd machinery
through LSB functions; and everything looks good with the patch.
But I'd be very happy to have success reports from sysvinit users before
considering backporting this to buster.
Cheers,
Hello,

I use sysvinit. I've installed the 1.9.1-8 version of the package, and
it seems to work properly for me. For reference, I did the following test:

1. Blank out /etc/apparmor.d/local/usr.sbin.haveged to remove my added line
2. /etc/init.d/haveged stop
3. aa-enforce /usr/sbin/haveged
4. /etc/init.d/haveged start  --  It failed to start (as expected)
5. Update to haveged=1.9.1-8
6. Verify haveged has started (the post install scripts take care of
apparmor and starting the process)
7. Verify /etc/apparmor.d/local/usr.sbin.haveged is still blank
8. Reboot and verify haveged still starts up properly

Thanks for the quick turn around!

Justin Pasher
Cyril Brulebois
2019-07-15 21:30:01 UTC
Permalink
Hi Justin,

(I'm adding back others in cc as the Debian BTS doesn't Cc people by
default.)
Post by Cyril Brulebois
But I'd be very happy to have success reports from sysvinit users
before considering backporting this to buster.
I use sysvinit. I've installed the 1.9.1-8 version of the package, and it
1. Blank out /etc/apparmor.d/local/usr.sbin.haveged to remove my added line
2. /etc/init.d/haveged stop
3. aa-enforce /usr/sbin/haveged
4. /etc/init.d/haveged start  --  It failed to start (as expected)
5. Update to haveged=1.9.1-8
6. Verify haveged has started (the post install scripts take care of
apparmor and starting the process)
7. Verify /etc/apparmor.d/local/usr.sbin.haveged is still blank
8. Reboot and verify haveged still starts up properly
Thanks for the quick turn around!
Many thanks for the confirmation.

Meanwhile, I've confirmed with apparmor maintainers that the patch looks
good in theory as well, so having your confirmation that it works on the
practical level too means I'm well equipped to prepare the backport
dance. :)


Cheers,
--
Cyril Brulebois (***@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
Loading...