Devuan bug report logs - #316
Package 'haveged' wont start on Devuan Beowulf due to broken PID file specification

Package: haveged; Reported by: Mike Tubby <mike@tubby.org>; dated Fri, 12 Apr 2019 21:48:01 UTC; Maintainer for haveged is (unknown).


Message received at submit@bugs.devuan.org:


Received: (at submit) by bugs.devuan.org; 12 Apr 2019 21:40:07 +0000
To: submit@bugs.devuan.org
From: Mike Tubby <mike@tubby.org>
Subject: Package 'haveged' wont start on Devuan Beowulf due to broken PID file
Date: Fri, 12 Apr 2019 22:37:29 +0100

This is a multi-part message in MIME format.
--------------759921CCF242D01BAEF80700
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Package: haveged
Version: 1.9.1-6

Dell R210-II servers upgraded to Beowulf on 12th April 2019, now package 
'haveged' (entropy daemon) fails to start:
     a) at boot
     b) via 'service haveged start'
     c) from the command line, if the PID file is specified

All attempts at running haveged result in an apparmor/audit as follows:

Apr 12 21:54:41 ns0 kernel: [ 4684.518633] audit: type=1400 
audit(1555102481.459:19): apparmor="DENIED" operation="mknod" 
profile="/usr/sbin/haveged" *name="/run/haveged.pid"* pid=9474 
comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

With apparmor suggesting that haveged is being refused permission for 
haveged to make a node, for the pid file


Stopping apparmor with 'aa-teardown' allows haveged to start as expected:

root@ns0:/etc/apparmor.d/local# aa-teardown
Unloading AppArmor profiles
root@ns0:/etc/apparmor.d/local# service haveged restart
[ ok ] Restarting entropy daemon: haveged.
root@ns0:/etc/apparmor.d/local# ps ax | grep haveged
  9741 ?        Ss     0:00 /usr/sbin/haveged -w 1024
  9761 pts/0    S+     0:00 grep haveged
root@ns0:/etc/apparmor.d/local#

Haveged is documented as using the path /var/run/haveged.pid by default 
and not /run/haveged.pid.  Checking the binary with 'strings' confirms this:

root@ns0:/etc/apparmor.d/local# strings /usr/sbin/haveged | grep pid
getpid
pidfile
/var/run/haveged.pid
daemon pidfile, default: /var/run/haveged.pid
root@ns0:/etc/apparmor.d/local#


Adding an entry to /etc/apparmor.d/local/usr.sbin.haveged as follows:

root@ns0:/etc/apparmor.d/local# cat usr.sbin.haveged
# Site-specific additions and overrides for usr.sbin.haveged.
# For more details, please see /etc/apparmor.d/local/README.

/var/run/haveged.pid rw,
/run/haveged.pid rw,

Allows haveged to work as expected.


Clearly something with haveged and/or apparmor is broken here...


Mike



--------------759921CCF242D01BAEF80700
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Package: haveged<br>
    Version: 1.9.1-6<br>
    <br>
    Dell R210-II servers upgraded to Beowulf on 12th April 2019, now
    package 'haveged' (entropy daemon) fails to start:<br>
        a) at boot<br>
        b) via 'service haveged start'<br>
        c) from the command line, if the PID file is specified<br>
    <br>
    <p>All attempts at running haveged result in an apparmor/audit as
      follows:</p>
    <p><tt>Apr 12 21:54:41 ns0 kernel: [ 4684.518633] audit: type=1400
        audit(1555102481.459:19): apparmor="DENIED" operation="mknod"
        profile="/usr/sbin/haveged" <b><font color="#ff0000">name="/run/haveged.pid"</font></b>
        pid=9474 comm="haveged" requested_mask="c" denied_mask="c"
        fsuid=0 ouid=0</tt><br>
      <br>
    </p>
    <p>With apparmor suggesting that haveged is being refused permission
      for haveged to make a node, for the pid file<br>
    </p>
    <p><br>
    </p>
    <p>Stopping apparmor with 'aa-teardown' allows haveged to start as
      expected:</p>
    <p><tt><a class="moz-txt-link-abbreviated" href="mailto:root@ns0:/etc/apparmor.d/local#">root@ns0:/etc/apparmor.d/local#</a> aa-teardown</tt><tt><br>
      </tt><tt>Unloading AppArmor profiles</tt><tt><br>
      </tt><tt><a class="moz-txt-link-abbreviated" href="mailto:root@ns0:/etc/apparmor.d/local#">root@ns0:/etc/apparmor.d/local#</a> service haveged restart</tt><tt><br>
      </tt><tt>[ ok ] Restarting entropy daemon: haveged.</tt><tt><br>
      </tt><tt><a class="moz-txt-link-abbreviated" href="mailto:root@ns0:/etc/apparmor.d/local#">root@ns0:/etc/apparmor.d/local#</a> ps ax | grep haveged</tt><tt><br>
      </tt><tt> 9741 ?        Ss     0:00 /usr/sbin/haveged -w 1024</tt><tt><br>
      </tt><tt> 9761 pts/0    S+     0:00 grep haveged</tt><tt><br>
      </tt><tt><a class="moz-txt-link-abbreviated" href="mailto:root@ns0:/etc/apparmor.d/local#">root@ns0:/etc/apparmor.d/local#</a></tt><br>
      <br>
    </p>
    <p>Haveged is documented as using the path /var/run/haveged.pid by
      default and not /run/haveged.pid.  Checking the binary with
      'strings' confirms this:<br>
    </p>
    <p><tt><a class="moz-txt-link-abbreviated" href="mailto:root@ns0:/etc/apparmor.d/local#">root@ns0:/etc/apparmor.d/local#</a> strings /usr/sbin/haveged |
        grep pid</tt><tt><br>
      </tt><tt>getpid</tt><tt><br>
      </tt><tt>pidfile</tt><tt><br>
      </tt><tt>/var/run/haveged.pid</tt><tt><br>
      </tt><tt>daemon pidfile, default: /var/run/haveged.pid</tt><tt><br>
      </tt><tt><a class="moz-txt-link-abbreviated" href="mailto:root@ns0:/etc/apparmor.d/local#">root@ns0:/etc/apparmor.d/local#</a></tt><br>
    </p>
    <p><br>
    </p>
    <p>Adding an entry to /etc/apparmor.d/local/usr.sbin.haveged as
      follows:</p>
    <p><tt><a class="moz-txt-link-abbreviated" href="mailto:root@ns0:/etc/apparmor.d/local#">root@ns0:/etc/apparmor.d/local#</a> cat usr.sbin.haveged</tt><tt><br>
      </tt><tt># Site-specific additions and overrides for
        usr.sbin.haveged.</tt><tt><br>
      </tt><tt># For more details, please see
        /etc/apparmor.d/local/README.</tt><tt><br>
      </tt><tt><br>
      </tt><tt>/var/run/haveged.pid rw,</tt><tt><br>
      </tt><tt>/run/haveged.pid rw,</tt><br>
      <br>
    </p>
    <p>Allows haveged to work as expected.</p>
    <p><br>
    </p>
    <p>Clearly something with haveged and/or apparmor is broken here...</p>
    <p><br>
    </p>
    <p>Mike</p>
    <p><br>
    </p>
  </body>
</html>

--------------759921CCF242D01BAEF80700--


Acknowledgement sent to Mike Tubby <mike@tubby.org>:
New bug report received and forwarded. Copy sent to owner@bugs.devuan.org. Full text available.


Report forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#316; Package haveged. Full text available.


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Tue, 18 Jun 2019 06:39:01 UTC