Haveged with AppArmor issue on Upstart
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
haveged (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
If you install upstart-sysv the service haveged won't start anymore because the apparmor profile is missing a rule for the PID file.
Aug 4 16:16:24 containertest1 kernel: [ 160.141325] audit: type=1400 audit(150185618
This problem can be fixed by adding a line to the apparmor profile /etc/apparmor.
/run/haveged.pid rw,
Full version of profile:
-------
# Last Modified: Fri Aug 21 15:23:17 2015
#include <tunables/global>
/usr/sbin/haveged {
#include <abstractions/base>
# Required for ioctl RNDADDENTROPY
capability sys_admin,
owner @{PROC}
@{PROC}
@{PROC}
@{PROC}
/dev/random w,
/sys/
/sys/
/sys/
/usr/sbin/haveged mr,
/run/haveged.pid rw,
#include <local/
}
-------
You can reload the profile with a reboot or apparmor_parser -r /etc/apparmor.
I verified that my 16.04 system has upstart-sysv installed and that /var/log/syslog contains
haveged: haveged starting up
kernel: [43612.894002] audit: type=1400 audit(1544731842.319:38): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=15508 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
so it looks like this hit me. I'm running ubuntu 16.04 with haveged 1.9.1-3.
Looking at ubuntu 18.04's haveged 1.9.1-6, I see it has a fix for a similar problem, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824179
Applying that as a workaround by editing /lib/systemd/system/haveged.service like so:
-After=systemd-random-seed.service
+After=apparmor.service systemd-random-seed.service
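Review bot: the changed After= line is made by editing the packaged unit under /lib/systemd/ in place, so a package upgrade can replace the file and silently drop the apparmor.service ordering. Carry the extra After= entry in a drop-in under /etc/systemd/system/ instead (systemctl edit haveged creates one), and keep in mind that After= only orders the two units; it does not pull apparmor.service in or fail haveged if the profile did not load.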
seems to work.
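
The denial quoted in this report names the profile, the path and the denied mask, which is enough to derive the missing rule. The following Python sketch is an added example, not part of the original report or of AppArmor's own tooling; the log lines are constructed and the function names are hypothetical.

```python
import re

# key=value pairs as they appear in kernel audit records; values may be quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Audit mask letter -> profile permission letter. Create (c) and delete (d)
# are both covered by "w" in profile syntax. Exec (x) is left out on purpose:
# it needs a transition qualifier that has to be chosen by hand.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "m": "m", "k": "k", "l": "l"}

# Constructed sample: the mknod denial has the shape quoted in this report;
# host name, timestamps, pids and the other records are made up.
SAMPLE_LOG = """\
Aug  4 16:16:24 host1 haveged: haveged starting up
Aug  4 16:16:24 host1 kernel: [  100.000001] audit: type=1400 audit(1500000000.001:10): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=1234 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Aug  4 16:16:25 host1 kernel: [  100.000002] audit: type=1400 audit(1500000000.002:11): apparmor="DENIED" operation="open" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=1234 comm="haveged" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug  4 16:16:26 host1 kernel: [  100.000003] audit: type=1400 audit(1500000000.003:12): apparmor="ALLOWED" operation="open" profile="/usr/sbin/example" name="/etc/hosts" pid=1235 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

def parse_denials(log_text):
    """Yield the key=value fields of each AppArmor DENIED audit record."""
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' in line:
            yield {key: quoted or raw for key, quoted, raw in KV.findall(line)}

def suggest_rules(log_text):
    """Return {profile: {path: set(perms)}} merged over all file denials."""
    rules = {}
    for rec in parse_denials(log_text):
        if "name" not in rec or "profile" not in rec:
            continue  # capability or network denials carry no path
        perms = {MASK_TO_PERM[c] for c in rec.get("denied_mask", "")
                 if c in MASK_TO_PERM}
        if perms:
            rules.setdefault(rec["profile"], {}).setdefault(rec["name"], set()).update(perms)
    return rules

def render(rules):
    """Format merged permissions as candidate profile rule lines."""
    out = []
    for profile, paths in sorted(rules.items()):
        for path, perms in sorted(paths.items()):
            if "w" in perms:
                perms = perms - {"a"}  # "w" and "a" cannot share a rule
            out.append(f"{profile}: {path} {''.join(p for p in 'rwamkl' if p in perms)},")
    return out

if __name__ == "__main__":
    print("\n".join(render(suggest_rules(SAMPLE_LOG))))
```

Records logged as ALLOWED (complain mode) are skipped here, and each suggested rule should be reviewed before it goes into the profile.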