Haveged with AppArmor issue on Upstart

Bug #1708674 reported by Automatic Server AG
This bug affects 2 people
Affects: haveged (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

If you install upstart-sysv, the haveged service won't start anymore because the AppArmor profile is missing a rule for the PID file.

Aug 4 16:16:24 containertest1 kernel: [ 160.141325] audit: type=1400 audit(1501856184.508:120): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=7628 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

This problem can be fixed by adding a line to the AppArmor profile /etc/apparmor.d/usr.sbin.haveged:

/run/haveged.pid rw,

Full version of profile:

----------------------------------------

# Last Modified: Fri Aug 21 15:23:17 2015
#include <tunables/global>

/usr/sbin/haveged {
  #include <abstractions/base>

  # Required for ioctl RNDADDENTROPY
  capability sys_admin,

  owner @{PROC}/@{pid}/status r,

  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/sys/kernel/random/poolsize r,
  @{PROC}/sys/kernel/random/write_wakeup_threshold w,
  /dev/random w,

  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/cpu*/cache/ r,
  /sys/devices/system/cpu/cpu*/cache/index*/{type,size,level} r,
  /usr/sbin/haveged mr,

  /run/haveged.pid rw,

  #include <local/usr.sbin.haveged>
}

--------------------------------------------

You can reload the profile with a reboot or apparmor_parser -r /etc/apparmor.d/usr.sbin.haveged
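As an added example (not part of the bug report or the haveged package): a small Python triage helper that parses apparmor="DENIED" audit records like the one above, maps the denied_mask to profile permission letters, checks whether the profile's existing file rules already cover the path, and returns the minimal rule still needed. The sample log and the pre-fix profile are constructed from the report; note that the helper proposes `w,` (creating a file needs write permission) where the reporter chose the broader `rw,`.

```python
import re
# Constructed sample input: the AppArmor denial quoted in the bug report plus a normal startup line.
SAMPLE_LOG = """\
Aug 4 16:16:24 containertest1 kernel: [  160.141325] audit: type=1400 audit(1501856184.508:120): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=7628 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Aug 4 16:16:24 containertest1 haveged: haveged starting up
"""
# Constructed: file rules of the shipped profile before the fix (no /run/haveged.pid rule yet).
OLD_PROFILE = """\
/usr/sbin/haveged {
  @{PROC}/sys/kernel/random/poolsize r,
  /sys/devices/system/cpu/cpu*/cache/index*/{type,size,level} r,
  /usr/sbin/haveged mr,
}
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Profile file rules have no "c"/"a"/"d" letters: creating, appending or deleting needs "w".
MASK_TO_PERM = {"c": "w", "a": "w", "d": "w"}

def parse_denials(log_text):
    """One dict of key=value fields per apparmor="DENIED" audit record."""
    return [{k: v.strip('"') for k, v in KV_RE.findall(line)}
            for line in log_text.splitlines() if 'apparmor="DENIED"' in line]

def rule_perms(denied_mask):
    """Permission letters a profile rule must grant to clear this denied_mask."""
    return "".join(sorted({MASK_TO_PERM.get(c, c) for c in denied_mask}))

def glob_to_regex(path_glob):
    # Handles the globs this profile uses: ** spans directories, * does not, {a,b} alternates.
    # @{VAR} variables are left unexpanded and so never match (conservative: rule not counted).
    pat = re.escape(path_glob).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    pat = re.sub(r"\\\{([^}]*)\\\}", lambda m: "(" + m.group(1).replace(",", "|") + ")", pat)
    return re.compile("^" + pat + "$")

def profile_covers(profile_text, path, perms):
    """True if a file rule in the profile matches `path` and grants every letter in `perms`."""
    for line in profile_text.splitlines():
        m = re.match(r"\s*(?:owner\s+)?(/\S+|@\{\S+)\s+([a-z]+),\s*$", line)
        if m and glob_to_regex(m.group(1)).match(path) and set(perms) <= set(m.group(2)):
            return True
    return False

def missing_rules(log_text, profile_text):
    """Suggest 'path perms,' rules for file denials the profile does not already cover."""
    suggestions = set()
    for ev in parse_denials(log_text):
        if ev.get("name", "").startswith("/"):  # file denials only, not capability/signal ones
            perms = rule_perms(ev["denied_mask"])
            if not profile_covers(profile_text, ev["name"], perms):
                suggestions.add(f'{ev["name"]} {perms},')
    return sorted(suggestions)  # for SAMPLE_LOG + OLD_PROFILE: ['/run/haveged.pid w,']
```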

Dan Kegel (dank) wrote :

I verified that my 16.04 system has upstart-sysv installed and that /var/log/syslog contains

 haveged: haveged starting up
 kernel: [43612.894002] audit: type=1400 audit(1544731842.319:38): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=15508 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

so it looks like this hit me. I'm running Ubuntu 16.04 with haveged 1.9.1-3.

Looking at Ubuntu 18.04's haveged 1.9.1-6, I see it has a fix for a similar problem, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824179
Applying that as a workaround by editing /lib/systemd/system/haveged.service like so:
-After=systemd-random-seed.service
+After=apparmor.service systemd-random-seed.service
seems to work.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in haveged (Ubuntu):
status: New → Confirmed
Dan Kegel (dank) wrote :

Correction:
1) futzing with /lib/systemd/system/haveged.service doesn't help
2) strace -f shows that haveged is indeed failing because it can't write to /var/run
3) adding the line suggested in the original post to /etc/apparmor.d/usr.sbin.haveged works

I failed to try the single-line usr.sbin.haveged workaround originally because it looked scary, but on a second read it's very clear and easy. Applied it to all my ubu1604 boxes and rebooted, all are running haveged now.
