subject:"Bug#911604\\\\\\\: haveged start up fails due to apparmor denying write access to \\\\\\\/run\\\\\\\/haveged.pid"

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

2019-07-15 Thread Cyril Brulebois

Hi Justin,

(I'm adding back others in cc as the Debian BTS doesn't Cc people by
default.)

Justin Pasher  (2019-07-15):
> > From: Cyril Brulebois 
> >
> > But I'd be very happy to have success reports from sysvinit users
> > before considering backporting this to buster.
> 
> I use sysvinit. I've installed the 1.9.1-8 version of the package, and it
> seems to work properly for me. For reference, I did the following test:
> 
> 1. Blank out /etc/apparmor.d/local/usr.sbin.haveged to remove my added line
> 2. /etc/init.d/haveged stop
> 3. aa-enforce /usr/sbin/haveged
> 4. /etc/init.d/haveged start  --  It failed to start (as expected)
> 5. Update to haveged=1.9.1-8
> 6. Verify haveged has started (the post install scripts take care of
> apparmor and starting the process)
> 7. Verify /etc/apparmor.d/local/usr.sbin.haveged is still blank
> 8. Reboot and verify haveged still starts up properly
> 
> Thanks for the quick turn around!

Many thanks for the confirmation.

Meanwhile, I've confirmed with apparmor maintainers that the patch looks
good in theory as well, so having your confirmation that it works on the
practical level too means I'm well equipped to prepare the backport
dance. :)


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

2019-07-15 Thread Justin Pasher


- Original Message -
> From: Cyril Brulebois 
> Date: Friday, July 12, 2019 06:45:08 PM CDT
> Subject: Re: Bug#911604: haveged start up fails due to apparmor 
denying write access to /run/haveged.pid

> To: Axel Beckert , 911604 <911...@bugs.debian.org>
> CC: Gert , Dean Hamstead , Justin 
Pasher 

>

Everyone: please deploy -8 (just uploaded) to your buster and/or
unstable systems and report back. I've tested this on a stretch system
that's running with systemd, using the daemon directly, or a hacked up
init script to make sure I was evading the initscript→systemd machinery
through LSB functions; and everything looks good with the patch.

But I'd be very happy to have success reports from sysvinit users before
considering backporting this to buster.


Cheers,



Hello,

I use sysvinit. I've installed the 1.9.1-8 version of the package, and 
it seems to work properly for me. For reference, I did the following test:


1. Blank out /etc/apparmor.d/local/usr.sbin.haveged to remove my added line
2. /etc/init.d/haveged stop
3. aa-enforce /usr/sbin/haveged
4. /etc/init.d/haveged start  --  It failed to start (as expected)
5. Update to haveged=1.9.1-8
6. Verify haveged has started (the post install scripts take care of 
apparmor and starting the process)

7. Verify /etc/apparmor.d/local/usr.sbin.haveged is still blank
8. Reboot and verify haveged still starts up properly

Thanks for the quick turn around!

Justin Pasher

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

2019-07-12 Thread Cyril Brulebois

Control: tag -1 patch pending

Hi,

Axel Beckert  (2018-10-22):
> haveged silently fails to start on one of my machines, seemingly due
> to apparmor. From /var/log/syslog after unsucessfully trying to start
> haveged:
> 
> Oct 22 15:40:26 someone haveged: haveged starting up
> Oct 22 15:40:26 someone kernel: [24678702.682596] audit: type=1400 
> audit(1540215626.982:65757): apparmor="DENIED" operation="mknod" 
> profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=7421 comm="haveged" 
> requested_mask="c" denied_mask="c" fsuid=0 ouid=0
> 
> What helped was adding the line
> 
>   /run/haveged.pid w,
> 
> to /etc/apparmor.d/local/usr.sbin.haveged, so you should probably add
> that line to /etc/apparmor.d/usr.sbin.haveged.

Everyone: please deploy -8 (just uploaded) to your buster and/or
unstable systems and report back. I've tested this on a stretch system
that's running with systemd, using the daemon directly, or a hacked up
init script to make sure I was evading the initscript→systemd machinery
through LSB functions; and everything looks good with the patch.

But I'd be very happy to have success reports from sysvinit users before
considering backporting this to buster.


Cheers,
-- 
Cyril Brulebois (k...@debian.org)
D-I release manager -- Release team member -- Freelance Consultant


signature.asc
Description: PGP signature

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

2019-07-12 Thread Justin Pasher

The fix below worked for me too. However, this means the error is still 
present in the buster version of the haveged package. I think it's a 
little more important to get this fixed, as the Buster release notes 
explicitly suggest using haveged as a possible means of improving the 
RNG entropy on first boot to avoid unnecessary boot delays. Without it, 
people will install haveged and either not notice that it fails to 
start, wonder why it refuses to start, or wonder why they are still 
getting boot delays.

It seems like a pretty trivial patch without any adverse side effects.

Justin Pasher

On Mon, 22 Oct 2018 16:01:51 +0200 Axel Beckert  wrote:
> Package: haveged
> Version: 1.9.1-6
> Severity: important
> Tags: patch
>
> Hi,
>
> haveged silently fails to start on one of my machines, seemingly due
> to apparmor. From /var/log/syslog after unsucessfully trying to start
> haveged:
>
> Oct 22 15:40:26 someone haveged: haveged starting up
> Oct 22 15:40:26 someone kernel: [24678702.682596] audit: type=1400 
audit(1540215626.982:65757): apparmor="DENIED" operation="mknod" 
profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=7421 
comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

>
> What helped was adding the line
>
> /run/haveged.pid w,
>
> to /etc/apparmor.d/local/usr.sbin.haveged, so you should probably add
> that line to /etc/apparmor.d/usr.sbin.haveged.

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

2019-02-04 Thread Dean Hamstead


I have having the same issue with sysvinit-core

On Sat, 1 Dec 2018 23:56:10 +0100 Gert  wrote:

> > What helped was adding the line
> > /run/haveged.pid w,
> > to /etc/apparmor.d/local/usr.sbin.haveged
>
> That works, thank you.
> FWIW, I did not have this problem when I used systemd as init.
> I just switched to openrc-init, and then I did.
> I don't know why that would make a difference.
>
> Buster, i386, /bin/sh -> dash, init=/sbin/openrc-init
> haveged 1.9.1-6
> init-system-helpers 1.56
> initscripts 2.92~beta-2
> libc6:i386 2.27-8
> libhavege1:i386 1.9.1-6
> linux-image-4.18.0-2-686-pae 4.18.10-2+b1
> lsb-base 9.20170808
> apparmor-profiles 2.13.1-3
> openrc 0.39-1
> initscripts 2.92~beta-2
>
>

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

2018-12-01 Thread Gert


What helped was adding the line
  /run/haveged.pid w,
to /etc/apparmor.d/local/usr.sbin.haveged


That works, thank you.
FWIW, I did not have this problem when I used systemd as init.
I just switched to openrc-init, and then I did.
I don't know why that would make a difference.

Buster, i386, /bin/sh -> dash, init=/sbin/openrc-init
haveged 1.9.1-6
init-system-helpers 1.56
initscripts 2.92~beta-2
libc6:i386  2.27-8
libhavege1:i386 1.9.1-6
linux-image-4.18.0-2-686-pae4.18.10-2+b1
lsb-base9.20170808
apparmor-profiles   2.13.1-3
openrc  0.39-1
initscripts 2.92~beta-2

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

2018-10-22 Thread Axel Beckert

Package: haveged
Version: 1.9.1-6
Severity: important
Tags: patch

Hi,

haveged silently fails to start on one of my machines, seemingly due
to apparmor. From /var/log/syslog after unsucessfully trying to start
haveged:

Oct 22 15:40:26 someone haveged: haveged starting up
Oct 22 15:40:26 someone kernel: [24678702.682596] audit: type=1400 
audit(1540215626.982:65757): apparmor="DENIED" operation="mknod" 
profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=7421 comm="haveged" 
requested_mask="c" denied_mask="c" fsuid=0 ouid=0

What helped was adding the line

  /run/haveged.pid w,

to /etc/apparmor.d/local/usr.sbin.haveged, so you should probably add
that line to /etc/apparmor.d/usr.sbin.haveged.

-- System Information:
Debian Release: buster/sid
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing'), (300, 'unstable'), 
(299, 'unstable-debug'), (210, 'experimental'), (209, 'experimental-debug'), 
(110, 'buildd-unstable'), (105, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages haveged depends on:
ii  init-system-helpers  1.54
ii  libc62.27-6
ii  libhavege1   1.9.1-6
ii  lsb-base 9.20170808

haveged recommends no packages.

Versions of packages haveged suggests:
ii  apparmor  2.13-8

-- no debconf information

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

Bug#911604: haveged start up fails due to apparmor denying write access to /run/haveged.pid

7 matches

Site Navigation

Mail list logo

Footer information