The officially official Devuan Forum!


#1 2021-02-22 13:34:52

Altoid
Member
Registered: 2017-05-07
Posts: 565  

Heads up: haveged denied starting by apparmor in Beowulf

Hello:

As I do every so often, I was trawling through my dmesg output to see if everything was running kosher and came across a few lines involving apparmor.

groucho@devuan:~$ uname -a
Linux devuan 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
groucho@devuan:~$ 
groucho@devuan:~$ apt list | grep installed | grep apparmor
--- snip ---
apparmor/stable,now 2.13.2-10 amd64 [installed,automatic]
libapparmor1/stable,now 2.13.2-10 amd64 [installed]
groucho@devuan:~$ 
groucho@devuan:~$ sudo dmesg | grep apparmor
[   25.573821] audit: type=1400 audit(1613992734.879:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-senddoc" pid=1413 comm="apparmor_parser"
[   25.602109] audit: type=1400 audit(1613992734.879:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-oopslash" pid=1416 comm="apparmor_parser"
[   25.630152] audit: type=1400 audit(1613992734.879:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=1414 comm="apparmor_parser"
[   25.656608] audit: type=1400 audit(1613992734.879:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_filter" pid=1414 comm="apparmor_parser"
[   25.656609] audit: type=1400 audit(1613992734.879:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_groff" pid=1414 comm="apparmor_parser"
[   25.656611] audit: type=1400 audit(1613992734.879:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/haveged" pid=1419 comm="apparmor_parser"
[   25.656612] audit: type=1400 audit(1613992734.879:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-xpdfimport" pid=1420 comm="apparmor_parser"
[   25.656613] audit: type=1400 audit(1613992734.879:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=1417 comm="apparmor_parser"
[   25.656616] audit: type=1400 audit(1613992734.879:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=1417 comm="apparmor_parser"
[   25.857783] audit: type=1400 audit(1613992734.879:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=1417 comm="apparmor_parser"
[   38.103239] audit: type=1400 audit(1613992747.407:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=2516 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 2040.598275] audit: type=1400 audit(1613994749.903:17): apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice" name="/tmp/.glRDlerP" pid=8590 comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
[ 2040.905923] audit: type=1400 audit(1613994750.211:18): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/groucho/.icons/default/index.theme" pid=8589 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2040.906026] audit: type=1400 audit(1613994750.211:19): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/groucho/.icons/default/index.theme" pid=8589 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2040.906121] audit: type=1400 audit(1613994750.211:20): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/groucho/.icons/default/index.theme" pid=8589 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2040.906212] audit: type=1400 audit(1613994750.211:21): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/groucho/.icons/default/index.theme" pid=8589 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
groucho@devuan:~$ 

The one that caught my eye was this one:

[   38.103239] audit: type=1400 audit(1613992747.407:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=2516 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

groucho@devuan:~$ apt list | grep installed | grep haveged
--- snip ---
haveged/stable,now 1.9.1-7 amd64 [installed]
groucho@devuan:~$ 

I looked it up and found a Debian bug report from late 2018:  https://bugs.debian.org/cgi-bin/bugrepo … bug=911604

Basically, what I understand is happening is that apparmor does not allow haveged to start, failing silently.

From what I can make out of the text in the bug report, it seems that this does not happen if your installation uses systemd, but it does if you use openrc-init, sysvinit and probably the rest, apparently generating first-boot delays.

A workaround to the problem was posted by the bug's OP and confirmed to work in a later post.

What helped was adding the line

  /run/haveged.pid w,

to /etc/apparmor.d/local/usr.sbin.haveged, so you should probably add that line to /etc/apparmor.d/usr.sbin.haveged.

This was apparently fixed in haveged 1.9.1-8 but the latest version in http://deb.devuan.org/merged beowulf/main amd64 is 1.9.1-7.

I'll try the fix and report back later.

Edit: the fix works.

Cheers,

A.

Last edited by Altoid (2021-02-22 13:44:13)


#2 2021-02-22 13:53:54

dice
Member
Registered: 2020-11-22
Posts: 222  

Re: Heads up: haveged denied starting by apparmor in Beowulf

Uninstalling apparmor also solves this issue. But I'm being obnoxious, sorry...


“That which is below is like that which is above, and that which is above is like that which is below, to perform the miracles of one only thing.”

-Hermes Trismegistos


#3 2021-02-22 14:52:31

Altoid
Member
Registered: 2017-05-07
Posts: 565  

Re: Heads up: haveged denied starting by apparmor in Beowulf

Hello:

dice wrote:

uninstalling apparmor also solves this issue.

Quite so ...
Something I'm considering as I'm not certain it is of any use to me.

i.e.: everything is apparently unconfined, so what does it actually do? Am I missing some configuration file/s?

groucho@devuan:~$  sudo dmesg | grep apparmor
[   25.423650] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-senddoc" pid=1409 comm="apparmor_parser"
[   25.448662] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-oopslash" pid=1412 comm="apparmor_parser"
[   25.474000] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=1411 comm="apparmor_parser"
[   25.500604] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=1411 comm="apparmor_parser"
[   25.500605] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=1410 comm="apparmor_parser"
[   25.500607] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_filter" pid=1410 comm="apparmor_parser"
[   25.500608] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_groff" pid=1410 comm="apparmor_parser"
[   25.500609] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-soffice" pid=1414 comm="apparmor_parser"
[   25.500611] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-soffice//gpg" pid=1414 comm="apparmor_parser"
[   25.500612] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-xpdfimport" pid=1416 comm="apparmor_parser"
groucho@devuan:~$

dice wrote:

... being obnoxious sorry...

Nah!

It's quite alright, been there/done that.

After all, it is Monday.

Cheers,

A.
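
Added example (not part of any post in this thread, and not code from AppArmor, Debian or Devuan): a small Python triage of AppArmor audit lines from `dmesg`, covering both the DENIED haveged event in post #1 and the `profile="unconfined"` STATUS lines asked about in post #3. The function names and the `local/` file-naming rule are assumptions of this example; the three sample lines are copied from the output quoted in post #1.

```python
import re
from collections import defaultdict

# Sample input: three lines copied from the dmesg output quoted in post #1.
SAMPLE = '''\
[   25.656611] audit: type=1400 audit(1613992734.879:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/haveged" pid=1419 comm="apparmor_parser"
[   38.103239] audit: type=1400 audit(1613992747.407:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=2516 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 2040.598275] audit: type=1400 audit(1613994749.903:17): apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice" name="/tmp/.glRDlerP" pid=8590 comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks are finer-grained than profile rules: create (c) and delete (d) are both granted by w.
LOG_TO_RULE = {"c": "w", "d": "w"}

def parse(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {k: (q if q else bare) for k, q, bare in FIELD.findall(line)}

def triage(text):
    """Split events into loaded profiles, enforce-mode denials and complain-mode hits."""
    report = {"loaded": set(), "enforced_denials": defaultdict(set), "complain_only": defaultdict(set)}
    for line in text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        kind = ev.get("apparmor")
        if kind == "STATUS" and ev.get("operation") == "profile_load":
            # profile= is the confinement of the process doing the load (apparmor_parser,
            # which runs unconfined); name= is the profile that was loaded.
            report["loaded"].add(ev.get("name", "?"))
        elif kind in ("DENIED", "ALLOWED") and "name" in ev and "denied_mask" in ev:
            # File events only; the result is a candidate rule to review, not to paste blindly.
            perms = "".join(sorted({LOG_TO_RULE.get(c, c) for c in ev["denied_mask"]}))
            bucket = "enforced_denials" if kind == "DENIED" else "complain_only"
            report[bucket][ev["profile"]].add(f'{ev["name"]} {perms},')
    return report

def local_override_path(profile):
    """Assumption: path-named profile maps to local/ file as in the thread's usr.sbin.haveged."""
    return "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")

if __name__ == "__main__":
    r = triage(SAMPLE)
    for prof, rules in r["enforced_denials"].items():
        print(local_override_path(prof))
        for rule in sorted(rules):
            print("  " + rule)
```

DENIED entries come from profiles in enforce mode, while ALLOWED entries are logged by profiles in complain mode, so only the first bucket reflects operations that were actually blocked.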
