The officially official Devuan Forum!

You are not logged in.

#1 2021-02-22 13:34:52

Altoid
Member
Registered: 2017-05-07
Posts: 1,415  

[SOLVED] Heads up: haveged denied starting by apparmor in Beowulf

Hello:

As I do every so often, I was trawling through my dmesg output to see if everything was running kosher and came across a few lines involving apparmor.

groucho@devuan:~$ uname -a
Linux devuan 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
groucho@devuan:~$ 
groucho@devuan:~$ apt list | grep installed | grep apparmor
--- snip ---
apparmor/stable,now 2.13.2-10 amd64 [installed,automatic]
libapparmor1/stable,now 2.13.2-10 amd64 [installed]
groucho@devuan:~$ 
groucho@devuan:~$ sudo dmesg | grep apparmor
[   25.573821] audit: type=1400 audit(1613992734.879:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-senddoc" pid=1413 comm="apparmor_parser"
[   25.602109] audit: type=1400 audit(1613992734.879:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-oopslash" pid=1416 comm="apparmor_parser"
[   25.630152] audit: type=1400 audit(1613992734.879:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=1414 comm="apparmor_parser"
[   25.656608] audit: type=1400 audit(1613992734.879:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_filter" pid=1414 comm="apparmor_parser"
[   25.656609] audit: type=1400 audit(1613992734.879:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_groff" pid=1414 comm="apparmor_parser"
[   25.656611] audit: type=1400 audit(1613992734.879:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/haveged" pid=1419 comm="apparmor_parser"
[   25.656612] audit: type=1400 audit(1613992734.879:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-xpdfimport" pid=1420 comm="apparmor_parser"
[   25.656613] audit: type=1400 audit(1613992734.879:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=1417 comm="apparmor_parser"
[   25.656616] audit: type=1400 audit(1613992734.879:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=1417 comm="apparmor_parser"
[   25.857783] audit: type=1400 audit(1613992734.879:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=1417 comm="apparmor_parser"
[   38.103239] audit: type=1400 audit(1613992747.407:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=2516 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 2040.598275] audit: type=1400 audit(1613994749.903:17): apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice" name="/tmp/.glRDlerP" pid=8590 comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
[ 2040.905923] audit: type=1400 audit(1613994750.211:18): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/groucho/.icons/default/index.theme" pid=8589 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2040.906026] audit: type=1400 audit(1613994750.211:19): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/groucho/.icons/default/index.theme" pid=8589 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2040.906121] audit: type=1400 audit(1613994750.211:20): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/groucho/.icons/default/index.theme" pid=8589 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2040.906212] audit: type=1400 audit(1613994750.211:21): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/groucho/.icons/default/index.theme" pid=8589 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
groucho@devuan:~$ 

The one that caught my eye was this one:

[   38.103239] audit: type=1400 audit(1613992747.407:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=2516 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
groucho@devuan:~$ apt list | grep installed | grep haveged
--- snip ---
haveged/stable,now 1.9.1-7 amd64 [installed]
groucho@devuan:~$ 

I looked it up and found a Debian bug report from late 2018:  https://bugs.debian.org/cgi-bin/bugrepo … bug=911604

Basically, what I understand is happening is that apparmor does not allow haveged to start, failing silently.

From what I can make out of the text in the bug report, it seems that this does not happen if your installation uses systemd, but it does if you use openrc-initsysvinit and probaby the rest, apparently generating first-boot delays.

A workaround to the problem was posted by the bug's OP and confirmed to work in a later post.

What helped was adding the line

  /run/haveged.pid w,

to /etc/apparmor.d/local/usr.sbin.haveged, so you should probably add that line to /etc/apparmor.d/usr.sbin.haveged.

This was apparently fixed in haveged 1.9.1-8 but the latest version in http://deb.devuan.org/merged beowulf/main amd64 is 1.9.1-7.

I'll try the fix and report back later.

Edit: the fix works.

Cheers,

A.

Last edited by Altoid (2021-02-22 13:44:13)

Offline

#2 2021-02-22 13:53:54

dice
Member
Registered: 2020-11-22
Posts: 559  
Website

Re: [SOLVED] Heads up: haveged denied starting by apparmor in Beowulf

uninstalling apparmor also solves this issue. But im being obnoxious sorry...

Offline

#3 2021-02-22 14:52:31

Altoid
Member
Registered: 2017-05-07
Posts: 1,415  

Re: [SOLVED] Heads up: haveged denied starting by apparmor in Beowulf

Hello:

dice wrote:

uninstalling apparmor also solves this issue.

Quite so ...
Something I'm considering as I'm not certain it is of any use to me.

ie: everything is apparently unconfined, so what does it actually do? Am I missing some configuration file/s?

groucho@devuan:~$  sudo dmesg | grep apparmor
[   25.423650] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-senddoc" pid=1409 comm="apparmor_parser"
[   25.448662] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-oopslash" pid=1412 comm="apparmor_parser"
[   25.474000] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=1411 comm="apparmor_parser"
[   25.500604] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=1411 comm="apparmor_parser"
[   25.500605] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=1410 comm="apparmor_parser"
[   25.500607] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_filter" pid=1410 comm="apparmor_parser"
[   25.500608] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_groff" pid=1410 comm="apparmor_parser"
[   25.500609] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-soffice" pid=1414 comm="apparmor_parser"
[   25.500611] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-soffice//gpg" pid=1414 comm="apparmor_parser"
[   25.500612] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-xpdfimport" pid=1416 comm="apparmor_parser"
groucho@devuan:~$ 
dice wrote:

... being obnoxious sorry...

Nah!

It's quite alright, been there/done that.

After all, it is monday.

Cheers,

A.

Offline

#4 2021-04-10 21:04:04

Altoid
Member
Registered: 2017-05-07
Posts: 1,415  

Re: [SOLVED] Heads up: haveged denied starting by apparmor in Beowulf

Hello:

dice wrote:

uninstalling apparmor ...

Indeed.
Got rid of it.
Saw no use for it and people who know more than i do about all this have uninstalled it.

https://dev1galaxy.org/viewtopic.php?pid=28640#p28640

And that was the end of it.

Cheers,

A.

Offline

#5 2021-04-11 09:22:11

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  
Website

Re: [SOLVED] Heads up: haveged denied starting by apparmor in Beowulf

Altoid wrote:

everything is apparently unconfined, so what does it actually do? Am I missing some configuration file/s?

The default configuration supplies a mandatory access control framework to confine some but not all programs. This confinement prevents compromised software from altering your system even if it has root privileges. It is actually very useful, which is why it is enabled by default. There are extra profiles available if you want to extend the protection and you can also write your own profiles to specify the exact level of confinement.

See also https://wiki.debian.org/AppArmor/HowToUse & https://debian-handbook.info/browse/sta … armor.html


Brianna Ghey — Rest In Power

Offline

Board footer