The officially official Devuan Forum!


#1 2021-02-22 13:34:52

Altoid
Member
Registered: 2017-05-07
Posts: 1,592  

[SOLVED] Heads up: haveged denied starting by apparmor in Beowulf

Hello:

As I do every so often, I was trawling through my dmesg output to see if everything was running kosher and came across a few lines involving apparmor.

groucho@devuan:~$ uname -a
Linux devuan 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
groucho@devuan:~$ 
groucho@devuan:~$ apt list | grep installed | grep apparmor
--- snip ---
apparmor/stable,now 2.13.2-10 amd64 [installed,automatic]
libapparmor1/stable,now 2.13.2-10 amd64 [installed]
groucho@devuan:~$ 
groucho@devuan:~$ sudo dmesg | grep apparmor
[   25.573821] audit: type=1400 audit(1613992734.879:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-senddoc" pid=1413 comm="apparmor_parser"
[   25.602109] audit: type=1400 audit(1613992734.879:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-oopslash" pid=1416 comm="apparmor_parser"
[   25.630152] audit: type=1400 audit(1613992734.879:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=1414 comm="apparmor_parser"
[   25.656608] audit: type=1400 audit(1613992734.879:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_filter" pid=1414 comm="apparmor_parser"
[   25.656609] audit: type=1400 audit(1613992734.879:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_groff" pid=1414 comm="apparmor_parser"
[   25.656611] audit: type=1400 audit(1613992734.879:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/haveged" pid=1419 comm="apparmor_parser"
[   25.656612] audit: type=1400 audit(1613992734.879:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-xpdfimport" pid=1420 comm="apparmor_parser"
[   25.656613] audit: type=1400 audit(1613992734.879:9): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=1417 comm="apparmor_parser"
[   25.656616] audit: type=1400 audit(1613992734.879:10): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=1417 comm="apparmor_parser"
[   25.857783] audit: type=1400 audit(1613992734.879:11): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=1417 comm="apparmor_parser"
[   38.103239] audit: type=1400 audit(1613992747.407:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=2516 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 2040.598275] audit: type=1400 audit(1613994749.903:17): apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice" name="/tmp/.glRDlerP" pid=8590 comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
[ 2040.905923] audit: type=1400 audit(1613994750.211:18): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/groucho/.icons/default/index.theme" pid=8589 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2040.906026] audit: type=1400 audit(1613994750.211:19): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/groucho/.icons/default/index.theme" pid=8589 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2040.906121] audit: type=1400 audit(1613994750.211:20): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/groucho/.icons/default/index.theme" pid=8589 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[ 2040.906212] audit: type=1400 audit(1613994750.211:21): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/groucho/.icons/default/index.theme" pid=8589 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
groucho@devuan:~$ 

The one that caught my eye was this one:

[   38.103239] audit: type=1400 audit(1613992747.407:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=2516 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
groucho@devuan:~$ apt list | grep installed | grep haveged
--- snip ---
haveged/stable,now 1.9.1-7 amd64 [installed]
groucho@devuan:~$ 

I looked it up and found a Debian bug report from late 2018:  https://bugs.debian.org/cgi-bin/bugrepo … bug=911604

Basically, what I understand is happening is that apparmor does not allow haveged to start, failing silently.

From what I can make out of the text in the bug report, it seems that this does not happen if your installation uses systemd, but it does if you use openrc-initsysvinit and probably the rest, apparently generating first-boot delays.

A workaround to the problem was posted by the bug's OP and confirmed to work in a later post.

What helped was adding the line

  /run/haveged.pid w,

to /etc/apparmor.d/local/usr.sbin.haveged, so you should probably add that line to /etc/apparmor.d/usr.sbin.haveged.

This was apparently fixed in haveged 1.9.1-8 but the latest version in http://deb.devuan.org/merged beowulf/main amd64 is 1.9.1-7.

I'll try the fix and report back later.

Edit: the fix works.

Cheers,

A.

Last edited by Altoid (2021-02-22 13:44:13)
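
The post above reads an AppArmor denial out of dmesg and turns it into a profile line. As an added example (not part of the original post and not AppArmor's own tooling), this Python script does the same over audit lines taken from the quoted output; the function names are hypothetical, and the local override file name assumes the Debian path-to-dots convention shown in the post.

```python
import re
from collections import defaultdict

# Three lines taken from the dmesg output quoted in the post.
SAMPLE = '''\
[   25.656611] audit: type=1400 audit(1613992734.879:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/haveged" pid=1419 comm="apparmor_parser"
[   38.103239] audit: type=1400 audit(1613992747.407:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=2516 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 2040.598275] audit: type=1400 audit(1613994749.903:17): apparmor="ALLOWED" operation="file_mmap" profile="libreoffice-soffice" name="/tmp/.glRDlerP" pid=8590 comm="soffice.bin" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log mask letters -> profile rule permissions: create (c) and delete (d)
# are both granted by "w" in profile syntax; other letters map to themselves.
MASK_TO_PERM = {"c": "w", "d": "w"}

def parse(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {k: q if q else b for k, q, b in FIELD.findall(line)}

def summarize(text):
    """Group events: loaded profiles, enforced denials, complain-mode hits."""
    out = {"loaded": set(), "denied": defaultdict(set), "allowed": defaultdict(set)}
    for line in text.splitlines():
        f = parse(line)
        kind = f.get("apparmor")
        if kind == "STATUS" and f.get("operation") == "profile_load":
            out["loaded"].add(f["name"])  # name= is the profile that was loaded
        elif kind in ("DENIED", "ALLOWED"):  # ALLOWED = complain mode, logged only
            mask = f.get("denied_mask", "")
            perms = "".join(sorted({MASK_TO_PERM.get(m, m) for m in mask if m.isalpha()}))
            out[kind.lower()][f["profile"]].add(f'{f["name"]} {perms},')
    return out

def local_override(profile):
    """Local override file for a path-named profile; None for named profiles."""
    if not profile.startswith("/"):
        return None  # e.g. "libreoffice-soffice": file name is not derivable
    return "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")

if __name__ == "__main__":
    for profile, rules in summarize(SAMPLE)["denied"].items():
        print(f"# enforced denial; candidate lines for {local_override(profile)}")
        for rule in sorted(rules):
            print("  " + rule)
```

Any candidate line should be reviewed before it goes into a profile, since a denial can also be the profile correctly blocking unexpected behaviour.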


#2 2021-02-22 13:53:54

dice
Member
Registered: 2020-11-22
Posts: 559  

Re: [SOLVED] Heads up: haveged denied starting by apparmor in Beowulf

Uninstalling apparmor also solves this issue. But I'm being obnoxious, sorry...


#3 2021-02-22 14:52:31

Altoid
Member
Registered: 2017-05-07
Posts: 1,592  

Re: [SOLVED] Heads up: haveged denied starting by apparmor in Beowulf

Hello:

dice wrote:

uninstalling apparmor also solves this issue.

Quite so ...
Something I'm considering as I'm not certain it is of any use to me.

i.e.: everything is apparently unconfined, so what does it actually do? Am I missing some configuration file/s?

groucho@devuan:~$  sudo dmesg | grep apparmor
[   25.423650] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-senddoc" pid=1409 comm="apparmor_parser"
[   25.448662] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-oopslash" pid=1412 comm="apparmor_parser"
[   25.474000] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=1411 comm="apparmor_parser"
[   25.500604] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=1411 comm="apparmor_parser"
[   25.500605] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=1410 comm="apparmor_parser"
[   25.500607] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_filter" pid=1410 comm="apparmor_parser"
[   25.500608] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_groff" pid=1410 comm="apparmor_parser"
[   25.500609] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-soffice" pid=1414 comm="apparmor_parser"
[   25.500611] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-soffice//gpg" pid=1414 comm="apparmor_parser"
[   25.500612] audit: type=1400 --- snip --- apparmor="STATUS" operation="profile_load" profile="unconfined" name="libreoffice-xpdfimport" pid=1416 comm="apparmor_parser"
groucho@devuan:~$ 

dice wrote:

... being obnoxious sorry...

Nah!

It's quite alright, been there/done that.

After all, it is Monday.

Cheers,

A.


#4 2021-04-10 21:04:04

Altoid
Member
Registered: 2017-05-07
Posts: 1,592  

Re: [SOLVED] Heads up: haveged denied starting by apparmor in Beowulf

Hello:

dice wrote:

uninstalling apparmor ...

Indeed.
Got rid of it.
Saw no use for it and people who know more than I do about all this have uninstalled it.

https://dev1galaxy.org/viewtopic.php?pid=28640#p28640

And that was the end of it.

Cheers,

A.


#5 2021-04-11 09:22:11

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  

Re: [SOLVED] Heads up: haveged denied starting by apparmor in Beowulf

Altoid wrote:

everything is apparently unconfined, so what does it actually do? Am I missing some configuration file/s?

The default configuration supplies a mandatory access control framework to confine some but not all programs. This confinement prevents compromised software from altering your system even if it has root privileges. It is actually very useful, which is why it is enabled by default. There are extra profiles available if you want to extend the protection and you can also write your own profiles to specify the exact level of confinement.

See also https://wiki.debian.org/AppArmor/HowToUse & https://debian-handbook.info/browse/sta … armor.html


Brianna Ghey — Rest In Power
