Accepting request 928677 from security

- revert last change, e.g. for VMs where we are not being fed entropy
  from the host or similar setups.
--------------------------------------------------------------------

OBS-URL: https://build.opensuse.org/request/show/928677
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/haveged?expand=0&rev=59

90-haveged.rules

@@ -0,0 +1,2 @@
+ACTION=="add", KERNEL=="random" , SUBSYSTEM=="mem", TAG+="systemd", ENV{SYSTEMD_WANTS}+="haveged.service"
+

haveged-dracut.module

@@ -0,0 +1,25 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# called by dracut
+depends() {
+    return 0
+}
+
+installkernel() {
+    return 0
+}
+
+# called by dracut
+install() {
+    inst_multiple -o \
+        /usr/sbin/haveged \
+        $systemdsystemunitdir/haveged.service \
+        $systemdsystemunitdir/haveged-switch-root.service
+    mkdir -p "$initdir/$systemdsystemunitdir/sysinit.target.wants"
+    mkdir -p "$initdir/$systemdsystemunitdir/initrd-switch-root.target.wants"
+    mkdir -p "$initdir/$systemdsystemunitdir/systemd-journald.service.wants"
+    ln_r "$systemdsystemunitdir/haveged.service" "$systemdsystemunitdir/systemd-journald.service.wants/haveged.service"
+    ln_r "$systemdsystemunitdir/haveged-switch-root.service" "$systemdsystemunitdir/initrd-switch-root.target.wants/haveged-switch-root.service"
+}

haveged-switch-root.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Tell haveged about new root
+DefaultDependencies=no
+ConditionPathExists=/etc/initrd-release
+Before=initrd-switch-root.service
+JoinsNamespaceOf=haveged.service
+
+[Service]
+ExecStart=-/usr/sbin/haveged -c root=/sysroot
+PrivateNetwork=yes
+Type=oneshot
+StandardInput=null
+StandardOutput=null
+StandardError=null
+
+[Install]
+WantedBy=initrd-switch-root.target

haveged.changes

@@ -1,4 +1,10 @@
 -------------------------------------------------------------------
+Tue Nov  2 08:18:49 UTC 2021 - Marcus Meissner <meissner@suse.com>
+
+- revert last change, e.g. for VMs where we are not being fed entropy
+  from the host or similar setups.
+
+--------------------------------------------------------------------
 Mon Oct 11 13:26:52 UTC 2021 - Cristian Rodríguez <crrodriguez@opensuse.org>
 
 - Improvements on the linux kernel random subsystem have made 

haveged.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=Entropy Daemon based on the HAVEGE algorithm
+Documentation=man:haveged(8) http://www.issihosts.com/haveged/
+DefaultDependencies=no
+ConditionVirtualization=!container
+#Conflicts=shutdown.target
+# Don't wait for systemd-random-seed.service, leads to deadlock with fips=1
+#After=systemd-random-seed.service
+Before=sysinit.target shutdown.target systemd-journald.service
+
+[Service]
+ExecStart=/usr/sbin/haveged -w 1024 -v 0 -F
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SYS_CHROOT
+PrivateNetwork=yes
+Restart=always
+SuccessExitStatus=137 143
+
+[Install]
+WantedBy=sysinit.target

haveged.spec

@@ -25,6 +25,10 @@ License:        GPL-3.0-only
 Group:          System/Daemons
 URL:            https://github.com/jirka-h/haveged
 Source0:        https://github.com/jirka-h/haveged/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source2:        %{name}.service
+Source3:        90-haveged.rules
+Source4:        haveged-dracut.module
+Source5:        %{name}-switch-root.service
 Patch0:         ppc64le.patch
 # PATCH-FIX-UPSTREAM: don't write to syslog at startup to avoid deadlocks psimons@suse.com bnc#959237
 Patch2:         haveged-no-syslog.patch
@@ -35,7 +39,14 @@ BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(systemd)
 BuildRequires:  pkgconfig(udev)
 Requires(post): coreutils
-Requires(postun):coreutils
+Requires(postun): coreutils
+Enhances:       apache2
+Enhances:       gpg2
+Enhances:       openssl
+Enhances:       openvpn
+Enhances:       php5
+Enhances:       smtp_daemon
+Enhances:       systemd
 %{?systemd_requires}
 
 %description
@@ -76,6 +87,7 @@ export LDFLAGS="-Wl,-z,relro,-z,now -pie"
     --disable-static \
     --disable-enttest \
     --enable-nistest \
+    --enable-daemon \
     --enable-clock_gettime
 make %{?_smp_mflags}
 
@@ -91,15 +103,54 @@ make %{?_smp_mflags} check
 
 %install
 %make_install
+install -Dpm 0644 %{SOURCE2} \
+  %{buildroot}%{_unitdir}/%{name}.service
+install -Dpm 0644 %{SOURCE3} \
+  %{buildroot}%{_udevrulesdir}/90-%{name}.rules
+install -Dpm 0644 %{SOURCE5} \
+  %{buildroot}%{_unitdir}/%{name}-switch-root.service
+install -Dpm 0755 %{SOURCE4} \
+  %{buildroot}%{_prefix}/lib/dracut/modules.d/98%{name}/module-setup.sh
 rm -f %{buildroot}%{_libdir}/libhavege.*a
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rc%{name}
+
+%post
+%{?udev_rules_update:%udev_rules_update}
+%service_add_post %{name}.service
+%service_add_post %{name}-switch-root.service
+%{?regenerate_initrd_post}
+
+%postun
+%service_del_postun %{name}.service
+%service_del_postun %{name}-switch-root.service
+%{?regenerate_initrd_post}
+
+%posttrans
+%{?regenerate_initrd_posttrans}
+
+%pre
+%service_add_pre %{name}.service
+%service_add_pre %{name}-switch-root.service
+
+%preun
+%service_del_preun %{name}.service
+%service_del_preun %{name}-switch-root.service
 
 %post -n libhavege2 -p /sbin/ldconfig
 %postun -n libhavege2 -p /sbin/ldconfig
 
 %files
 %license COPYING
+%{_sbindir}/rc%{name}
 %{_sbindir}/%{name}
 %{_mandir}/man8/%{name}.8%{?ext_man}
+%{_unitdir}/%{name}.service
+%{_unitdir}/%{name}-switch-root.service
+%{_udevrulesdir}/90-%{name}.rules
+%dir %{_prefix}/lib/dracut
+%dir %{_prefix}/lib/dracut/modules.d
+%dir %{_prefix}/lib/dracut/modules.d/98%{name}
+%{_prefix}/lib/dracut/modules.d/98%{name}/module-setup.sh
 
 %files devel
 %license COPYING