- Add haveged-no-syslog.patch to remedy the potential for deadlocks

when booting the system: journald reads from /dev/random, which
  receives entropy from haveged, which in turn logs to syslog
  before providing any. Ideally, haveged would provide a proper
  command-line flag to disable use of syslog. Will work with
  upstream to resolve this in a cleaner way. (bnc#959237)
  
- Remove "After=systemd-random-seed.service" from systemd service
  file to avoid the potential for deadlocks when booting the
  system: systemd-random-seed needs /var to read its previous
  state; mounting /var needs journald; journald needs entropy; and
  entropy is provided by haveged, which needs systemd-random-seed.
  (bnc#959237)

OBS-URL: https://build.opensuse.org/package/show/security/haveged?expand=0&rev=109

haveged-no-syslog.patch

@@ -0,0 +1,39 @@
+Index: haveged-1.9.1/src/haveged.c
+===================================================================
+--- haveged-1.9.1.orig/src/haveged.c
++++ haveged-1.9.1/src/haveged.c
+@@ -361,8 +361,10 @@ static void daemonize(     /* RETURN: no
+    void)                   /* IN: nothing       */
+ {
+    FILE *fh;
++#if 0
+    openlog(params->daemon, LOG_CONS, LOG_DAEMON);
+    syslog(LOG_NOTICE, "%s starting up", params->daemon);
++#endif
+    if (daemon(0, 0) == -1)
+       error_exit("Cannot fork into the background");
+    fh = fopen(params->pid_file, "w");
+@@ -499,7 +501,9 @@ static void error_exit(    /* RETURN: no
+ #ifndef NO_DAEMON
+    if (params->detached!=0) {
+       unlink(params->pid_file);
++#if 0
+       syslog(LOG_INFO, "%s: %s", params->daemon, buffer);
++#endif
+       }
+    else
+ #endif
+@@ -609,11 +613,13 @@ static void print_msg(     /* RETURN: no
+    va_list ap;
+    va_start(ap, format);
+    snprintf(buffer, sizeof(buffer), "%s: %s", params->daemon, format);
++#if 0
+ #ifndef NO_DAEMON
+    if (params->detached != 0)
+       vsyslog(LOG_INFO, buffer, ap);
+    else
+ #endif
++#endif
+    vfprintf(stderr, buffer, ap);
+    va_end(ap);
+ }

haveged.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Fri Jun 17 14:15:05 UTC 2016 - psimons@suse.com
+
+- Add haveged-no-syslog.patch to remedy the potential for deadlocks
+  when booting the system: journald reads from /dev/random, which
+  receives entropy from haveged, which in turn logs to syslog
+  before providing any. Ideally, haveged would provide a proper
+  command-line flag to disable use of syslog. Will work with
+  upstream to resolve this in a cleaner way. (bnc#959237)
+
+- Remove "After=systemd-random-seed.service" from systemd service
+  file to avoid the potential for deadlocks when booting the
+  system: systemd-random-seed needs /var to read its previous
+  state; mounting /var needs journald; journald needs entropy; and
+  entropy is provided by haveged, which needs systemd-random-seed.
+  (bnc#959237)
+
 -------------------------------------------------------------------
 Thu Dec 10 16:20:27 CET 2015 - tiwai@suse.de
 

haveged.service

@@ -4,7 +4,8 @@ Documentation=man:haveged(8) http://www.issihosts.com/haveged/
 DefaultDependencies=no
 ConditionVirtualization=!container
 #Conflicts=shutdown.target
-After=systemd-random-seed.service
+# Don't wait for systemd-random-seed.service, leads to deadlock with fips=1
+#After=systemd-random-seed.service
 Before=sysinit.target shutdown.target systemd-journald.service
 
 [Service]

haveged.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package haveged
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,6 +32,8 @@ Patch0:         ppc64le.patch
 Patch1:         haveged-conditional-enttest.patch
 # PATCH-FIX-OPENSUSE: ignore clock-gettime enablement on generic architectures
 Patch2:         fix-enforced-clock-gettime.patch
+# PATCH-FIX-UPSTREAM: don't write to syslog at startup to avoid deadlocks psimons@suse.com bnc#959237
+Patch3:         haveged-no-syslog.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
@@ -81,6 +83,7 @@ algorithm and supporting features.
 %patch0 -p1
 %patch1 -p1
 %patch2
+%patch3 -p1
 
 %build
 autoreconf -fvi