[pkg-apparmor] Bug#799084: apparmor-profiles-extra: apparmor is not allowing ntpd to read its config file @ /etc/openntpd/ntpd.conf

Richard Berg rchrd.berg at gmail.com
Tue Sep 15 17:53:54 UTC 2015


Package: apparmor-profiles-extra
Version: 1.4
Severity: grave
Tags: patch
Justification: renders package unusable

Dear Maintainer,



-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.1.0-pf3+ (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apparmor-profiles-extra depends on:
ii  apparmor  2.9.0-3

apparmor-profiles-extra recommends no packages.

apparmor-profiles-extra suggests no packages.

-- Configuration Files:
/etc/apparmor.d/usr.sbin.ntpd changed:
/usr/sbin/ntpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  capability ipc_lock,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,
  capability sys_time,
  capability sys_nice,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  @{PROC}/net/if_inet6 r,
  @{PROC}/*/net/if_inet6 r,
  @{NTPD_DEVICE} rw,
  /{,s}bin/      r,
  /usr/{,s}bin/  r,
  /usr/sbin/ntpd rmix,
  /etc/ntp.conf r,
  /etc/ntp.conf.dhcp r,
  /etc/ntpd.conf r,
  /etc/ntpd.conf.tmp r,
  /var/lib/ntp/ntp.conf.dhcp r,
  /etc/openntpd/ntpd.conf r,
  /etc/ntp.keys r,
  /etc/ntp/** r,
  /etc/ntp.drift rwl,
  /etc/ntp.drift.TEMP rwl,
  /etc/ntp/drift* rwl,
  /var/lib/ntp/*drift rw,
  /var/lib/ntp/*drift.TEMP rw,
  /var/log/ntp w,
  /var/log/ntp.log w,
  /var/log/ntpd w,
  /var/log/ntpstats/clockstats* rwl,
  /var/log/ntpstats/loopstats*  rwl,
  /var/log/ntpstats/peerstats*  rwl,
  /var/log/ntpstats/protostats* rwl,
  /var/log/ntpstats/rawstats*   rwl,
  /var/log/ntpstats/sysstats*   rwl,
  /{,var/}run/ntpd.pid w,
  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,
  # For use with clocks that report via shared memory (e.g. gpsd),
  # you may need to give ntpd access to all of shared memory, though
  # this can be considered dangerous. See https://launchpad.net/bugs/722815
  # for details. To enable, add this to local/usr.sbin.ntpd:
  #     capability ipc_owner,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.ntpd>
}


-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: usr.sbin.ntpd.diff
Type: text/x-diff
Size: 280 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-apparmor-team/attachments/20150915/1f195f1d/attachment.diff>

