Your message dated Fri, 02 Oct 2020 20:21:51 +0000
with message-id <[email protected]>
and subject line Bug#970421: fixed in chrony 4.0~pre4-1
has caused the Debian Bug report #970421,
regarding apparmor limit blocks temperature reading
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
970421: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970421
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: chrony
Version: 3.4-4

Current apparmor profile for chrony lists
@{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r,

which is great (and even how I have mine configured -
tempcomp /sys/class/hwmon/hwmon0/temp1_input 1 0 0 0 0) but it doesn't actually 
work. It results in lots of log lines like

Sep 15 23:06:37 gw.as397444.net audit[24397]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Sep 15 23:06:37 gw.as397444.net chronyd[24397]: Could not read temperature from /sys/class/hwmon/hwmon0/temp1_input
Sep 15 23:06:37 gw.as397444.net kernel: audit: type=1400 audit(1600225597.313:127): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0

Looks like somehow apparmor is resolving the file to a different path, 
checking, and then failing it.

An extra line like the following fixes it:
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/temp[0-9]*_input r,

Matt

--- End Message ---
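
Added example, not part of the original report or of the chrony package: AppArmor mediates the path the kernel reaches after following the sysfs symlink, so this sketch parses the AVC denial quoted in the report and tests its `name=` field against the existing and the proposed rule. It handles only the glob subset used in these rules (`**`, `*`, `?`, `[...]`) and assumes `@{sys}` expands to `/sys/` as in AppArmor's tunables/kernelvars; all function names are hypothetical.

```python
import re

# Assumption: @{sys} is defined as /sys/ (AppArmor tunables/kernelvars).
VARS = {"@{sys}": "/sys/"}

# Denial copied from the report; the two rules are the ones quoted in it.
DENIAL = ('audit[24397]: AVC apparmor="DENIED" operation="open" '
          'profile="/usr/sbin/chronyd" '
          'name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" '
          'pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" '
          'fsuid=112 ouid=0')
EXISTING_RULE = ("@{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input", "r")
PROPOSED_RULE = ("@{sys}/devices/virtual/thermal/thermal_zone[0-9]*"
                 "/hwmon[0-9]*/temp[0-9]*_input", "r")

def glob_to_regex(rule_path):
    """Translate an AppArmor path glob (subset) into a compiled regex."""
    for var, value in VARS.items():
        rule_path = rule_path.replace(var, value)
    rule_path = re.sub(r"/{2,}", "/", rule_path)  # "/sys//class" -> "/sys/class"
    out, i = [], 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            out.append(".*"); i += 2            # ** crosses directory levels
        elif rule_path[i] == "*":
            out.append("[^/]*"); i += 1         # * stays within one component
        elif rule_path[i] == "?":
            out.append("[^/]"); i += 1
        elif rule_path[i] == "[":
            end = rule_path.index("]", i)       # character class passes through
            out.append(rule_path[i:end + 1]); i = end + 1
        else:
            out.append(re.escape(rule_path[i])); i += 1
    return re.compile("".join(out))

def parse_denial(line):
    """Return the quoted key="value" fields of an AppArmor DENIED record."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return fields if fields.get("apparmor") == "DENIED" else None

def covering_rules(line, rules):
    """List the rules that would have allowed the denied access."""
    denial = parse_denial(line)
    if denial is None:
        return []
    return [(path, perms) for path, perms in rules
            if glob_to_regex(path).fullmatch(denial["name"])
            and all(bit in perms for bit in denial["denied_mask"])]

if __name__ == "__main__":
    print("existing rule covers denial:", covering_rules(DENIAL, [EXISTING_RULE]))
    print("with proposed rule:", covering_rules(DENIAL, [EXISTING_RULE, PROPOSED_RULE]))
```

On a live system, `readlink -f` on the configured `tempcomp` path shows the resolved path the profile has to allow.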
--- Begin Message ---
Source: chrony
Source-Version: 4.0~pre4-1
Done: Vincent Blut <[email protected]>

We believe that the bug you reported is fixed in the latest version of
chrony, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Blut <[email protected]> (supplier of updated chrony package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Fri, 02 Oct 2020 21:21:08 +0200
Source: chrony
Architecture: source
Version: 4.0~pre4-1
Distribution: experimental
Urgency: medium
Maintainer: Vincent Blut <[email protected]>
Changed-By: Vincent Blut <[email protected]>
Closes: 970421
Changes:
 chrony (4.0~pre4-1) experimental; urgency=medium
 .
   * Import upstream version 4.0-pre4:
     - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.
 .
   * Merge branch 'master' into experimental. (Closes: #970421)
 .
   * debian/chrony.conf:
     - Use NTP sources from /run/chrony-dhcp.
     - Save NTS keys and cookies in /var/lib/chrony/.
 .
   * debian/[email protected]:
     - Update "chrony-helper" path.
 .
   * debian/chrony.dhcp:
     - Save NTP servers from DHCP to /run/chrony-dhcp/$interface.sources.
 .
   * debian/chrony.lintian-overrides:
     - Override executable-in-usr-lib for NetworkManager dispatcher scripts.
     - Update NetworkManager dispatcher script name.
 .
   * debian/chrony.ppp.ip-{down,up}:
     - Update PID file path.
 .
   * debian/chrony.service:
     - Update PID file path.
     - Do not run 'chrony-helper update-daemon' after starting chronyd. Not
     needed anymore.
 .
   * debian/control:
     - Build-depend on libgnutls28-dev to support NTS.
     - Build-depend on gnutls-bin for the test suite.
     - Bump debhelper-compat to 13.
 .
   * debian/copyright:
     - Update copyright years.
 .
   * debian/dirs:
     - Remove var/log/chrony as it will be created automatically if it doesn’t
     exist.
 .
   * debian/if-{post-down,up}:
     - Update PID file path.
 .
   * debian/init:
     - Update PID file path.
     - Drop the unnecessary '--remove pidfile' option from the stop target.
     - Do not run 'chrony-helper update-daemon' after starting chronyd. Not
     needed anymore.
 .
   * debian/install:
     - Move "chrony-helper" to "/usr/libexec/chrony".
 .
   * debian/links:
     - Update source and destination filenames.
 .
   * debian/patches/:
     - Drop patches applied upstream.
     - Add nm-dispatcher-dhcp_Move-server_dir-to-run.patch.
 .
   * debian/postinst:
     - Drop migration code from pre-Stretch.
     - Migrate NTP sources obtained from DHCP to /run/chrony-dhcp on upgrade
     from chrony < 4.0~pre4-1.
     - Remove staled PID file when upgrading from chrony < 4.0~pre4-1.
 .
   * debian/rules:
     - Change the default PID file location from /run to /run/chrony.
     - Drop dh_missing --fail-missing. This is the default in debhelper 13.
     - Enable seccomp support by default on riscv64.
     - Update NetworkManager dispatcher script name from 20-chrony to
     20-chrony-onoffline.
     - Add DHCP NetworkManager dispatcher script to allow chronyd to use
     NTP sources obtained from NM's internal DHCP client.
 .
   * debian/tests/:
     - Add some helper functions. Some tests will be updated thereafter
     to use them.
 .
   * debian/tests/time-sources-from-dhcp-servers:
     - Adapt to the new way of using time sources from DHCP.
     - Improve sed invocation.
 .
   * debian/tests/upstream-simulation-test-suite:
     - Update clknetsim version.
     - Cosmetic changes.
 .
   * debian/tests/upstream-system-tests:
     - No need to stop systemd-timesyncd anymore since it is no more
     co-installable with chrony anymore.
 .
   * debian/usr.sbin.chronyd:
     - Update PID file path.
     - Add dac_override and dac_read_search capabilities to give "root" the
     ability to write the PID file in /run/chrony/.
     - Prefix flag definition by "flags=".
     - Sort the capabilities.
     - Grant CAP_NET_RAW capability to allow an NTP socket to be bound to a
     device using the SO_BINDTODEVICE socket option on kernels before 5.7.
     - Add comments regarding capabilities.
     - Let chronyd create /var/l{ib,og}/chrony.
     - Remove a superfluous rule.
     - Allow reading of NTP sources in /run/chrony-dhcp/.
 .
   * debian/watch:
     - Make use of special strings.


--- End Message ---
