Your message dated Thu, 03 Apr 2025 06:49:39 +0000
with message-id <[email protected]>
and subject line Bug#1084841: fixed in chrony 4.6.1-2
has caused the Debian Bug report #1084841,
regarding Apparmor blocking temperature reading from chrony (still or again?)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1084841: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1084841
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: chrony
Version: 4.3-2+deb12u1

Similar to old #970421, apparmor blocks chrony from reading
/sys/class/hwmon/hwmon0/temp1_input, reporting:

  audit[2374]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon1/temp1_input" pid=2374 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=102 ouid=0

Apparently apparmor, or the rule as it exists

  @{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r

fails to cope with the common issue in /sys, so many things are
symlinks!  In this case it's /sys/class/hwmon/hwmon0 that is a symlink
into /sys/devices/pci...

WORKAROUND: just add a symlink in /etc/apparmor.d/disable to the
chronyd profile and it all works.  Truthfully, I have no idea if this
CAN be fixed using apparmor's capabilities - I'm filing this mostly to
get the workaround into the record.

Thanks for the chrony package, but apparmor is like spam -
whack-a-mole, standing on its head.

-- 
But... they make things up. And that’s not a current bug
that can be easily fixed in the future: it’s fundamental
to how a language model works. -- Simon Willison

--- End Message ---
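
The mismatch described in the report above, reproduced as an added example (not part of the original message or of the chrony package): AppArmor checks the resolved path, so the rule written against `/sys/class/hwmon/...` never sees the `/sys/devices/...` name in the denial. The value of `@{sys}`, the `CANDIDATE_RULE` and the small glob translator (only `*`, `**`, `?` and `[...]`) are assumptions for illustration; the candidate is not the rule shipped in 4.6.1-2.

```python
import re

# Constructed: the denial quoted in the report, with the mail-wrapped lines rejoined.
AUDIT_LINE = (
    'audit[2374]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" '
    'name="/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon1/temp1_input" pid=2374 '
    'comm="chronyd" requested_mask="r" denied_mask="r" fsuid=102 ouid=0'
)
PROFILE_RULE = "@{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input"  # rule quoted in the report
# Hypothetical rule on the resolved location; NOT the rule shipped in chrony 4.6.1-2.
CANDIDATE_RULE = "@{sys}/devices/**/hwmon/hwmon[0-9]*/temp[0-9]*_input"
VARIABLES = {"sys": "/sys/"}  # assumed value of the @{sys} tunable

TOKEN = re.compile(r"\*\*|\*|\?|\[[^\]]*\]|.")
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]"}  # only ** may cross a '/'


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def glob_to_regex(rule, variables=VARIABLES):
    """Translate an AppArmor path glob into an anchored regular expression."""
    for name, value in variables.items():
        rule = rule.replace("@{%s}" % name, value)
    rule = re.sub(r"/+", "/", rule)  # "/sys/" + "/class" must not yield "//"
    parts = []
    for tok in TOKEN.findall(rule):
        if tok in GLOB:
            parts.append(GLOB[tok])
        elif len(tok) > 1:           # character class, same syntax in a regex
            parts.append(tok)
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts) + r"\Z")


def rule_allows(rule, path):
    """True if the path glob of `rule` matches `path` exactly."""
    return glob_to_regex(rule).match(path) is not None


if __name__ == "__main__":
    denied = parse_denial(AUDIT_LINE)["name"]
    for label, rule in (("profile", PROFILE_RULE), ("candidate", CANDIDATE_RULE)):
        print(label, rule_allows(rule, denied))
```
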
--- Begin Message ---
Source: chrony
Source-Version: 4.6.1-2
Done: Vincent Blut <[email protected]>

We believe that the bug you reported is fixed in the latest version of
chrony, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Blut <[email protected]> (supplier of updated chrony package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 02 Apr 2025 21:33:06 +0200
Source: chrony
Architecture: source
Version: 4.6.1-2
Distribution: unstable
Urgency: medium
Maintainer: Vincent Blut <[email protected]>
Changed-By: Vincent Blut <[email protected]>
Closes: 1073865 1084841
Changes:
 chrony (4.6.1-2) unstable; urgency=medium
 .
   [ Vincent Blut ]
   * debian/chrony.conf:
     - Move the confdir directive at the end of the configuration file. This
     should prevent directives defined in /etc/chrony/conf.d/ from being
     overridden by corresponding directives in chrony.conf. (Closes: #1073865)
 .
   * debian/chrony.service:
     - Drop 'After=network.target'. First and foremost, the network.target unit
     doesn't guarantee that any network interfaces are configured or
     operational. Furthermore, chronyd is perfectly able to operate without
     network or DNS functionality notably when used with a hardware reference
     clock as a time source.
     - Do not pull time-sync.target nor order chrony.service before it. Services
     pulling and being ordered before time-sync.target must ensure that the
     system clock has been completely synchronized and thus typically guarantee
     an accurate clock. This can't be assumed right after chrony.service has
     finished starting.
 .
   * debian/control:
     - Support seccomp facility on loong64.
     - Bump Standards-Version to 4.7.2 (no changes required).
 .
   * debian/copyright:
     - Update copyright year for debian/*.
 .
   * debian/rules:
     - Revert "d/rules: Disable seccomp on loong64".
 .
   * debian/usr.sbin.chronyd:
     - Relax rule regarding temperature sensors. (Closes: #1084841)
 .
   [ Joachim Kross ]
   * debian/{control,postinst,chrony.conf}:
     - Minor textual updates.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
