Control: tags -1 patch confirmed pending

Hi Christian,

On Fri, Feb 23, 2018 at 12:15:54PM +0100, Christian Ehrhardt wrote:
Package: chrony
Version: 3.2-4
Severity: normal

Hi,
I happened to find in [1] that we need to add w to some apparmor rules
for local PPS devices.
TL;DR I enabled all devices as they are in man chrony.conf and got denials like:

[ 5756.216096] audit: type=1400 audit(1519379582.153:21):
apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd"
name="/dev/rtc0" pid=4216 comm="chronyd" requested_mask="w"
denied_mask="w" fsuid=0 ouid=0

I'd suggest the following for now:

ACK. The same logic is used in chronyd's SELinux policy, for example:

dev_rw_realtime_clock(chronyd_t)

optional_policy(`
   ptp4l_rw_shm(chronyd_t)
   ')

---

--- chrony-3.2/debian/changelog 2018-02-20 18:27:10.000000000 +0100
+++ chrony-3.2/debian/changelog 2018-02-23 12:14:57.000000000 +0100
@@ -1,3 +1,10 @@
+chrony (3.2-5) unstable; urgency=medium
+
+  * debian/usr.sbin.chronyd: allow write access to rtc, pps and ptp devices
+    as that is how chrony initializes them (LP: #1751241)
+
+ -- Christian Ehrhardt <christian.ehrha...@canonical.com>  Fri, 23
Feb 2018 12:13:57 +0100
+
chrony (3.2-4) unstable; urgency=medium

 * debian/changelog:
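Review bot: the maintainer trailer of the new changelog entry is split across two lines (` -- Christian Ehrhardt <...>  Fri, 23` followed by `Feb 2018 12:13:57 +0100`), which dpkg-parsechangelog will not accept and which also stops this hunk from applying cleanly; this looks like mail-client wrapping of a long line, so please resend the patch as an attachment or with line wrapping disabled so the trailer stays on one line.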
diff -Nru chrony-3.2/debian/usr.sbin.chronyd chrony-3.2/debian/usr.sbin.chronyd
--- chrony-3.2/debian/usr.sbin.chronyd  2018-02-08 19:20:27.000000000 +0100
+++ chrony-3.2/debian/usr.sbin.chronyd  2018-02-23 12:13:48.000000000 +0100
@@ -32,11 +32,11 @@

 # rtc
 /etc/adjtime r,
-  /dev/rtc{,[0-9]*} r,
+  /dev/rtc{,[0-9]*} rw,

 # gps devices
-  /dev/pps[0-9]* r,
-  /dev/ptp[0-9]* r,
+  /dev/pps[0-9]* rw,
+  /dev/ptp[0-9]* rw,

 # For use with clocks that report via shared memory (e.g. gpsd),
 # you may need to give ntpd access to all of shared memory, though
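Review bot: the trailing context comment in this hunk still says "you may need to give ntpd access to all of shared memory", which reads as carried over from the ntp profile; since this file is usr.sbin.chronyd, it would be worth correcting that to chronyd while the neighbouring device rules are being touched. The widening itself is consistent with the quoted denial (an `open` on /dev/rtc0 with requested_mask="w" under the existing `r` rule), and applying the same `rw` to the pps and ptp rules matches the SELinux policy cited in the reply.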

---

[1]: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/1751241

--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

Cheers,
Vincent
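As an added illustration (not part of this report or of the chrony packaging), the following script turns an AppArmor DENIED audit record like the one quoted above into the narrowest profile rule that would satisfy it: it matches the denied path against the profile's own glob patterns and merges the denied permission bits into the existing rule. The audit line and the profile excerpt are constructed from the text of the report; the glob translator handles only the subset of AppArmor globbing those rules use.

```python
import re

# Constructed audit record, modelled on the DENIED line quoted in the bug report.
AUDIT_LINE = ('audit: type=1400 audit(1519379582.153:21): apparmor="DENIED" '
              'operation="open" profile="/usr/sbin/chronyd" name="/dev/rtc0" '
              'pid=4216 comm="chronyd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0')

# Constructed excerpt of the pre-patch usr.sbin.chronyd rules: (path pattern, permissions).
PROFILE_RULES = [("/etc/adjtime", "r"), ("/dev/rtc{,[0-9]*}", "r"),
                 ("/dev/pps[0-9]*", "r"), ("/dev/ptp[0-9]*", "r")]

PERM_ORDER = "rwamkl"  # canonical order for the file permissions handled here (no exec modes)

def parse_denial(line):
    """Split an AppArmor audit record into a dict of key=value / key="value" fields."""
    return {k: q or b for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def glob_to_regex(pattern):
    """Anchored regex for the AppArmor glob subset used in this profile: '*' matches within
    one path component, '{a,b}' is alternation, '[...]' classes pass through ('**', '?' not handled)."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}":
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        elif c == "[":
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1]); i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

def suggest_rule(audit_line, rules):
    """Narrowest rule that satisfies the denial: the first matching pattern widened by the
    denied permissions, or a literal-path rule if nothing matches; None for non-DENIED."""
    d = parse_denial(audit_line)
    if d.get("apparmor") != "DENIED":
        return None
    for pattern, perms in rules:
        if re.match(glob_to_regex(pattern), d["name"]):
            merged = "".join(p for p in PERM_ORDER if p in perms or p in d["denied_mask"])
            return f"{pattern} {merged},"
    return f'{d["name"]} {d["denied_mask"]},'
```

Running `suggest_rule(AUDIT_LINE, PROFILE_RULES)` yields `/dev/rtc{,[0-9]*} rw,`, the same widening the patch applies.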
