Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

[ Reason ]
The AppArmor profile for chronyd does not include a rule to read the chronyd configuration file generated by the timemaster program.

[ Impact ]
Without the proposed fix, users must override the AppArmor profile (or at worst set the profile to complain mode) to flawlessly use chronyd with timemaster.

[ Tests ]
I checked that AppArmor no longer sends 'denied' log entries as seen in #1004745 when using chronyd with timemaster.

[ Risks ]
Low. An equivalent fix has been in testing/unstable for over a month now without any regression so far.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Adding a rule in the AppArmor profile to allow chronyd to read the configuration file /run/timemaster/chrony.conf

Cheers,
Vincent
diff -Nru chrony-3.4/debian/changelog chrony-3.4/debian/changelog --- chrony-3.4/debian/changelog 2020-09-16 13:44:04.000000000 +0200 +++ chrony-3.4/debian/changelog 2022-03-15 13:45:14.000000000 +0100 @@ -1,3 +1,11 @@ +chrony (3.4-4+deb10u2) buster; urgency=medium + + * debian/usr.sbin.chronyd: + - Allow reading the chronyd configuration file that timemaster(8) + generates. Thanks to Michael Lestinsky for the report! (Closes: #1004745) + + -- Vincent Blut <vincent.deb...@free.fr> Tue, 15 Mar 2022 13:45:14 +0100 + chrony (3.4-4+deb10u1) buster; urgency=medium * debian/patches/: diff -Nru chrony-3.4/debian/usr.sbin.chronyd chrony-3.4/debian/usr.sbin.chronyd --- chrony-3.4/debian/usr.sbin.chronyd 2020-09-16 13:44:04.000000000 +0200 +++ chrony-3.4/debian/usr.sbin.chronyd 2022-03-15 13:45:14.000000000 +0100 @@ -50,6 +50,9 @@ /dev/pps[0-9]* rw, /dev/ptp[0-9]* rw, + # Allow reading the chronyd configuration file that timemaster(8) generates + /{,var/}run/timemaster/chrony.conf r, + # For use with clocks that report via shared memory (e.g. gpsd), # you may need to give ntpd access to all of shared memory, though # this can be considered dangerous. See https://launchpad.net/bugs/722815
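Review bot: The new 3.4-4+deb10u2 changelog entry describes the grant only as "the chronyd configuration file that timemaster(8) generates" and never names the path. Because this widens a confinement profile in a stable update, state the exact rule in the entry (read access to /{,var/}run/timemaster/chrony.conf), so that administrators carrying a local override for #1004745 can see precisely what the packaged profile now permits and drop their own rule.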
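Review bot: In the debian/usr.sbin.chronyd hunk, the new rule "/{,var/}run/timemaster/chrony.conf r," is placed between the /dev/pps[0-9]* and /dev/ptp[0-9]* device rules and the shared-memory comment, so a configuration-file grant ends up in the middle of the clock-device block. The rule itself is suitably narrow (one literal file name, read-only, both the /run and /var/run spellings), but it would be easier to audit if it sat beside the profile's other configuration-file rules, if there are any, rather than among the hardware-clock entries. The comment above it could also say that the access is read-only and limited to this single file, so a later editor does not widen it to the whole directory.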