Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
Hi,
[ Reason ]
The AppArmor profile for chronyd does not include a rule to read the chronyd
configuration file generated by the timemaster program.
[ Impact ]
Without the proposed fix, users must override the AppArmor profile (or, at worst,
set the profile to complain mode) to use chronyd with timemaster flawlessly.
[ Tests ]
I checked that AppArmor no longer sends 'denied' log entries as seen in
#1004745 when using chronyd with timemaster.
[ Risks ]
Low. An equivalent fix has been in testing/unstable for over a month now without
any regression so far.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Add a rule to the AppArmor profile to allow chronyd to read the
configuration file /run/timemaster/chrony.conf.
Cheers,
Vincent
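The check described under [Tests] (looking for AppArmor 'denied' entries for the chronyd profile), as an added example that is not part of the original report or of the chrony package: a small Python parser over constructed AppArmor audit lines that counts denials per path for one profile and turns them into candidate file rules in the @{run} style used by the profile in the debdiff. The log lines, timestamps and PIDs are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel/audit format AppArmor uses (not real captures).
# The third line is what complain mode produces (apparmor="ALLOWED"); it must not count.
SAMPLE_LOG = """\
[  12.3] audit: type=1400 audit(1647292800.101:31): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/run/timemaster/chrony.conf" pid=812 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  12.4] audit: type=1400 audit(1647292800.102:32): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/run/timemaster/chrony.conf" pid=812 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  12.5] audit: type=1400 audit(1647292800.250:33): apparmor="ALLOWED" operation="open" profile="/usr/sbin/chronyd" name="/run/timemaster/chrony.conf" pid=812 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  13.0] audit: type=1400 audit(1647292801.000:34): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/cupsd.conf" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword, as emitted by the AppArmor audit hook
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

def parse_audit_line(line):
    """Return a dict of key=value fields from one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        if m.group(1):
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return fields

def denials_for_profile(log_text, profile):
    """Aggregate DENIED events for one profile: (path, denied_mask) -> count."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        counts[(f.get("name", ""), f.get("denied_mask", ""))] += 1
    return dict(counts)

def suggest_rules(denials):
    """Turn each denied (path, mask) into a candidate AppArmor file rule,
    using the @{run} variable for /run as the chronyd profile does."""
    rules = []
    for (path, mask) in sorted(denials):
        if path.startswith("/run/"):
            path = "@{run}/" + path[len("/run/"):]
        rules.append(f"{path} {mask},")
    return rules
```

Run it against `dmesg` or `/var/log/audit/audit.log` output for the real profile; an empty result for `/usr/sbin/chronyd` is the outcome the [Tests] section describes.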
diff -Nru chrony-4.0/debian/changelog chrony-4.0/debian/changelog
--- chrony-4.0/debian/changelog 2021-10-19 22:02:40.0 +0200
+++ chrony-4.0/debian/changelog 2022-03-14 22:17:25.0 +0100
@@ -1,3 +1,11 @@
+chrony (4.0-8+deb11u2) bullseye; urgency=medium
+
+ * debian/usr.sbin.chronyd:
+- Allow reading the chronyd configuration file that timemaster(8)
+generates. Thanks to Michael Lestinsky for the report! (Closes: #1004745)
+
+ -- Vincent Blut Mon, 14 Mar 2022 22:17:25 +0100
+
chrony (4.0-8+deb11u1) bullseye; urgency=medium
* debian/patches/:
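Review bot: the sub-bullet lines of the new entry ('+- Allow reading the chronyd configuration file that timemaster(8)' and '+generates. ...') and the trailer line ('+ -- Vincent Blut Mon, 14 Mar 2022 22:17:25 +0100') appear here without the indentation and maintainer e-mail address that dpkg-parsechangelog expects (body lines indented, trailer as ' -- Name <email>  date'); if this is only whitespace and address stripping in transit the debdiff is fine, otherwise the entry will not parse. Content-wise the entry credits the reporter and closes #1004745, matching the [Changes] section of the report.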
diff -Nru chrony-4.0/debian/usr.sbin.chronyd chrony-4.0/debian/usr.sbin.chronyd
--- chrony-4.0/debian/usr.sbin.chronyd 2021-10-19 22:02:40.0 +0200
+++ chrony-4.0/debian/usr.sbin.chronyd 2022-03-14 22:17:25.0 +0100
@@ -67,6 +67,9 @@
/dev/pps[0-9]* rw,
/dev/ptp[0-9]* rw,
+ # Allow reading the chronyd configuration file that timemaster(8) generates
+ @{run}/timemaster/chrony.conf r,
+
# For use with clocks that report via shared memory (e.g. gpsd),
# you may need to give ntpd access to all of shared memory, though
# this can be considered dangerous. See https://launchpad.net/bugs/722815
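Review bot: the new rule grants read-only access to a single path and uses the @{run} variable, matching the style of the surrounding file rules, so its scope is as tight as the fix allows. Since this hunk covers only the generated configuration file itself, it is worth confirming (as the [Tests] section reports was done) that no further denials appear for other entries under @{run}/timemaster/ once chronyd can read that file, because any such denial would only surface after this first one is resolved.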