[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
** Changed in: ntp (Debian)
       Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Won't Fix
Status in ntp package in Debian:
  Fix Released

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [ 27.598551] type=1400 audit(1463494995.048:18): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517 comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this? I added the following line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

    /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
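
Turning the denial from the bug description into a candidate profile rule, as an added example that is not part of the original thread or of the ntp package: the script parses AppArmor audit lines, keeps only DENIED events for one profile, merges the denied masks per path, and sets aside entries that need manual review. Every log line except the first is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the first line is the denial quoted in the bug report;
# the remaining lines are made up to exercise the filters below.
SAMPLE_LOG = """\
May 17 16:23:15 bo kernel: [ 27.598551] type=1400 audit(1463494995.048:18): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517 comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
May 17 16:23:16 bo kernel: [ 28.100000] type=1400 audit(1463494996.000:19): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 17 16:23:17 bo kernel: [ 29.200000] type=1400 audit(1463494997.000:20): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/etc/hostname" pid=1517 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 17 16:23:18 bo kernel: [ 30.300000] type=1400 audit(1463494998.000:21): apparmor="DENIED" operation="open" profile="/usr/sbin/example-daemon" name="/etc/example.conf" pid=1600 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 17 16:23:19 bo kernel: [ 31.400000] type=1400 audit(1463494999.000:22): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name=2F746D702F6120622A pid=1517 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 17 16:23:20 bo kernel: [ 32.000000] EXT4-fs (sda1): re-mounted
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Paths made only of these characters can be written into a rule unquoted
# and contain no AppArmor glob characters.
SAFE_PATH_RE = re.compile(r'^/[A-Za-z0-9_./+@-]*$')
SIMPLE_MASK = set("rw")   # masks this sketch converts without review
MASK_ORDER = "rw"


def parse_fields(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            fields[key] = quoted
        elif key == "name":
            # Audit records hex-encode a name that contains spaces or other
            # special bytes and omit the quotes; decode it back to a path.
            try:
                fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                fields[key] = bare
        else:
            fields[key] = bare
    return fields


def collect_denials(log_text, profile):
    """Map path -> set of denied permission letters for one profile."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if not f or f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue  # skip non-AppArmor lines, complain-mode events, other profiles
        if "name" in f and "denied_mask" in f:
            denied[f["name"]].update(f["denied_mask"])
    return dict(denied)


def suggest_rules(denied):
    """Return (candidate rule lines, entries that need manual review)."""
    rules, manual = [], []
    for path in sorted(denied):
        mask = denied[path]
        if SAFE_PATH_RE.match(path) and mask <= SIMPLE_MASK:
            perms = "".join(c for c in MASK_ORDER if c in mask)
            rules.append(f"{path} {perms},")
        else:
            # Unusual path characters or permission letters: do not guess.
            manual.append((path, "".join(sorted(mask))))
    return rules, manual


if __name__ == "__main__":
    rules, manual = suggest_rules(collect_denials(SAMPLE_LOG, "/usr/sbin/ntpd"))
    print("candidate rules:", rules)
    print("review by hand:", manual)
```

Each generated line is a proposal to review against what the confined daemon actually needs before it goes into the profile.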
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
** Changed in: ntp (Debian)
       Status: Unknown => New
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
I realized we carry this as Delta and there was no Debian report yet, I opened one and linked it up here.

** Bug watch added: Debian Bug tracker #861727
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861727

** Also affects: ntp (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861727
   Importance: Unknown
       Status: Unknown
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
Hi, just to note I'd consider this not important enough for an SRU given the fact that it is a very rare case and people can add the rule themselves if they need to.

** Changed in: ntp (Ubuntu Xenial)
       Status: New => Won't Fix
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
This bug was fixed in the package ntp - 1:4.2.8p8+dfsg-1ubuntu1

---
ntp (1:4.2.8p8+dfsg-1ubuntu1) yakkety; urgency=medium

  [ Christian Ehrhardt ]
  * Merge from Debian testing. Remaining changes:
    + debian/rules: enable debugging. Asked debian to add this in bug #643954.
    + debian/rules, debian/ntp.dirs, debian/source_ntp.py: Add apport hook.
    + debian/control: Add Suggests on apparmor.
    + debian/source_ntp.py: Add filter on AppArmor profile names to prevent false positives from denials originating in other packages
    + debian/ntpdate.if-up: Fix interaction with openntpd. Stop ntp before running ntpdate when an interface comes up, then start again afterwards.
    + debian/ntp.init, debian/rules: Only stop when entering single user mode, don't use /var/lib/ntp/ntp.conf.dhcp if /etc/ntp.conf is newer - it can get stale. Patch by Simon Déziel.
    + debian/ntp.conf, debian/ntpdate.default: Change default server to ntp.ubuntu.com.
    + debian/control: Add bison to Build-Depends (for ntpd/ntp_parser.y).
    + Extend PPS support
      - debian/README.Debian: Add a PPS section to the README.Debian
      - debian/ntp.conf: Add some configuration examples from the official documentation.
    + SECURITY UPDATE: NTP statsdir cleanup cronjob insecure (LP: #1528050)
      - debian/ntp.cron.daily: fix security issues, patch thanks to halfdog!
      - CVE-2016-0727
    + Merge also contains an upstream fix that solves (LP: #1567540)
  * Added changes
    + match Ubuntu packages now that Debian has ntp apparmor accepted in d/control for Apparmor conflicts/replaces
    + d/apparmor-profile add samba winbindd pipe (LP: #1582767)
  * Drop Changes:
    + Add enforcing AppArmor profile (accepted in Debian):
      - debian/control: Add Conflicts/Replaces on apparmor-profiles.
      - debian/control: Add Suggests on apparmor.
      - debian/control: Build-Depends on dh-apparmor.
      - add debian/apparmor-profile*.
      - debian/ntp.dirs: Add apparmor directories.
      - debian/rules: Install apparmor-profile and apparmor-profile.tunable.
      - debian/source_ntp.py: Add filter on AppArmor profile names to prevent false positives from denials originating in other packages.
      - debian/README.Debian: Add note on AppArmor.
    + Add PPS support (accepted in Debian)
      - debian/control: Add Build-Depends on pps-tools
    + debian/apparmor-profile: allow 'rw' access to /dev/pps[0-9]* devices.
    + d/p/fix_local_sync.patch: fix local clock sync (fixed upstream)
    + debian/patches/ntpdate-fix-lp1526264.patch (fixed upstream):
      - Add Alfonso Sanchez-Beato's patch for fixing the cannot correct dates in the future bug
    + debian/apparmor-profile: adjust to handle AF_UNSPEC with dgram and stream
    + dropping previous ubuntu security patches/fixes that have been upstreamed in 4.2.8p6: CVE-2015-7973, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8158
    + dropping previous ubuntu security patches/fixes that have been upstreamed in 4.2.8p7: CVE-2016-1548, CVE-2016-1550, CVE-2016-2516, CVE-2016-2518, CVE-2015-7974, CVE-2016-1547

  [ Robie Basak ]
  * Restore AppArmor entries in debian/ntp.dirs.

ntp (1:4.2.8p8+dfsg-1) unstable; urgency=high

  * New upstream version
    - Fixes security issues

ntp (1:4.2.8p7+dfsg-4) unstable; urgency=high

  * Update apparmor-profiles-extra again now we know in which version they removed it.
  * Call dh_apparmor. Add build-depends on dh-apparmor. (Closes: #824767)

ntp (1:4.2.8p7+dfsg-3) unstable; urgency=medium

  [ Hideki Yamane ]
  * Properly enable Apparmor profile from Ubuntu (Closes: #823024)
    Patch from Hideki Yamane
  * Update replace/breaks versions of apparmor-profiles-extra (Closes: #805183)

ntp (1:4.2.8p7+dfsg-2) unstable; urgency=medium

  * Only build-depend on pps-tools on Linux

ntp (1:4.2.8p7+dfsg-1) unstable; urgency=medium

  * New upstream version
    This might fix a few CVEs.
  * Drop CVE-2015-5300.patch and CVE-2015-7704.patch now claimed to be fixed upstream.
  * Remove Bdale from uploaders (Closes: #804377)
  * Remove section about patching the kernel for PPS support, it's already included in the kernel (Closes: #811171)
  * Pass --build and --host to configure. (Closes: #315935)
    Patch from Helmut Grohne
  * Missing Build-Depends libopts25-dev (which is not implicit in autogen, because autogen is M-A:foreign).
    Patch from Helmut Grohne
  * Fix ntp.dhcp to also check for pool and better handle spaces and tabs. (Closes: #809344, #806676)
  * Change watch file to use https (Closes: #793926)
  * Hook into NetworkManager to update ntp servers from dhcp. (Closes: #778415).
    Patch from Helmut Grohne
  * Build Depend on pps-tools (Closes: #691672)
  * Don't run ntpdate when method is
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
** Also affects: ntp (Ubuntu Xenial)
   Importance: Undecided
       Status: New
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
@Robie, I'd intend to do so as the fix is rather easy, but it depends on the co-work of the reporter for verification. I'd say yes please create a task but we keep it at low prio until verification support takes place. I'll do the nominate.
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
@Christian Do you intend to SRU this to Xenial? Should I create a bug task for it?
Re: [Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
Thanks already for your commitment to help!

The final fix is currently in review, as it is part of a merge and that changes much more. To give you a way to pre-evaluate I put it in a ppa at https://launchpad.net/~paelzer/+archive/ubuntu/ntp-test-bug-1582767

This silently will test all other changes as well if they get you or your environment into any trouble as well.

Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

On Fri, Jul 8, 2016 at 5:09 PM, Eric Delaet wrote:
> Hi Christian,
>
> Sure, if you have a beta package or so I'm ready to test it. Just
> deployed another server and saw the same behaviour, so it's easy to
> replicate for me and to check if the error is gone.
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
Hi Christian,

Sure, if you have a beta package or so I'm ready to test it. Just deployed another server and saw the same behaviour, so it's easy to replicate for me and to check if the error is gone.
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
Hi, I was preparing to integrate this change together with a lot of others. While testing I couldn't get it to trigger the issue you described. Lacking a "real" ADS to link to I went for being a PDC on my own - but at least in that setup the issue didn't show up.

Fortunately the change is small and not very intrusive, so I think we can still keep it. But as a heads up once this will be available in yakkety I'll have to ask you to verify this. I'll ping this bug then to let you know.
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
If one can find slight modifications to this conf without needing an actual real ADS, but still triggering the bug please let me know.

** Attachment added: "samba conf as PDC trying to trigger the bug"
   https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+attachment/4695719/+files/smb.conf
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
Hi Eric, thanks for sharing. I think I'm good for now - need to find the time to actually package it which has a few other dependencies atm. If while testing I find that I need more I'll let you know - and certainly for this bug I'd love to have you test it as well once it is packaged, built and available for testing.
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
Hello Christian,

I'm using Samba with winbind to connect to Active Directory as a slave server. I guess that's why it wants to read the synchronized time.

My Samba setup:

netbios name =
workgroup =
realm =
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
** Changed in: ntp (Ubuntu)
     Assignee: Wesley Wiedenmeier (wesley-wiedenmeier) => (unassigned)

** Changed in: ntp (Ubuntu)
     Assignee: (unassigned) => ChristianEhrhardt (paelzer)
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
Hi Eric, adding that rule sounds totally reasonable and we are looking to integrate that. To ease testing as I never set such a thing up before I wanted to ask if you could share some config details how to set it up this way so it triggers the issue you face?
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
** Changed in: ntp (Ubuntu)
     Assignee: (unassigned) => Wesley Wiedenmeier (wesley-wiedenmeier)
[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind
** Tags added: apparmor bitesize

** Changed in: ntp (Ubuntu)
       Status: New => Triaged

** Changed in: ntp (Ubuntu)
   Importance: Undecided => Medium