[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[Bug Watch Updater]

** Changed in: ntp (Debian)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Won't Fix
Status in ntp package in Debian:
  Fix Released

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[Bug Watch Updater]

** Changed in: ntp (Debian)
   Status: Unknown => New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Won't Fix
Status in ntp package in Debian:
  New

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[ChristianEhrhardt]

I realized we carry this as Delta and there was no Debian report yet, I
opened one and linked it up here.

** Bug watch added: Debian Bug tracker #861727
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861727

** Also affects: ntp (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861727
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Won't Fix
Status in ntp package in Debian:
  Unknown

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[ChristianEhrhardt]

Hi,
just to note I'd consider this not important enough for an SRU given the fact 
that it is a very rare case and people can add the rule themselves if the need 
to.

** Changed in: ntp (Ubuntu Xenial)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Won't Fix

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[Launchpad Bug Tracker]

This bug was fixed in the package ntp - 1:4.2.8p8+dfsg-1ubuntu1

---
ntp (1:4.2.8p8+dfsg-1ubuntu1) yakkety; urgency=medium

  [ Christian Ehrhardt ]
  * Merge from Debian testing. Remaining changes:
+ debian/rules: enable debugging. Asked debian to add this in bug #643954.
+ debian/rules, debian/ntp.dirs, debian/source_ntp.py: Add apport hook.
+ debian/control: Add Suggests on apparmor.
+ debian/source_ntp.py: Add filter on AppArmor profile names to prevent
  false positives from denials originating in other packages
+ debian/ntpdate.if-up: Fix interaction with openntpd. Stop ntp before
  running ntpdate when an interface comes up, then start again afterwards.
+ debian/ntp.init, debian/rules: Only stop when entering single user mode,
  don't use /var/lib/ntp/ntp.conf.dhcp if /etc/ntp.conf is newer - it can
  get stale. Patch by Simon Déziel.
+ debian/ntp.conf, debian/ntpdate.default: Change default server to
  ntp.ubuntu.com.
+ debian/control: Add bison to Build-Depends (for ntpd/ntp_parser.y).
+ Extend PPS support
  - debian/README.Debian: Add a PPS section to the README.Debian
  - debian/ntp.conf: Add some configuration examples from the offical
documentation.
+ SECURITY UPDATE: NTP statsdir cleanup cronjob insecure (LP: #1528050)
  - debian/ntp.cron.daily: fix security issues, patch thanks to halfdog!
  - CVE-2016-0727
+ Merge also contains an upstream fix that solves (LP: #1567540)
  * Added changes
+ match Ubuntu packages now that Debian has ntp apparmor accepted in
  d/control for Apparmor conflicts/replaces
+ d/apparmor-profile add samba winbindd pipe (LP: #1582767)
  * Drop Changes:
+ Add enforcing AppArmor profile (accepted in Debian):
  - debian/control: Add Conflicts/Replaces on apparmor-profiles.
  - debian/control: Add Suggests on apparmor.
  - debian/control: Build-Depends on dh-apparmor.
  - add debian/apparmor-profile*.
  - debian/ntp.dirs: Add apparmor directories.
  - debian/rules: Install apparmor-profile and apparmor-profile.tunable.
  - debian/source_ntp.py: Add filter on AppArmor profile names to prevent
false positives from denials originating in other packages.
  - debian/README.Debian: Add note on AppArmor.
+ Add PPS support (accepted in Debian)
  - debian/control: Add Build-Depends on pps-tools
+ debian/apparmor-profile: allow 'rw' access to /dev/pps[0-9]* devices.
+ d/p/fix_local_sync.patch: fix local clock sync (fixed upstream)
+ debian/patches/ntpdate-fix-lp1526264.patch (fixed upstream):
  - Add Alfonso Sanchez-Beato's patch for fixing the cannot correct dates in
the future bug
+ debian/apparmor-profile: adjust to handle AF_UNSPEC with dgram and stream
+ dropping previous ubuntu security patches/fixes that have been upstreamed
  in 4.2.8p6: CVE-2015-7973, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977,
  CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8158
+ dropping previous ubuntu security patches/fixes that have been upstreamed
  in 4.2.8p7: CVE-2016-1548, CVE-2016-1550, CVE-2016-2516, CVE-2016-2518,
  CVE-2015-7974, CVE-2016-1547

  [ Robie Basak ]
  * Restore AppArmor entries in debian/ntp.dirs.

ntp (1:4.2.8p8+dfsg-1) unstable; urgency=high

  * New usptream version
- Fixes security issues

ntp (1:4.2.8p7+dfsg-4) unstable; urgency=high

  * Update apparmor-profiles-extra again now we now in which version they
removed it.
  * Call dh_apparmor.  Add build-depends on dh-apparmor.  (Closes: #824767)

ntp (1:4.2.8p7+dfsg-3) unstable; urgency=medium

  [ Hideki Yamane ]
  * Properly enable Apparmor profile from Ubuntu (Closes: #823024)
Patch from Hideki Yamane 
  * Update replace/breaks versions of apparmor-profiles-extra
(Closes: #805183)

ntp (1:4.2.8p7+dfsg-2) unstable; urgency=medium

  * Only build-depend on pps-tools on Linux

ntp (1:4.2.8p7+dfsg-1) unstable; urgency=medium

  * New upstream version
This might fix a few CVEs.
  * Drop CVE-2015-5300.patch and CVE-2015-7704.patch now claimed to
be fixed upstream.
  * Remove Bdale from uploaders (Closes: #804377)
  * Remove section about patching the kernel for PPS support, it's already
included in the kernel (Closes: #811171)
  * Pass --build and --host to configure. (Closes: #315935)
Patch from Helmut Grohne 
  * Missing Build-Depends libopts25-dev (which is not implicit in autogen,
because autogen is M-A:foreign).
Patch from Helmut Grohne 
  * Fix ntp.dhcp to also check for pool and better handle spaces and tabs.
(Closes: #809344, #806676)
  * Change watch file to use https (Closes: #793926)
  * Hook into NetworkManager to update ntp servers from dhcp. (Closes:
#778415).  Patch from Helmut Grohne 
  * Build Depend on pps-tools (Closes: #691672)
  * Don't run ntpdate when method is 

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[Robie Basak]

** Also affects: ntp (Ubuntu Xenial)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Triaged
Status in ntp source package in Xenial:
  New

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[ChristianEhrhardt]

@Robie,
I'd intend to do so as the fix is rather easy, but i depends on the co-work of 
the reporter for verification. I'd say yes please create a task but we keep it 
at low prio until verification support takes place. I'll do the nominate.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Triaged

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[Robie Basak]

@Christian

Do you intend to SRU this to Xenial? Should I create a bug task for it?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Triaged

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Re: [Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[ChristianEhrhardt]

Thanks already for your commitment to help!
The final fix is currently in review, as it is  is part of a merge and that
changes much more.

To give you a way to pre-evaluate I put it in a ppa at
https://launchpad.net/~paelzer/+archive/ubuntu/ntp-test-bug-1582767
This silently will tests all other changes as well if they get you or your
environment into any trouble as well.

Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

On Fri, Jul 8, 2016 at 5:09 PM, Eric Delaet  wrote:

> Hi Christian,
>
> Sure, if you have a beta package or so I'm ready to test it. Just
> deployed another server and saw the same behaviour, so it's easy to
> replicate for me and to check if the error is gone.
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/1582767
>
> Title:
>   apparmor permissions missing for winbind
>
> Status in ntp package in Ubuntu:
>   Triaged
>
> Bug description:
>   When using Winbind, ntpd needs to access the Winbind pipe:
>
>   May 17 16:23:15 bo kernel: [   27.598551] type=1400
>   audit(1463494995.048:18): apparmor="DENIED" operation="connect"
>   profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
>   comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
>
>   Would there be any reason not to allow this ? I added the following
>   line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:
>
>   /run/samba/winbindd/pipe rw,
>
>   Thanks!
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions
>

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Triaged

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[Eric Delaet]

Hi Christian,

Sure, if you have a beta package or so I'm ready to test it. Just
deployed another server and saw the same behaviour, so it's easy to
replicate for me and to check if the error is gone.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Triaged

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[ChristianEhrhardt]

Hi,
I was preparing to integrate this change together with a lot of others.
While testing I couldn't get it to trigger the issue you described.

Lacking a "real" ADS to link to I went for a being a PDC on my own - but
at least in that setup the issue didn't show up.

Fortunately the change is small and not very intrusive, so I think we can still 
keep it.
But as a heads up once this will be available in yakkety I'll have to ask you 
to verify this.
I'll ping this bug then to let you know.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Triaged

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[ChristianEhrhardt]

If one can find slight modifications to this conf without needing an
actual real ADS, but still triggering the bug please let me know.

** Attachment added: "samba conf as PDC trying to trigger the bug"
   
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+attachment/4695719/+files/smb.conf

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Triaged

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[ChristianEhrhardt]

Hi Eric,
thanks for sharing.
I think I'm good for now - need to find the time to actually package it which 
has a few other dependencies atm.
If while testing I find that I need more I'll let you know - and certainly for 
this bug I'd love to have you test it as well once it is packaged, built and 
available for testing.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Triaged

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[Eric Delaet]

Hello Christian,

I'm using Samba with winbind to connect to Active Directory as a slave
server. I guess that's why it wants to read the syncronized time. My
Samba setup:

  netbios name = 
  workgroup = 
  realm = 

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[Wesley Wiedenmeier]

** Changed in: ntp (Ubuntu)
 Assignee: Wesley Wiedenmeier (wesley-wiedenmeier) => (unassigned)

** Changed in: ntp (Ubuntu)
 Assignee: (unassigned) => ChristianEhrhardt (paelzer)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Triaged

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[ChristianEhrhardt]

Hi Eric,
adding that rule sounds totally reasonable and we are looking to integrate that.

To ease testing as I never set such a thing up before I wanted to ask if
you could you share some config details how to set it up this way so it
triggers the issue you face?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Triaged

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[Robie Basak]

** Changed in: ntp (Ubuntu)
 Assignee: (unassigned) => Wesley Wiedenmeier (wesley-wiedenmeier)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Triaged

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1582767] Re: apparmor permissions missing for winbind

[Robie Basak]

** Tags added: apparmor bitesize

** Changed in: ntp (Ubuntu)
   Status: New => Triaged

** Changed in: ntp (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1582767

Title:
  apparmor permissions missing for winbind

Status in ntp package in Ubuntu:
  Triaged

Bug description:
  When using Winbind, ntpd needs to access the Winbind pipe:

  May 17 16:23:15 bo kernel: [   27.598551] type=1400
  audit(1463494995.048:18): apparmor="DENIED" operation="connect"
  profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
  comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

  Would there be any reason not to allow this ? I added the following
  line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

  /run/samba/winbindd/pipe rw,

  Thanks!

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp