[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Gregory P Smith]

I just diagnosed that openntpd on my 18.04.2 server to be broken
(failing to run, the process died after the apparmor denials, no time
adjustments ever happening) until I manually applied the changes
mentioned in #34.

Neither flags=(attach_disconnected) or "/run/systemd/journal/dev-log w,"
had been present in my apparmor.d/usr.sbin.ntpd config file.  package
version 1:6.2p3-1 installed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Gregory P Smith]

(Sadly the bug tracker won't let me change the status from "Won't Fix"
to "Confirmed")

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Christian Ehrhardt ]

With chrony taking over for ntpd and the usage of openntpd dropping next to 
none this really became less and less important over time. It is fixed in ntpd 
and not affecting chrony.
For openntp it seems to be an issue but we wait for a reply to comment #34 as 
far as I read through the updates.
Updating tasks to reflect that.

** Changed in: openntpd (Ubuntu)
   Status: Confirmed => Incomplete

** Changed in: openntpd (Ubuntu Bionic)
   Status: Confirmed => Won't Fix

** Changed in: openntpd (Ubuntu)
   Importance: Undecided => Low

** Tags removed: server-next

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Mathew Hodson]

** No longer affects: ntp (Ubuntu Xenial)

** No longer affects: ntp (Ubuntu Zesty)

** No longer affects: openntpd (Ubuntu Xenial)

** No longer affects: openntpd (Ubuntu Zesty)

** Changed in: openntpd (Ubuntu Artful)
   Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Launchpad Bug Tracker]

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openntpd (Ubuntu Artful)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Launchpad Bug Tracker]

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openntpd (Ubuntu Zesty)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Launchpad Bug Tracker]

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openntpd (Ubuntu Xenial)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Launchpad Bug Tracker]

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openntpd (Ubuntu Bionic)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Launchpad Bug Tracker]

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openntpd (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Andreas Hasenack]

Right, the disconnected flag is in the openntpd (usr.sbin.ntpd) profile,
but not the journal one:

/run/systemd/journal/dev-log w,

What triggers the journal DENIED error? I see it was in the same DENIED
message then had the "disconnected" complaint, but I can't trigger it
(as the bug said in the beginning, the error might not happen all the
time).

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Andreas Hasenack]

Right, the disconnected flag is in the openntpd (usr.sbin.ntpd) profile,
but not the journal one:

/run/systemd/journal/dev-log w,

What triggers the journal DENIED error? I see it was in the same DENIED
message then had the "disconnected" complaint, but I can't trigger it
(as the bug said in the beginning, the error might not happen all the
time).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Seth Arnold]

On Tue, Nov 27, 2018 at 01:22:10AM -, Robert Dinse wrote:
> I have since upgraded to 18.10 and I don't even see an apparmor profile 
> for ntp anymore.

That's curious. This is in the source package:

# vim:syntax=apparmor
#include 

/usr/sbin/ntpd flags=(attach_disconnected) {
  #include 
  #include 

  # conf
  /etc/openntpd/ntpd.conf r,

  # capabilities
  capability kill,
  capability sys_chroot,
  capability setgid,
  capability setuid,
  capability sys_time,
  capability sys_nice,

  /usr/sbin/ntpd mrix,
  /var/lib/openntpd/db/ntpd.drift rw,
  /var/lib/openntpd/run/ntpd.sock rw,

}

It looks like half the change has already been integrated, but not the
systemd-journald socket.

> -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
>   Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
> Knowledgeable human assistance, not telephone trees or script readers.
>   See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874.

Ah this takes me back. :) I learned a huge amount on irc.eskimo.com back
in the day. Belated by two decades, thanks!

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Robert Dinse]

I have since upgraded to 18.10 and I don't even see an apparmor profile 
for ntp anymore.

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
  Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
Knowledgeable human assistance, not telephone trees or script readers.
  See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874.

On Tue, 27 Nov 2018, Seth Arnold wrote:

> Date: Tue, 27 Nov 2018 01:07:37 -
> From: Seth Arnold <1727...@bugs.launchpad.net>
> To: nan...@eskimo.com
> Subject: [Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name
>  lookup - disconnected path
> 
> Andrew, you could try adding:
>
> flags=(attach_disconnected)
>
> to the profile attachment line:
>
> /usr/sbin/ntpd flags=(attach_disconnected) {
>
> And add:
>
> /run/systemd/journal/dev-log w,
>
> to the profile, then run:
>
> apparmor_parser --replace /etc/apparmor.d/usr.sbin.ntpd  # or whatever
> the filename is
>
> See if that lets you get useful logs, any new messages in dmesg or
> auditd logs, etc.
>
> Thanks
>
> ** Also affects: openntpd (Ubuntu)
>   Importance: Undecided
>   Status: New
>
> -- 
> You received this bug notification because you are subscribed to a
> duplicate bug report (1739943).
> https://bugs.launchpad.net/bugs/1727202
>
> Title:
>  [17.10 regression] AppArmor ntp denial: Failed name lookup -
>  disconnected path
>
> Status in ntp package in Ubuntu:
>  Fix Released
> Status in openntpd package in Ubuntu:
>  New
> Status in ntp source package in Xenial:
>  Invalid
> Status in openntpd source package in Xenial:
>  New
> Status in ntp source package in Zesty:
>  Invalid
> Status in openntpd source package in Zesty:
>  New
> Status in ntp source package in Artful:
>  Fix Released
> Status in openntpd source package in Artful:
>  New
> Status in ntp source package in Bionic:
>  Fix Released
> Status in openntpd source package in Bionic:
>  New
>
> Bug description:
>  [Impact]
>
>   * NTP has new isolation features which makes it trigger apparmor issues.
>   * Those apparmor issues not only clutter the log and make other things
>     less readable, they also prevent ntp from reporting its actual
>     messages.
>   * Fix is opening the apparmor profile to follow ntp through the
>     disconnect by the isolation feature.
>
>  [Test Case]
>
>   * This is hard to trigger, but then also not. Which means it is not
>     entirely sorted out when it triggers and when not, but the following
>     does trigger it in tests of Pitti and also mine (while at the same time
>     sometimes it does not - mabye I had other guests or kvm instead of lxd)
>
>   * First install ntp in Artful (or above unless fixed)
>     * Install ntp and check demsg for denies
>     * Once an issue triggers instead of the error in syslog you'll see the
>   apparmor Deny like:
>     apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
>     disconnected path" error=-13 profile="/usr/sbin/ntpd"
>     name="run/systemd/journal/dev-log" pid=5600 comm="ntpd"
>     requested_mask="w" denied_mask="w" fsuid=0 ouid=0
>
>  [Regression Potential]
>
>   * We are slightly opening up the apparmor profile which is far lower risk
>     than adding more constraints. So safe from that POV.
>
>   * OTOH one could think this might be a security issue, but in fact this
>     isn't a new suggestion if you take a look at [1] with an ack by Seth of
>     the Security Team.
>
>  [Other Info]
>
>   * n/a
>
>  [1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html
>
>  
>
>  Merely installing and starting ntp.service in Ubuntu 17.10 now causes
>  this AppArmor violation:
>
>  audit: type=1400 audit(1508915894.215:25): apparmor="DENIED"
>  operation="sendmsg" info="Failed name lookup - disconnected path"
>  error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log"
>  pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
>
>  (many times). This hasn't happened in earlier Ubuntu releases yet.
>
>  This was spotted by Cockpit's integration tests, as our "ubuntu-
>  stable" image now moved to 17.10 after its release.
>
>  ProblemType: Bug
>  DistroRelease: Ubuntu 17.10
>  Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
>  ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
>  Uname: Linux 4.13.0-16-generic x86_64
>  ApportVersion: 2.20.7-0ubuntu3
>  Architecture: 

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Seth Arnold]

Andrew, you could try adding:

flags=(attach_disconnected)

to the profile attachment line:

/usr/sbin/ntpd flags=(attach_disconnected) {

And add:

/run/systemd/journal/dev-log w,

to the profile, then run:

apparmor_parser --replace /etc/apparmor.d/usr.sbin.ntpd  # or whatever
the filename is

See if that lets you get useful logs, any new messages in dmesg or
auditd logs, etc.

Thanks

** Also affects: openntpd (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Andrew Keynes]

Note that this also appears to affect openntpd in the same fashion, see
following for log excerpt of a fresh 18.04 install with the latest
openntpd installation:

Nov 23 13:27:34 gbjcdc01 kernel: [1542242.548426] audit: type=1400
audit(1542941854.500:97): apparmor="DENIED" operation="sendmsg"
info="Failed name lookup - disconnected path" error=-13
profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5693
comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[ChristianEhrhardt]

@Tim - Could you check the ntp apparmor profile if it has the change that was 
made in 1:4.2.8p10+dfsg-5ubuntu4 ?
It is a conffile so if depending on your former changes it might have been not 
updated by default.

Essentially if /etc/apparmor.d/usr.sbin.ntpd has
flags=(attach_disconnected) ?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Tim Ritberg]

Problem still present in 18.04

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Martin Pitt]

The most plausible explanation for enumerating /usr/local/bin/ is that
ntpd has some hooks.d/ mechanism which gets called after syncing the
time, and that runs a shell in between. So IMHO this should be allowed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[ChristianEhrhardt]

FYI - The curiosity of the /usr/local denials will be checked in bug
1741227

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Launchpad Bug Tracker]

This bug was fixed in the package ntp - 1:4.2.8p10+dfsg-5ubuntu3.1

---
ntp (1:4.2.8p10+dfsg-5ubuntu3.1) artful; urgency=medium

  * debian/apparmor-profile: add attach_disconnected which is needed in some
cases to let ntp report its log messages (LP: #1727202).

 -- Christian Ehrhardt   Mon, 18 Dec
2017 13:19:36 +0100

** Changed in: ntp (Ubuntu Artful)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[ChristianEhrhardt]

Discussion lead a bit off of that, but yes it synced for me in a KVM
test.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Robie Basak]

Has anyone actually checked that the new build of ntpd actually still
works, please (eg. can sync the time)? If not, please could somebody
check that?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[ChristianEhrhardt]

Hi Seth, I never checked why it does so but it puzzled me as well, but
whatever it is, it is one of those issues that is a) not really critical
and b) tries to hide (I spawned X/A guests and containers, no more
triggering to take a look at the stack traces of the open - I'm sure it
will be back when I have no time to look at it :-) => Heisenbug)

But then again this denial is a different one to the one addressed in the bug 
here.
So if we - or others - want to continue the discussion on that one we should 
use another bug.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[ChristianEhrhardt]

Thanks Martin for verifying!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[ChristianEhrhardt]

Note for comment #22 - I also had B KVM guests and containers now - but
it really hides from me today :-)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Martin Pitt]

I locally ran Cockpit tests on our current Ubuntu 17.10 image and re-
confirm that I got the "disconnected path" error. I then upgraded the
ntp package to artful-proposed, and *that* violation is now gone. As
others already saw, I now get a test failure on

   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd"
name="/usr/local/sbin/" pid=5938 comm="ntpd" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0

But this is not a regression from this update, and unrelated. So this
SRU is good from my POV. Thanks!

** Tags removed: verification-needed-artful
** Tags added: verification-done-artful

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Seth Arnold]

Why does ntpd try to enumerate the contents of /usr/local/bin/? This in
itself isn't so bad but it certainly is curious.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[ChristianEhrhardt]

While I see the non-crit "other" issue with opening its own binary I can
not confirm the disconnected path issue in a current xenial guest.

Since we knew this appears when trigging the running service to emit an error 
message I tried to force such an error message. I knew on later releases I 
could do so by e.g. spawning another virtual interface to bind on by starting a 
KVM guest (ntp would try to bind on that but fails).
On Xenial I see the error messages without any apparmor related issue.

While I don't know what is different on bug 1475019 (maybe ntp was
manually namespaced on that setup) this bug here "as reported" is a
regression in 17.10.

** Changed in: ntp (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: ntp (Ubuntu Zesty)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[ChristianEhrhardt]

At the same time, @Martin are you going to test this with Cockpit or
manually against (A-)proposed or should I do so?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[ChristianEhrhardt]

Thanks Gordon for the extra info.

There are two things in this actually.
1. the disconnected path goes back more release than assumed
   I added tasks since Xenial on the bug here, but even if (for whatever 
reason) we would decide 
   not to push that to X/Z it would not affect the Artful SRu to be stalled 
once verified to work.

2. the open to its own binary on startup, yes I think I have seen those but 
this is
   a) a separate issue to be filed for it.
   b) so non severe that no one addressed it so far (might be a nice papercut 
bug [1])
   I'd assume it already exists as severity low/whishlist, then just the 
tagging has to be done.

[1]: https://wiki.ubuntu.com/One%20Hundred%20Papercuts

** Also affects: ntp (Ubuntu Zesty)
   Importance: Undecided
   Status: New

** Also affects: ntp (Ubuntu Xenial)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Gordon Lack]

This isn't a 17.10 regression - it's been happening for a few years,
e.g.:

https://bugs.launchpad.net/mos/+bug/1475019

And, FWIW, I added the flags=(attach_disconnected) to the config file
yesterday on one of my systems and whereas it does seem to have removed
the operation="sendmsg" reports, I still get this at boot time:

Dec 28 14:15:53 parent kernel: [   24.127330] audit: type=1400 
audit(1514470553.526:18): apparmor="DENIED" operation="open" 
profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=1086 comm="ntpd" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 28 14:15:53 parent kernel: [   24.127335] audit: type=1400 
audit(1514470553.527:19): apparmor="DENIED" operation="open" 
profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=1086 comm="ntpd" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

[Paul M]

** Summary changed:

- [17.10 regression] AppArmor denial: Failed name lookup - disconnected path
+ [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs