Control: tags -1 patch confirmed pending
Hi Christian,
On Fri, Feb 23, 2018 at 12:15:54PM +0100, Christian Ehrhardt wrote:
Package: chrony
Version: 3.2-4
Severity: normal
Hi,
I happened to find in [1] that we need to add w to some apparmor rules
for local PPS devices.
TL;DR I enabled all devices as they are in man chrony.conf and got Denies like:
[ 5756.216096] audit: type=1400 audit(1519379582.153:21): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/dev/rtc0" pid=4216 comm="chronyd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
I'd suggest the following for now:
ACK. The same logic is used in chronyd's SELinux policy, for example:
dev_rw_realtime_clock(chronyd_t)
optional_policy(`
ptp4l_rw_shm(chronyd_t)
')
---
--- chrony-3.2/debian/changelog 2018-02-20 18:27:10.0 +0100
+++ chrony-3.2/debian/changelog 2018-02-23 12:14:57.0 +0100
@@ -1,3 +1,10 @@
+chrony (3.2-5) unstable; urgency=medium
+
+ * debian/usr.sbin.chronyd: allow write access to rtc, pps and ptp devices
+as that is how chrony initializes them (LP: #1751241)
+
+ -- Christian Ehrhardt Fri, 23
Feb 2018 12:13:57 +0100
+
chrony (3.2-4) unstable; urgency=medium
* debian/changelog:
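Review bot: the maintainer trailer of the new 3.2-5 entry is broken across two lines and carries no e-mail address (" -- Christian Ehrhardt Fri, 23" / "Feb 2018 12:13:57 +0100"); dpkg-parsechangelog expects a single " -- Name <email>  Day, DD Mon YYYY HH:MM:SS +ZZZZ" line, so the entry will not parse as written. The continuation line "+as that is how chrony initializes them (LP: #1751241)" should also be indented under its bullet, and since only the Launchpad bug is referenced, a Closes: reference to this Debian bug would let the BTS close it on upload.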
diff -Nru chrony-3.2/debian/usr.sbin.chronyd chrony-3.2/debian/usr.sbin.chronyd
--- chrony-3.2/debian/usr.sbin.chronyd 2018-02-08 19:20:27.0 +0100
+++ chrony-3.2/debian/usr.sbin.chronyd 2018-02-23 12:13:48.0 +0100
@@ -32,11 +32,11 @@
# rtc
/etc/adjtime r,
- /dev/rtc{,[0-9]*} r,
+ /dev/rtc{,[0-9]*} rw,
# gps devices
- /dev/pps[0-9]* r,
- /dev/ptp[0-9]* r,
+ /dev/pps[0-9]* rw,
+ /dev/ptp[0-9]* rw,
# For use with clocks that report via shared memory (e.g. gpsd),
# you may need to give ntpd access to all of shared memory, though
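Review bot: the only DENIED line quoted in the report is for /dev/rtc0, while the hunk widens /dev/pps[0-9]* and /dev/ptp[0-9]* to rw as well; the changelog attributes all three to how chrony initializes the devices, so either confirm the PPS/PTP denials from LP #1751241 in the commit text or keep those two lines at r until a matching denial is seen. There is no narrower grant to consider here: AppArmor file rules mediate open() modes, not individual ioctl commands, so w is the least access that lets chronyd open the node O_RDWR, which is also what the SELinux dev_rw_realtime_clock(chronyd_t) cited in the reply allows. The "# gps devices" comment could state that these nodes are opened read-write so the next reader does not narrow them back to r.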
---
[1]: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/1751241
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
Cheers,
Vincent
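To make the diagnosis in this thread reproducible, here is an added Python example (not chrony's, Debian's or either poster's code) that does the part of aa-logprof's job that matters here: it parses AppArmor DENIED audit lines, matches each denied path against the file globs in a profile fragment, and prints the rules that must be added or widened. The profile fragment is the one from the hunk above; the /dev/rtc0 audit line is the one quoted in the report and the /dev/pps0 line is constructed for illustration. The glob translation is an assumption-laden simplification: it handles **, *, ?, [..] and {a,b} but not nested braces, profile variables, or owner/audit/deny qualifiers.

```python
"""Derive AppArmor file-rule widenings from audit DENIED lines.

Added example (not chrony's or Debian's code). Simplifications (assumptions):
only plain "/path perms," rules are parsed, and AppArmor globs are translated
to regex without support for nested braces, variables or rule qualifiers.
"""
import re

AUDIT_RE = re.compile(
    r'apparmor="DENIED"\s+operation="(?P<op>[^"]+)"\s+'
    r'profile="(?P<profile>[^"]+)"\s+name="(?P<name>[^"]+)"'
    r'.*?denied_mask="(?P<mask>[^"]+)"'
)
RULE_RE = re.compile(r'^\s*(?P<path>/\S+)\s+(?P<perms>[a-zA-Z]+),\s*$')
PERM_ORDER = "rwmklxia"  # conventional ordering of AppArmor file permission bits


def glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored compiled regex."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")             # ** crosses directory boundaries
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")          # * stops at '/'
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                   # character class, copied verbatim
            j = pattern.find("]", i)
            if j < 0:
                raise ValueError(f"unterminated [ in {pattern!r}")
            out.append(pattern[i:j + 1])
            i = j + 1
            continue
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}":
            depth -= 1
            out.append(")")
        elif c == "," and depth > 0:
            out.append("|")              # alternation inside {a,b}
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_profile(text):
    """Return [(glob, perms_set)] for every file rule in a profile snippet."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("path"), set(m.group("perms"))))
    return rules


def parse_denials(text):
    """Return [(profile, path, denied_mask_set)] from kernel/audit log lines."""
    found = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            found.append((m.group("profile"), m.group("name"), set(m.group("mask"))))
    return found


def fmt_perms(perms):
    """Render a permission set in AppArmor's usual letter order."""
    known = "".join(p for p in PERM_ORDER if p in perms)
    return known + "".join(sorted(perms - set(PERM_ORDER)))


def suggest_rules(profile_text, audit_text):
    """Rules to add or widen so that every logged denial would be permitted."""
    rules = parse_profile(profile_text)
    widened = {}
    for _profile, path, mask in parse_denials(audit_text):
        granted, matched = set(), None
        for glob, perms in rules:
            if glob_to_regex(glob).match(path):
                granted |= perms
                matched = matched or glob     # widen the first matching rule
        missing = mask - granted
        if not missing:
            continue                          # already covered by the profile
        key = matched or path                 # no rule at all: add a literal path
        base = dict(rules).get(key, set()) if matched else set()
        widened.setdefault(key, set(base)).update(missing)
    return sorted(f"{glob} {fmt_perms(perms)}," for glob, perms in widened.items())


# Profile fragment as shipped before the patch (from the hunk in the report).
PROFILE_BEFORE = """\
  /etc/adjtime r,
  /dev/rtc{,[0-9]*} r,
  /dev/pps[0-9]* r,
  /dev/ptp[0-9]* r,
"""
# The same fragment with the proposed patch applied.
PROFILE_AFTER = """\
  /etc/adjtime r,
  /dev/rtc{,[0-9]*} rw,
  /dev/pps[0-9]* rw,
  /dev/ptp[0-9]* rw,
"""
# First line is the denial quoted in the report; the second is constructed.
AUDIT_LOG = """\
[ 5756.216096] audit: type=1400 audit(1519379582.153:21): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/dev/rtc0" pid=4216 comm="chronyd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[ 5756.300000] audit: type=1400 audit(1519379582.200:22): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/dev/pps0" pid=4216 comm="chronyd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

if __name__ == "__main__":
    print("before patch:", suggest_rules(PROFILE_BEFORE, AUDIT_LOG))
    print("after patch: ", suggest_rules(PROFILE_AFTER, AUDIT_LOG))
```

Run it against `dmesg` or `/var/log/audit/audit.log` output and the installed `/etc/apparmor.d/usr.sbin.chronyd` to get the same answer the report reached by hand: before the patch the rtc and pps globs need `w` added, after it nothing is missing. Because the glob already matching the denied path is widened rather than a literal `/dev/rtc0` rule being appended, the suggestion stays as general as the profile author intended.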