[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny
This bug was fixed in the package ntp - 1:4.2.8p10+dfsg-5ubuntu3.2

---
ntp (1:4.2.8p10+dfsg-5ubuntu3.2) artful; urgency=medium

  * d/apparmor-profile: avoid denies on argument checks (LP: #1741227)
  * d/apparmor-profile: fix denial checking for running ntpdate (LP: #1749389)

 -- Christian Ehrhardt  Wed, 14 Feb 2018 13:14:24 +0100

** Changed in: ntp (Ubuntu Artful)
       Status: Fix Committed => Fix Released

** Changed in: ntp (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1749389

Title:
  ntpdate lock apparmor deny

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Fix Released
Status in ntp source package in Artful:
  Fix Released

Bug description:
  [Impact]

   * Apparmor denies access to lock it shares with ntpdate to ensure no
     issues due to concurrent access

  [Test Case]

   1. get a container of target release
   2. install ntp
      apt install ntp
   3. watch dmesg on container-host
      dmesg -w
   4. restart ntp in container
      systemctl restart ntp
      => see (or no more after fix) apparmor denial:
      apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"
   Note: to not be misled, on xenial there is a remaining stdout apparmor
   issue which is bug 1670408

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the
     changes poses a security risk so regression potential on its own
     should be close to zero.

   * There is a potential issue if the locking (that now can succeed) would
     e.g. no more be freed up or the action behind the locking would cause
     issues.

  [Other Info]

   * n/a

  On start/restart ntp has an error in apparmor due to the locking it
  tries to avoid issues running concurrently with ntpdate.

  That looks like:
  apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w"

  The rule we need is:
  /run/lock/ntpdate wk,

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1749389/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny
This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu5.8

---
ntp (1:4.2.8p4+dfsg-3ubuntu5.8) xenial; urgency=medium

  * d/apparmor-profile: fix denial checking for running ntpdate (LP: #1749389)

 -- Christian Ehrhardt  Wed, 14 Feb 2018 13:10:39 +0100
[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny
Verification of proposed:

xenial/artful as is on restart:
[2020349.483870] audit: type=1400 audit(1518622585.386:4875): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-xenial-test_" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16784 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[2020342.768379] audit: type=1400 audit(1518622578.674:4870): apparmor="DENIED" operation="file_inherit" namespace="root//lxd-artful-test_" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=16638 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

After upgrade from proposed:
- 1:4.2.8p4+dfsg-3ubuntu5.8
- 1:4.2.8p10+dfsg-5ubuntu3.2

The messages above are gone - so verified

** Tags removed: verification-needed verification-needed-artful verification-needed-xenial
** Tags added: verification-done verification-done-artful verification-done-xenial
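The verification step in the message above (no more denials for the ntpdate lock after the upgrade), written as a log check. This is an added example, not part of the original thread or the ntp package; the function names are hypothetical, the first two sample records are the ones quoted in the message, and the third is constructed to stand in for unrelated denials that must not fail the check.

```python
import re

# key=value or key="quoted value" pairs as they appear in kernel audit records
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

PROFILE = "/usr/sbin/ntpd"
LOCK = "/run/lock/ntpdate"


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    fields = {key: quoted or bare for key, quoted, bare in _PAIR.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def matching_denials(lines, profile=PROFILE, name=LOCK):
    """Denials for one profile/path pair; other denials are ignored."""
    hits = []
    for line in lines:
        rec = parse_denial(line)
        if rec and rec.get("profile") == profile and rec.get("name") == name:
            hits.append(rec)
    return hits


def lock_denial_fixed(lines):
    """True when the log holds no ntpd denial for the ntpdate lock file."""
    return not matching_denials(lines)


def suggest_rule(denial, extra_perms=""):
    """Build a profile file rule from the denied mask plus optional extras.

    The denial only reports "w"; the rule given in the bug also carries
    "k" (file lock), passed here as extra_perms.
    """
    perms = "".join(dict.fromkeys(denial["denied_mask"] + extra_perms))
    return f'{denial["name"]} {perms},'


# First two records: quoted in the verification message. Third: constructed.
BEFORE_UPGRADE = [
    '[2020349.483870] audit: type=1400 audit(1518622585.386:4875): '
    'apparmor="DENIED" operation="file_inherit" '
    'namespace="root//lxd-xenial-test_" profile="/usr/sbin/ntpd" '
    'name="/run/lock/ntpdate" pid=16784 comm="ntpd" requested_mask="w" '
    'denied_mask="w" fsuid=0 ouid=0',
    '[2020342.768379] audit: type=1400 audit(1518622578.674:4870): '
    'apparmor="DENIED" operation="file_inherit" '
    'namespace="root//lxd-artful-test_" profile="/usr/sbin/ntpd" '
    'name="/run/lock/ntpdate" pid=16638 comm="ntpd" requested_mask="w" '
    'denied_mask="w" fsuid=0 ouid=0',
    '[2020350.000001] audit: type=1400 audit(1518622586.000:4876): '
    'apparmor="DENIED" operation="open" '
    'namespace="root//lxd-xenial-test_" profile="/usr/sbin/ntpd" '
    'name="/constructed/unrelated/path" pid=16784 comm="ntpd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]
# Constructed "after upgrade" log: only the unrelated denial remains.
AFTER_UPGRADE = BEFORE_UPGRADE[2:]

if __name__ == "__main__":
    for rec in matching_denials(BEFORE_UPGRADE):
        print(rec["namespace"], rec["operation"], suggest_rule(rec, "k"))
    print("fixed before upgrade:", lock_denial_fixed(BEFORE_UPGRADE))
    print("fixed after upgrade: ", lock_denial_fixed(AFTER_UPGRADE))
```

Matching on both profile and name keeps a leftover denial for another path from being read as a failed verification.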
[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny
Hello ChristianEhrhardt, or anyone else affected,

Accepted ntp into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p4+dfsg-3ubuntu5.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: ntp (Ubuntu Xenial)
       Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-xenial

** Changed in: ntp (Ubuntu Artful)
       Status: In Progress => Fix Committed

** Tags added: verification-needed-artful
[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny
fix in SRU queue (Artful/Xenial) for review by the SRU Team
[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny
Bionic - ok
SRU Template - ok
Debdiff for X/T checked - ok
Tested X/A upload from ppa - ok.

I identified another issue in the log as bug 1670408 which needs a fix in apparmor - not ntp.
That means this is ok to be uploaded (not gated by that finding).

** Description changed:

[Impact] - * Apparmor denies access to lock it shares with ntpdate to ensure no -issues due to concurrent access + * Apparmor denies access to lock it shares with ntpdate to ensure no + issues due to concurrent access [Test Case] - 1. get a container of target release - 2. install ntp - apt install ntp - 3. watch dmesg on container-host - dmesg -w - 4. restart ntp in container - systemctl restart ntp - => see (or no more after fix) apparmor denie: - apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w" + 1. get a container of target release + 2. install ntp + apt install ntp + 3. watch dmesg on container-host + dmesg -w + 4. restart ntp in container + systemctl restart ntp + => see (or no more after fix) apparmor denie: + apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w" + Note: to not be mislead, on xenial there is a remaining stdout appamor + issue which is bug 1670408 [Regression Potential] - * we are only slightly opening up the apparmor profile, but none of the -changes poses a security risk so regression potential on it's own -should be close to zero. + * we are only slightly opening up the apparmor profile, but none of the + changes poses a security risk so regression potential on it's own + should be close to zero. - * There is a potential issue if the locking (that now can succeed) would -e.g. no more be freed up or the action behind the locking would cause -issues. + * There is a potential issue if the locking (that now can succeed) would + e.g. 
no more be freed up or the action behind the locking would cause + issues. [Other Info] - - * n/a + * n/a - On start/restart nto has an error in apparmor due to the locking it tries to avoid issues running concurrently with ntpdate. + On start/restart nto has an error in apparmor due to the locking it + tries to avoid issues running concurrently with ntpdate. That looks like: apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w" The rule we need is: /run/lock/ntpdate wk,

** Changed in: ntp (Ubuntu Xenial)
       Status: Triaged => In Progress

** Changed in: ntp (Ubuntu Artful)
       Status: Triaged => In Progress
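Review bot: The Note added at the end of [Test Case] names bug 1670408 but gives no way to tell the two denials apart, while step 4 only says "see (or no more after fix)". Suggest stating the pass criterion explicitly as no DENIED record with profile="/usr/sbin/ntpd" and name="/run/lock/ntpdate", so the remaining xenial denial is not read as a failed verification.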
[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny
Missed the right format in changelog :-/, but this is fixed in Bionic by https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p10+dfsg-5ubuntu7

** Changed in: ntp (Ubuntu)
       Status: Triaged => Fix Released
[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny
auto profile replace on upgrade - ok
restart without apparmor issues - ok
[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny
Fix is trivial, but you never know - testing the bionic change in https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3144
[Touch-packages] [Bug 1749389] Re: ntpdate lock apparmor deny
Note: When we open up a SRU for ntp apparmor we should include the minor (but on its own not SRU worthy) fix of bug 1741227

** Description changed:

- On start/restart nto has an error in apparmor due to the locking it - tries to avoid issues running concurrently with ntpdate. + [Impact] + + * Apparmor denies access to lock it shares with ntpdate to ensure no +issues due to concurrent access + + [Test Case] + + 1. get a container of target release + 2. install ntp + apt install ntp + 3. watch dmesg on container-host + dmesg -w + 4. restart ntp in container + systemctl restart ntp + => see (or no more after fix) apparmor denie: + apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w" + + [Regression Potential] + + * we are only slightly opening up the apparmor profile, but none of the +changes poses a security risk so regression potential on it's own +should be close to zero. + + * There is a potential issue if the locking (that now can succeed) would +e.g. no more be freed up or the action behind the locking would cause +issues. + + [Other Info] + + * n/a + + + On start/restart nto has an error in apparmor due to the locking it tries to avoid issues running concurrently with ntpdate. That looks like: apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/ntpd" name="/run/lock/ntpdate" pid=30113 comm="ntpd" requested_mask="w" denied_mask="w" The rule we need is: /run/lock/ntpdate wk,
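Review bot: The added [Regression Potential] section states that none of the changes poses a security risk without showing the change it is judging. Suggest quoting the rule from the end of the description (/run/lock/ntpdate wk,) in that section, so SRU reviewers can see that it grants write and lock on one path.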