Hello Martin, or anyone else affected, Accepted ntp into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p10+dfsg- 5ubuntu3.1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: ntp (Ubuntu Artful) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-artful -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1727202 Title: [17.10 regression] AppArmor denial: Failed name lookup - disconnected path Status in ntp package in Ubuntu: Fix Released Status in ntp source package in Artful: Fix Committed Status in ntp source package in Bionic: Fix Released Bug description: [Impact] * NTP has new isolation features which makes it trigger apparmor issues. * Those apparmor issues not only clutter the log and make other things less readable, they also prevent ntp from reporting its actual messages. * Fix is opening the apparmor profile to follow ntp through the disconnect by the isolation feature. [Test Case] * This is hard to trigger, but then also not. Which means it is not entirely sorted out when it triggers and when not, but the following does trigger it in tests of Pitti and also mine (while at the same time sometimes it does not - mabye I had other guests or kvm instead of lxd) * First install ntp in Artful (or above unless fixed) * Install ntp and check demsg for denies * Once an issue triggers instead of the error in syslog you'll see the apparmor Deny like: apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 [Regression Potential] * We are slightly opening up the apparmor profile which is far lower risk than adding more constraints. So safe from that POV. * OTOH one could think this might be a security issue, but in fact this isn't a new suggestion if you take a look at [1] with an ack by Seth of the Security Team. [Other Info] * n/a [1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html ---- Merely installing and starting ntp.service in Ubuntu 17.10 now causes this AppArmor violation: audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 (many times). This hasn't happened in earlier Ubuntu releases yet. This was spotted by Cockpit's integration tests, as our "ubuntu- stable" image now moved to 17.10 after its release. ProblemType: Bug DistroRelease: Ubuntu 17.10 Package: ntp 1:4.2.8p10+dfsg-5ubuntu3 ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4 Uname: Linux 4.13.0-16-generic x86_64 ApportVersion: 2.20.7-0ubuntu3 Architecture: amd64 Date: Wed Oct 25 03:19:34 2017 SourcePackage: ntp UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
