I looked a bit around and found another apparmor change which I think will open up a reasonable SRU for ntp on apparmor. And while we do it anyway we can also add this rule.
So this now depends on bug 1749389 completing in Bionic and then can be made one SRU together.

** Changed in: ntp (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: ntp (Ubuntu Artful)
       Status: New => Triaged

** Changed in: ntp (Ubuntu Xenial)
   Importance: Undecided => Low

** Changed in: ntp (Ubuntu Artful)
   Importance: Undecided => Low

https://bugs.launchpad.net/bugs/1741227

Title:
  apparmor denial to several paths to binaries

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Triaged
Status in ntp source package in Artful:
  Triaged

Bug description:
  [Impact]

   * Apparmor denies access to bin directories which the option parsing
     code of ntp touches.

  [Test Case]

  1. get a container of target release
  2. install ntp
     apt install ntp
  3. watch dmesg on container-host
     dmesg -w
  4. restart ntp in container
     systemctl restart ntp
  => see (or no more after fix) apparmor denial:
     apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
     apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the
     changes poses a security risk so regression potential on its own
     should be close to zero.
   * we discussed if this would be a security risk but came to the
     conclusion that r-only should be ok (the same content anyone can grab
     from the archive by installing the packages)

  [Other Info]

   * n/a

  Issue shows up (non fatal) as:
  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Since non crit this is mostly about many of us being curious why it
  actually does do it :-)
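
An added example, not part of the bug report or of the ntp packaging: a Python sketch that parses AppArmor DENIED records like the ones quoted above, groups them by profile and path, and separates read-only denials (the case the report judged acceptable) from anything asking for more than "r". The third and fourth sample lines, and the rule strings it prints, are constructed for illustration; the printed rules are candidates for review, not the rule shipped in the SRU.

```python
import re
from collections import defaultdict

# Lines 1-2 are the denials quoted in the bug. Lines 3-4 are constructed:
# a write denial on a hypothetical path and a non-denial status record.
SAMPLE = '''\
apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/example" pid=23933 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/ntpd" pid=1 comm="apparmor_parser"
'''

# key="quoted value" or key=bare_value
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of one AppArmor DENIED record, or None."""
    fields = {k: (q if q else u) for k, q, u in PAIR.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(log_text):
    """Map (profile, path) to the set of denied permission letters."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_denial(line)
        if f and "name" in f:
            key = (f.get("profile", "?"), f["name"])
            seen[key].update(f.get("denied_mask", ""))
    return seen

def candidate_rules(log_text):
    """Split denials into read-only rule candidates and items needing review."""
    read_only, review = [], []
    for (profile, path), mask in sorted(summarize(log_text).items()):
        if mask == {"r"}:
            # AppArmor file rule syntax: "<path> <perms>,"
            read_only.append((profile, f"{path} r,"))
        else:
            review.append((profile, path, "".join(sorted(mask))))
    return read_only, review

if __name__ == "__main__":
    ro, rv = candidate_rules(SAMPLE)
    for profile, rule in ro:
        print(f"[{profile}] read-only candidate: {rule}")
    for profile, path, mask in rv:
        print(f"[{profile}] needs review: {path} denied_mask={mask}")
```

Feeding it the output of `dmesg` from the container host in step 3 of the test case gives one entry per distinct path, however many times ntp was restarted.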