Verification of Proposed:
[2020342.769272] audit: type=1400 audit(1518622578.674:4871): apparmor="DENIED" 
operation="open" namespace="root//lxd-artful-test_<var-snap-lxd-common-lxd>" 
profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=16638 comm="ntpd" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[2020342.769282] audit: type=1400 audit(1518622578.674:4872): apparmor="DENIED" 
operation="open" namespace="root//lxd-artful-test_<var-snap-lxd-common-lxd>" 
profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=16638 comm="ntpd" 
requested_mask="r" denied_mask="r" fsuid=0 ouid=0


After upgrade from proposed:
- 1:4.2.8p10+dfsg-5ubuntu3.2

The messages above are gone - so verified

** Tags removed: verification-needed verification-needed-artful
** Tags added: verification-done verification-done-artful

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1741227

Title:
  apparmor denial to several paths to binaries

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Artful:
  Fix Committed

Bug description:
  [Impact]

   * Apparmor denies access to bin directories which the option parsing code 
     of ntp touches.

  [Test Case]

   1. get a container of target release
   2. install ntp
      apt install ntp
   3. watch dmesg on container-host
      dmesg -w
   4. restart ntp in container
      systemctl restart ntp
   => see (or no more after fix) apparmor denie:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the
     changes poses a security risk so regression potential on it's own
     should be close to zero.

   * we discussed if this would be a security risk but came to the 
     conclusion that r-only should be ok (the same content anyone can grab 
     from the archive by installing the packages)

  [Other Info]

   * n/a

  Issue shows up (non fatal) as:
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
   apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" 
name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" 
fsuid=0 ouid=0

  Since non crit this is mostyl about many of us being curious why it
  actually does do it :-)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1741227/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to