This bug was fixed in the package ntp - 1:4.2.8p10+dfsg-5ubuntu3.2 --------------- ntp (1:4.2.8p10+dfsg-5ubuntu3.2) artful; urgency=medium
* d/apparmor-profile: avoid denies on argument checks (LP: #1741227) * d/apparmor-profile: fix denial checking for running ntpdate (LP: #1749389) -- Christian Ehrhardt <christian.ehrha...@canonical.com> Wed, 14 Feb 2018 13:14:24 +0100 ** Changed in: ntp (Ubuntu Artful) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1741227 Title: apparmor denial to several paths to binaries Status in ntp package in Ubuntu: Fix Released Status in ntp source package in Artful: Fix Released Bug description: [Impact] * Apparmor denies access to bin directories which the option parsing code of ntp touches. [Test Case] 1. get a container of target release 2. install ntp apt install ntp 3. watch dmesg on container-host dmesg -w 4. restart ntp in container systemctl restart ntp => see (or no more after fix) apparmor denie: apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" [Regression Potential] * we are only slightly opening up the apparmor profile, but none of the changes poses a security risk so regression potential on it's own should be close to zero. * we discussed if this would be a security risk but came to the conclusion that r-only should be ok (the same content anyone can grab from the archive by installing the packages) [Other Info] * n/a Issue shows up (non fatal) as: apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Since non crit this is mostyl about many of us being curious why it actually does do it :-) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1741227/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp