I am suffering from a similar issue, but with slightly different behavior:
<pre>
# journalctl -u ntp
Oct 11 10:23:29 lys-stats ntp[5670]: * Starting NTP server ntpd
Oct 11 10:23:29 lys-stats ntpd[5681]: ntpd [email protected] Wed Oct 5 12:34:45 UTC 2016 (1): Starting
Oct 11 10:23:29 lys-stats ntp[5670]: ...done.
Oct 11 10:23:29 lys-stats systemd[1]: Started LSB: Start NTP daemon.
Oct 11 10:23:29 lys-stats ntpd[5683]: proto: precision = 0.091 usec (-23)
Oct 11 10:23:29 lys-stats ntpd[5683]: restrict 0.0.0.0: KOD does nothing without LIMITED.
Oct 11 10:23:29 lys-stats ntpd[5683]: restrict ::: KOD does nothing without LIMITED.
Oct 11 10:23:29 lys-stats ntpd[5683]: Listen and drop on 0 v6wildcard [::]:123
Oct 11 10:23:29 lys-stats ntpd[5683]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Oct 11 10:23:29 lys-stats ntpd[5683]: ./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error:
Oct 11 10:23:29 lys-stats ntpd[5683]: getting interface addresses: getifaddrs: Permission denied
Oct 11 10:23:29 lys-stats ntpd[5683]: unable to open routing socket (Permission denied) - using polled interface up
Oct 11 10:23:31 lys-stats ntpd[5683]: ./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error:
Oct 11 10:23:31 lys-stats ntpd[5683]: getting interface addresses: getifaddrs: Permission denied
# dmesg -T
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.696:24): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.700:25): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.700:26): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:31 2016] audit: type=1400 audit(1476174211.356:27): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
# apt-cache policy apparmor
apparmor:
  Installed: 2.10.95-0ubuntu2.2
  Candidate: 2.10.95-0ubuntu2.2
  Version table:
 *** 2.10.95-0ubuntu2.2 500
        500 http://archive.ubuntu.com:80/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.10.95-0ubuntu2 500
        500 http://archive.ubuntu.com:80/ubuntu xenial/main amd64 Packages
# apt-cache policy ntp
ntp:
  Installed: 1:4.2.8p4+dfsg-3ubuntu5.3
  Candidate: 1:4.2.8p4+dfsg-3ubuntu5.3
  Version table:
 *** 1:4.2.8p4+dfsg-3ubuntu5.3 500
        500 http://archive.ubuntu.com:80/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     1:4.2.8p4+dfsg-3ubuntu5 500
        500 http://archive.ubuntu.com:80/ubuntu xenial/main amd64 Packages
# cat /etc/ntp.conf
tinker panic 0
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server pool.ntp.org iburst
driftfile /var/lib/ntp/drift
# cat /etc/apparmor.d/usr.sbin.ntpd
# vim:syntax=apparmor
# Updated for Ubuntu by: Jamie Strandboge <[email protected]>
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2009-2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

#include <tunables/global>
#include <tunables/ntpd>

/usr/sbin/ntpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  capability ipc_lock,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,
  capability sys_time,
  capability sys_nice,

  # ntp uses AF_INET, AF_INET6 and AF_UNSPEC
  network dgram,
  network stream,

  @{PROC}/net/if_inet6 r,
  @{PROC}/*/net/if_inet6 r,
  @{NTPD_DEVICE} rw,

  # pps devices are almost exclusively used with NTP
  /dev/pps[0-9]* rw,

  /{,s}bin/ r,
  /usr/{,s}bin/ r,
  /usr/sbin/ntpd rmix,

  /etc/ntp.conf r,
  /etc/ntp.conf.dhcp r,
  /etc/ntpd.conf r,
  /etc/ntpd.conf.tmp r,
  /var/lib/ntp/ntp.conf.dhcp r,
  /etc/ntp.keys r,
  /etc/ntp/** r,

  /etc/ntp.drift rwl,
  /etc/ntp.drift.TEMP rwl,
  /etc/ntp/drift* rwl,
  /var/lib/ntp/*drift rw,
  /var/lib/ntp/*drift.TEMP rw,

  /var/log/ntp w,
  /var/log/ntp.log w,
  /var/log/ntpd w,
  /var/log/ntpstats/clockstats* rwl,
  /var/log/ntpstats/loopstats* rwl,
  /var/log/ntpstats/peerstats* rwl,
  /var/log/ntpstats/protostats* rwl,
  /var/log/ntpstats/rawstats* rwl,
  /var/log/ntpstats/sysstats* rwl,

  /{,var/}run/ntpd.pid w,

  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,

  # For use with clocks that report via shared memory (e.g. gpsd),
  # you may need to give ntpd access to all of shared memory, though
  # this can be considered dangerous. See https://launchpad.net/bugs/722815
  # for details. To enable, add this to local/usr.sbin.ntpd:
  # capability ipc_owner,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.ntpd>
}
# uname -rpv
4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64
</pre>
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1598759
Title:
incomplete apparmor definition for ntpd
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1598759/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
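The report above pairs the symptom (getifaddrs and the routing socket failing with "Permission denied") with its cause: the dmesg audit lines show AppArmor denying ntpd a family="netlink" sock_type="raw" socket, and the shipped profile only grants `network dgram,` and `network stream,`. The audit line already names the narrow rule that would fix it. The following script is an added example, not part of the bug report or of the Ubuntu apparmor package; it turns AppArmor DENIED lines into the rule each one asks for and stages the result in the `local/usr.sbin.ntpd` include that the shipped profile pulls in, which is the supported place for site overrides. The sample audit text is constructed to look like the report's dmesg output; the `/usr/sbin/other` profile, its path and the STATUS line are made up to show that unrelated profiles and non-denial events are filtered out.

```shell
#!/bin/sh
# Added example (not from the bug report or the Ubuntu apparmor package):
# map AppArmor "DENIED" audit lines to the profile rule each one asks for,
# and stage those rules in the site-local override that the shipped
# usr.sbin.ntpd profile already pulls in via "#include <local/usr.sbin.ntpd>".

# Constructed sample, shaped like the dmesg lines in the report. The
# "/usr/sbin/other" file denial and the STATUS line are made up so the
# filtering of other profiles and non-denial events can be seen.
SAMPLE_AUDIT='[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.696:24): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:31 2016] audit: type=1400 audit(1476174211.356:27): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:31 2016] audit: type=1400 audit(1476174211.400:28): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/var/lib/other/state" pid=6001 comm="other" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
[Tue Oct 11 10:23:32 2016] audit: type=1400 audit(1476174212.000:29): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/ntpd" pid=6010 comm="apparmor_parser"'

# Print the value of key="..." from one audit line (empty if the key is absent).
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Turn one DENIED line into a rule. Socket denials become
# "network <family> <type>," (the case in this bug); file denials become
# "<path> <mask>,". Anything else prints nothing, so a human reviews it
# instead of a rule being guessed.
deny_to_rule() {
    line=$1
    case $line in *'apparmor="DENIED"'*) ;; *) return 0 ;; esac
    family=$(audit_field "$line" family)
    if [ -n "$family" ]; then
        printf 'network %s %s,\n' "$family" "$(audit_field "$line" sock_type)"
        return 0
    fi
    name=$(audit_field "$line" name)
    mask=$(audit_field "$line" requested_mask)
    if [ -n "$name" ] && [ -n "$mask" ]; then
        printf '%s %s,\n' "$name" "$mask"
    fi
    return 0
}

# Distinct rules one profile needs. $1 = profile path, stdin = audit lines.
# LC_ALL=C keeps the ordering byte-wise and therefore stable across locales.
rules_for_profile() {
    while IFS= read -r line; do
        [ "$(audit_field "$line" profile)" = "$1" ] || continue
        deny_to_rule "$line"
    done | LC_ALL=C sort -u
}

# Append rules from stdin to <root>/local/<name>, skipping ones already there.
# Use /etc/apparmor.d as <root> on a real host; the demo below uses a tempdir.
write_local_override() {
    root=$1 name=$2
    mkdir -p "$root/local"
    touch "$root/local/$name"
    while IFS= read -r rule; do
        grep -qxF -- "$rule" "$root/local/$name" || printf '%s\n' "$rule" >> "$root/local/$name"
    done
}

# Stage rules for one profile and print the resulting override file.
# $1 = apparmor.d root, $2 = profile path in the audit log, $3 = local file name.
stage_override() {
    root=$1 profile=$2 name=$3
    printf '%s\n' "$SAMPLE_AUDIT" | rules_for_profile "$profile" | write_local_override "$root" "$name"
    cat "$root/local/$name"
}

demo() {
    tmp=$(mktemp -d)
    stage_override "$tmp" /usr/sbin/ntpd usr.sbin.ntpd
    rm -rf "$tmp"
}
demo
```

For the report's four denials this yields a single line, `network netlink raw,`, which is deliberately narrower than a bare `network,`: it grants the routing socket getifaddrs needs and nothing else. On a real host the staged file has to be compiled back into the kernel before it takes effect, with `apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd`, after which the same `dmesg -T | grep 'apparmor="DENIED"'` check should come back empty for ntpd. `aa-logprof` from apparmor-utils does this job interactively and for every rule type; the script above is the offline, reviewable version of the one step this bug needs.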