** Description changed:

+ [Impact]
+ 
+  * An explanation of the effects of the bug on users and
+ 
+  * justification for backporting the fix to the stable release.
+ 
+  * In addition, it is helpful, but not required, to include an
+    explanation of how the upload fixes this bug.
+ 
+ [Test Case]
+ 
+  * This is hard to trigger, but then also not. Which means it is not 
+    entirely sorted out when it triggers and when not, but the following 
+    does trigger it in tests of Pitti and also mine (while at the same time 
+    sometimes it does not - mabye I had other guests or kvm instead of lxd)
+ 
+  * First install ntp in Artful (or above unless fixed)
+    * Then you have to cause soemthing that ntp "needs" to complain about
+      in my case I had spawned more virtual guests and NTP failed to bind 
+      on their virtual interface, but you could setup anything else that it 
+      fails on after the initial start (there it passed over to private 
+      TMP)
+    * Once an issue triggers instead of the error in syslog you'll see the 
+      apparmor Deny like:
+        apparmor="DENIED" operation="sendmsg" info="Failed name lookup - 
+        disconnected path" error=-13 profile="/usr/sbin/ntpd" 
+        name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" 
+        requested_mask="w" denied_mask="w" fsuid=0 ouid=0
+ 
+ [Regression Potential]
+ 
+  * We are slightly opening up the apparmor profile which is far lower risk 
+    than adding more constraints. So safe from that POV.
+ 
+  * OTOH one could think this might be a security issue, but in fact this 
+    isn't a new suggestion if you take a look at [1] with an ack by Seth of 
+    the Security Team.
+ 
+ [Other Info]
+  
+  * n/a
+ 
+ [1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html
+ 
+ ----
+ 
  Merely installing and starting ntp.service in Ubuntu 17.10 now causes
  this AppArmor violation:
  
  audit: type=1400 audit(1508915894.215:25): apparmor="DENIED"
  operation="sendmsg" info="Failed name lookup - disconnected path"
  error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log"
  pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
- 
  
  (many times). This hasn't happened in earlier Ubuntu releases yet.
  
  This was spotted by Cockpit's integration tests, as our "ubuntu-stable"
  image now moved to 17.10 after its release.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 17.10
  Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
  ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
  Uname: Linux 4.13.0-16-generic x86_64
  ApportVersion: 2.20.7-0ubuntu3
  Architecture: amd64
  Date: Wed Oct 25 03:19:34 2017
  SourcePackage: ntp
  UpgradeStatus: No upgrade log present (probably fresh install)
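
Review bot: The [Impact] section at the top of the new description still holds the unfilled template text ("An explanation of the effects of the bug on users and ... justification for backporting the fix to the stable release") instead of the actual impact. Suggest replacing it with what the [Test Case] section already shows: once ntpd has something to report after its initial start, its write to run/systemd/journal/dev-log is denied with "Failed name lookup - disconnected path", so the AppArmor denial appears in syslog in place of the real error. In [Regression Potential], the text says the profile is being opened up slightly but does not name the rule or flag being added; stating the exact profile change there would let a reviewer judge the risk without having to follow [1].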

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor denial: Failed name lookup - disconnected
  path
