For the SRU later on, note the steps to reproduce:

Trigger #1 - add to chrony conf a line like:
  refclock SOCK /var/run/chrony.ttyS0.sock
(does not need gpsd to really attach, so no special HW needed)

See Deny in dmesg:
[929890.257312] audit: type=1400 audit(1526282225.749:636): apparmor="DENIED" 
operation="mknod" namespace="root//lxd-b_<var-snap-lxd-common-lxd>" 
profile="/usr/sbin/chronyd" name="/run/chrony.ttyS0.sock" pid=13991 
comm="chronyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
See Error on socket bind:
  chronyd[19700]: Fatal error : bind() failed


Trigger #2 - add to chrony conf a line like:
  tempcomp /sys/class/hwmon/hwmon0/temp2_input 30 /etc/chrony.tempcomp
(does not need real temp sensor, so no special HW needed)

See Deny in dmesg:
[930097.115771] audit: type=1400 audit(1526282432.609:639): apparmor="DENIED" 
operation="open" namespace="root//lxd-b_<var-snap-lxd-common-lxd>" 
profile="/usr/sbin/chronyd" name="/etc/chrony.tempcomp" pid=14651 
comm="chronyd" requested_mask="r" denied_mask="r" fsuid=114 ouid=0
See Error:
  May 14 07:20:32 b chronyd[19765]: Fatal error : Could not open tempcomp point 
file /etc/chrony.tempcomp
(Once fixed, this init is passed; for a fully working temperature compensation 
you'd need special HW, of course)


Trigger #3 - add to chrony conf a line like:
  ntpsigndsocket /var/lib/samba/ntp_signd
On Init you see:
  chronyd[19797]: MS-SNTP authentication enabled
In samba ntp_signd is part of the default services and /var/lib/samba/ntp_signd 
is the default path (See man smb.conf).
This would need a rather complex samba setup to fully trigger, but we can 
follow the man pages on that. From that one has to learn that the path is 
actually a dir, so adapt that to be:
  # To sign replies to MS-SNTP clients by the smbd daemon
  /var/lib/samba/ntp_signd r,
  /var/lib/samba/ntp_signd/{,*} rw,
I'd avoid the smb setup for now and trust the man pages - furthermore we had 
the same rule for ntp (actually with a wrong path, as it seems, in the very old 
bug 930266)

All issues gone with the suggested rules - making it part of the merge
proposal as suggested.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1771028

Title:
  Apparmor profile for chronyd needs to allow creation of
  /var/run/chrony.tty*.sock

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/1771028/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
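
An added example, not part of the original bug comment and not code from chrony or the AppArmor tools: a small Python script that turns the DENIED audit lines quoted in triggers #1 and #2 into candidate profile rules. The sample input is those two log lines re-joined onto one line each; the function names are hypothetical.

```python
import re

# Constructed sample: the two denials quoted in the comment, one line each.
SAMPLE_DMESG = (
    '[929890.257312] audit: type=1400 audit(1526282225.749:636): apparmor="DENIED" '
    'operation="mknod" namespace="root//lxd-b_<var-snap-lxd-common-lxd>" '
    'profile="/usr/sbin/chronyd" name="/run/chrony.ttyS0.sock" pid=13991 '
    'comm="chronyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0\n'
    '[930097.115771] audit: type=1400 audit(1526282432.609:639): apparmor="DENIED" '
    'operation="open" namespace="root//lxd-b_<var-snap-lxd-common-lxd>" '
    'profile="/usr/sbin/chronyd" name="/etc/chrony.tempcomp" pid=14651 '
    'comm="chronyd" requested_mask="r" denied_mask="r" fsuid=114 ouid=0\n'
)

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Log masks -> profile permissions. Create (c) and delete (d) are both
# granted by "w" in a profile. Exec (x) is left out on purpose: an exec
# rule needs a transition qualifier that a log line cannot decide.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}
PERM_ORDER = "rwaklm"


def parse_denials(text):
    """Yield the key=value fields of every AppArmor DENIED audit line."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        yield {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
               for m in FIELD.finditer(line)}


def suggest_rules(text):
    """Return {profile: [rule, ...]} with denied masks merged per path."""
    perms = {}
    for d in parse_denials(text):
        path, mask = d.get("name", ""), d.get("denied_mask", "")
        # Names that are not absolute paths (e.g. hex-encoded by audit)
        # are skipped and left for manual review.
        if "profile" not in d or not path.startswith("/"):
            continue
        granted = {MASK_TO_PERM[c] for c in mask if c in MASK_TO_PERM}
        perms.setdefault((d["profile"], path), set()).update(granted)
    rules = {}
    for (profile, path), p in sorted(perms.items()):
        if p:
            flags = "".join(c for c in PERM_ORDER if c in p)
            rules.setdefault(profile, []).append(f"  {path} {flags},")
    return rules
```

The rules come out with the literal paths from the denials (note `/run/...`, as logged, rather than the `/var/run/...` written in the chrony config); widening them to a glob such as the `chrony.tty*.sock` of the bug title is a reviewer's decision.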