I'm seeing a similar issue: Feb 18 12:02:12 fidelity kernel: [ 55.945224] audit: type=1400 audit(1518984132.951:11): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=2474 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Feb 18 12:02:12 fidelity kernel: [ 55.945230] audit: type=1400 audit(1518984132.951:12): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=2474 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
I think that part of the problem is that I have /usr/local in my path: # ps ax | grep ntp ntp 2563 0.0 0.1 10020 3044 ? Ssl 12:02 0:00 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 111:113 # cat /proc/2563/environ JOURNAL_STREAM=9:19427PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binINVOCATION_ID=5defcd39b2f748c39d7b90e20b4f2469LANG=en_USPWD=/ so I assume that it's searching the path for a binary. the /usr/local bit is defined in /etc/profile it works for me, so not going to worry about it for now.
