Dear Vinzenz,
of course. I found lines like this repeating...
/var/log/syslog.1:Jan 27 16:32:53 atppc025 kernel: [76912.418852] audit:
type=1400 audit(1643297573.801:17): apparmor="DENIED" operation="open"
profile="/usr/sbin/chronyd" name="/run/timemaster/chrony.conf"
pid=219959 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Best,
Michael
On 01.02.22 19:30, Vincent Blut wrote:
Control: tags -1 moreinfo
Hi Michael,
Le 2022-02-01 15:43, Michael Lestinsky a écrit :
Package: chrony
Version: 4.0.8+deb11u1
Dear everyone,
thank you for maintaining the chrony package. While tinkering with a PTP
setup, I discovered a slight inconsistency in the default configuration.
Maybe the maintainers would like to consider the following suggestion:
--- etc/apparmor.d/usr.sbin.chronyd 2021-10-19 22:02:40.000000000 +0200
+++ /etc/apparmor.d/usr.sbin.chronyd 2022-01-27 17:13:59.249409806 +0100
@@ -41,6 +41,7 @@
/etc/chrony/{,**} r,
/var/lib/chrony/{,*} rw,
/var/log/chrony/{,*} rw,
+ @{run}/timemaster/chrony.conf r,
@{run}/chrony/{,*} rw,
@{run}/chrony-dhcp/{,*} r,
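Review bot: The added rule `@{run}/timemaster/chrony.conf r,` has no comment saying why chronyd needs to read a configuration file outside /etc/chrony, so a later reader of the profile cannot tell what depends on it; a one-line comment above it naming timemaster as the source of that file would help. The scope itself is tight: a single file, read-only, which matches the `requested_mask="r"` in the denial quoted at the top of this thread. A smaller point on the header: the `---` path is relative (`etc/apparmor.d/...`) while the `+++` path is absolute (`/etc/apparmor.d/...`), so the patch does not apply cleanly with one strip level; regenerating it with matching prefixes on both sides would fix that.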
Looks good! For the avoidance of doubt, could you please show the denied log
entry AppArmor generates when the above rule is missing?
Best,
Michael
Cheers,
Vincent