Control: tags -1 - moreinfo + pending

On 2022-02-01 19:43, Michael Lestinsky wrote:
> On 01.02.22 19:30, Vincent Blut wrote:
> > Control: tags -1 moreinfo
> >
> > Hi Michael,
> >
> > On 2022-02-01 15:43, Michael Lestinsky wrote:
> > > Package: chrony
> > > Version: 4.0.8+deb11u1
> > >
> > > Dear everyone,
> > >
> > > thank you for maintaining the chrony package. While tinkering with a PTP
> > > setup, I discovered a slight inconsistency in the default configuration.
> > > Maybe the maintainers would like to consider the following suggestion:
> > >
> > > --- etc/apparmor.d/usr.sbin.chronyd 2021-10-19 22:02:40.000000000 > > > +0200 > > > +++ /etc/apparmor.d/usr.sbin.chronyd 2022-01-27 17:13:59.249409806 > > > +0100 > > > @@ -41,6 +41,7 @@ > > > /etc/chrony/{,**} r, > > > /var/lib/chrony/{,*} rw, > > > /var/log/chrony/{,*} rw, > > > + @{run}/timemaster/chrony.conf r, > > > @{run}/chrony/{,*} rw, > > > @{run}/chrony-dhcp/{,*} r,
> >
> > Looks good! For the avoidance of doubt, could you please show the denied log
> > entry AppArmor generates when the above rule is missing?
> >
> > > Best,
> > > Michael
> >
> > Cheers,
> > Vincent
>
> Dear Vinzenz,
>
> of course. I found lines like this repeating...
>
> /var/log/syslog.1:Jan 27 16:32:53 atppc025 kernel: [76912.418852] audit:
> type=1400 audit(1643297573.801:17): apparmor="DENIED" operation="open"
> profile="/usr/sbin/chronyd" name="/run/timemaster/chrony.conf" pid=219959
> comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Great! Thanks Michael.

This issue will first be fixed in testing/unstable and then in bullseye and buster. Since the next point releases for those two are not yet planned, you'll have to override the shipped AppArmor profile in the meantime.

Cheers,
Vincent
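
Review bot: the added "@{run}/timemaster/chrony.conf r," line, placed between the /var/log/chrony/ and @{run}/chrony/ rules, carries no comment explaining why chronyd may read a configuration file outside /etc/chrony/. A one-line comment above it naming timemaster as the source of that file would keep the exception auditable. The rule itself is tight (a single file, read only) and matches the quoted denial (operation="open", requested_mask="r"), but that log entry only shows the first blocked access; it is worth rerunning with the rule in place and checking for further DENIED entries under /run/timemaster/ before the profile change is finalised.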