Package: chrony
Version: 4.3-2+deb12u1
Similar to old #970421, apparmor blocks chrony from reading
/sys/class/hwmon/hwmon0/temp1_input, reporting:
audit[2374]: AVC apparmor="DENIED" operation="open"
profile="/usr/sbin/chronyd"
name="/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon1/temp1_input" pid=2374
comm="chronyd" requested_mask="r" denied_mask="r" fsuid=102 ouid=0
Apparently apparmor, or the rule as it exists
@{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r
fails to cope with the common issue in /sys, so many things are
symlinks! In this case it's /sys/class/hwmon/hwmon0 that is a symlink
into /sys/devices/pci...
WORKAROUND: just add a symlink in /etc/apparmor.d/disable to the
chronyd profile and it all works. Truthfully, I have no idea if this
CAN be fixed using apparmor's capabilities - I'm filing this mostly to
get the workaround into the record.
Thanks for the chrony package, but apparmor is like spam -
whack-a-mole, standing on its head.
--
But... they make things up. And that’s not a current bug
that can be easily fixed in the future: it’s fundamental
to how a language model works. -- Simon Willison
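
An added illustration, not part of the report and not code from chrony or AppArmor: AppArmor checks the path after symlinks are resolved, which is the name= value in the denial, so the sketch below parses that denial and tests the resolved path against the profile rule quoted above. The glob matcher is a simplified approximation of AppArmor's, @{sys} is assumed to expand to /sys/, and CANDIDATE_RULE is a hypothetical, untested pattern rather than the package's fix.

```python
import re

# Constructed: the denial quoted in the report, joined onto one line.
AVC_LINE = ('audit[2374]: AVC apparmor="DENIED" operation="open" '
            'profile="/usr/sbin/chronyd" '
            'name="/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon1/temp1_input" '
            'pid=2374 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=102 ouid=0')

PROFILE_RULE = "@{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input"   # rule from the report
CANDIDATE_RULE = "@{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_input"  # hypothetical, untested

def parse_avc(line):
    """Return the key=value fields of an audit line as a dict."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}

def rule_to_regex(rule):
    """Approximate AppArmor globbing: '*' and '?' stop at '/', '**' does not.
    Assumes @{sys} is /sys/; {a,b} alternation is not handled."""
    rule = re.sub(r"/{2,}", "/", rule.replace("@{sys}", "/sys/"))
    out, i = [], 0
    while i < len(rule):
        if rule.startswith("**", i):
            out.append(".*")
            i += 2
        elif rule[i] == "*":
            out.append("[^/]*")
            i += 1
        elif rule[i] == "?":
            out.append("[^/]")
            i += 1
        elif rule[i] == "[":
            end = rule.index("]", i)
            out.append(rule[i:end + 1])  # character class is regex-compatible
            i = end + 1
        else:
            out.append(re.escape(rule[i]))
            i += 1
    return re.compile("".join(out))

def rule_allows(rule, path):
    """True if the whole resolved path matches the rule's path pattern."""
    return rule_to_regex(rule).fullmatch(path) is not None

if __name__ == "__main__":
    denied = parse_avc(AVC_LINE)["name"]
    for rule in (PROFILE_RULE, CANDIDATE_RULE):
        print(f"{rule_allows(rule, denied)!s:5}  {rule}")
```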