Control: tags -1 moreinfo

Hi Martin,

On 2024-10-09 11:14, Martin Maney wrote:
> Package: chrony
> Version: 4.3-2+deb12u1
>
> Similar to old #970421, apparmor blocks chrony from reading
> /sys/class/hwmon/hwmon0/temp1_input, reporting:
>
> audit[2374]: AVC apparmor="DENIED" operation="open"
> profile="/usr/sbin/chronyd"
> name="/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon1/temp1_input" pid=2374
> comm="chronyd" requested_mask="r" denied_mask="r" fsuid=102 ouid=0
>
> Apparently apparmor, or the rule as it exists
>
> @{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r
>
> fails to cope with the common issue in /sys, so many things are
> symlinks! In this case it's /sys/class/hwmon/hwmon0 that is a symlink
> into /sys/devices/pci...
>
> WORKAROUND: just add a symlink in /etc/apparmor.d/disable to the
> chronyd profile and it all works. Truthfully, I have no idea if this
> CAN be fixed using apparmor's capabilities - I'm filing this mostly to
> get the workaround into the record.

As you correctly pointed out, AppArmor is not able to follow symlinks, so
let's try to relax the following rule.

Firstly, could you please re-enable the AppArmor profile and replace:

  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/temp[0-9]*_input r,

with

  @{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_input r,

then run:

  sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.chronyd

This should allow chronyd to read most temperature sensors without having
to override the AppArmor profile.

Cheers,
Vincent
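
Added example (not part of the original message, nor chrony or AppArmor code): a simplified Python matcher for the glob syntax used in the rules above, checked against the path from the quoted audit line. It assumes @{sys} expands to /sys and models only `*`, `**` and `[...]`; the function and constant names are made up for the illustration.

```python
import re

# Rules from the thread, with @{sys} expanded to /sys (assumption).
CLASS_RULE = "/sys/class/hwmon/hwmon[0-9]*/temp[0-9]*_input"
OLD_RULE = ("/sys/devices/virtual/thermal/thermal_zone[0-9]*"
            "/hwmon[0-9]*/temp[0-9]*_input")
NEW_RULE = "/sys/devices/**/hwmon[0-9]*/temp[0-9]*_input"

# Path the report says chronyd reads, and the name= value from the audit line.
OPENED = "/sys/class/hwmon/hwmon0/temp1_input"
MEDIATED = "/sys/devices/pci0000:00/0000:00:18.3/hwmon/hwmon1/temp1_input"


def aa_glob_to_regex(rule):
    """Translate a simplified AppArmor path glob into an anchored regex."""
    out, i = [], 0
    while i < len(rule):
        if rule.startswith("**", i):
            out.append(".*")             # ** may cross '/' boundaries
            i += 2
        elif rule[i] == "*":
            out.append("[^/]*")          # * stays inside one path component
            i += 1
        elif rule[i] == "[":
            end = rule.index("]", i)
            out.append(rule[i:end + 1])  # character class passes through
            i = end + 1
        else:
            out.append(re.escape(rule[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def allowed(rules, path):
    """True if any read rule in the list matches the given path."""
    return any(aa_glob_to_regex(r).match(path) for r in rules)


if __name__ == "__main__":
    for label, rules in (("current rules", [CLASS_RULE, OLD_RULE]),
                         ("with relaxed rule", [CLASS_RULE, NEW_RULE])):
        verdict = "ALLOWED" if allowed(rules, MEDIATED) else "DENIED"
        print(f"{label}: {verdict} {MEDIATED}")
```

The class rule matches the symlink path but not the resolved /sys/devices path that appears in the denial, which is why only the `**` rule changes the outcome.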