I'm sorry for the very delayed response...If I'm understanding this correctly, you are using a udev rule to create a symlink from /dev/refclock-0 to /dev/ttyUSB0 (or whatever number).
I'm not sure how AppArmor deals with symlinks in this context. Does it work if you just allow the /dev/refclock pattern and not the /dev/ttyUSB pattern?
You can customize for your local device with /etc/apparmor.d/tunables/ntpd. If you only need one device pattern, then you can just fill that in and it's simple. If you need more than one, I'm less sure. The comment in there mentions devices plural, though the variable name is NTPD_DEVICE singular.
This seems to indicate that they can be lists, but I'm not sure if using a list would make sense given where the variable is used:
https://documentation.suse.com/sles/15-SP6/html/SLES-all/cha-apparmor-profiles.html#sec-apparmor-profiles-glob-variablesAnother option might be to use a singular pattern that matches both, e.g. @{NTPD_DEVICE}="/dev/{refclock,USB}[0-9]*"
-- Richard
OpenPGP_signature.asc
Description: OpenPGP digital signature
