Hi Tony, yeah this is so far only fixed in Bionic (18.04) onwards. It is not really an issue other than the log message itself (it is not needed for the opt parsing). It occurs "only" on NTP start/restart (since it is arg parsing) so it is not that frequent that it would fill up the log or cause similar secondary issues.

All that makes it a hard case for the SRU policy [1] to make this change in released versions. Until then everybody who bothers about the log message can add:

  /usr/local/{,s}bin/ r,

to /etc/apparmor.d/usr.sbin.ntpd

I'm adding X/A bug tasks and setting Won't Fix to mark that more explicitly. I'm happy to discuss if one thinks this case would qualify for the SRU policy - the change itself is easy enough to be done.

[1]: https://wiki.ubuntu.com/StableReleaseUpdates

** Also affects: ntp (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: ntp (Ubuntu Artful)
   Importance: Undecided
       Status: New

-- 
https://bugs.launchpad.net/bugs/1741227

Title:
  apparmor denial to several paths to binaries

Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Xenial:
  Triaged
Status in ntp source package in Artful:
  Triaged

Bug description:
  [Impact]

   * Apparmor denies access to bin directories which the option parsing code of ntp touches.

  [Test Case]

   1. get a container of target release
   2. install ntp
        apt install ntp
   3. watch dmesg on container-host
        dmesg -w
   4. restart ntp in container
        systemctl restart ntp
   => see (or no more after fix) apparmor denial:
      apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"
      apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r"

  [Regression Potential]

   * we are only slightly opening up the apparmor profile, but none of the changes poses a security risk so regression potential on its own should be close to zero.
   * we discussed if this would be a security risk but came to the conclusion that r-only should be ok (the same content anyone can grab from the archive by installing the packages)

  [Other Info]

   * n/a

  Issue shows up (non fatal) as:
    apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
    apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Since non crit this is mostly about many of us being curious why it actually does do it :-)
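As an added example (not code from the bug report, from Launchpad or from the ntp package), the checking side of the test case above in POSIX shell: it keeps only the AppArmor DENIED lines from a dmesg excerpt, turns each into the rule line a profile would need, and reports which of those rules a given profile file still lacks, honouring the `{,s}` alternation used in the suggested `/usr/local/{,s}bin/ r,` line. The log lines, the profile fragments and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or the ntp package: turn the
# AppArmor DENIED lines from dmesg into profile rules and check a profile
# file for them, expanding {a,b} alternations such as /usr/local/{,s}bin/.
# All log lines, profile fragments and file names below are constructed.

# Constructed dmesg excerpt modelled on the lines quoted in the bug; the
# third line is a profile reload, not a denial, and must be ignored.
SAMPLE_DMESG='apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=23933 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/ntpd" pid=23901 comm="apparmor_parser"'

# Number of lines on stdin; prints a bare 0 for empty input.
count_lines() { awk 'END { print NR }'; }

# Keep only DENIED events and print "profile path denied_mask" per line.
apparmor_denials() {
    sed -n 's/.*apparmor="DENIED".*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2 \3/p'
}

# Expand one {a,b,...} alternation per line; other lines pass through.
expand_braces() {
    while IFS= read -r line; do
        case $line in
            *"{"*"}"*)
                pre=${line%%"{"*}
                rest=${line#*"{"}
                alts=${rest%%"}"*}
                post=${rest#*"}"}
                alts="$alts,"          # trailing sentinel so the last field is emitted
                while [ -n "$alts" ]; do
                    alt=${alts%%,*}
                    alts=${alts#*,}
                    printf '%s%s%s\n' "$pre" "$alt" "$post"
                done
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Write a constructed profile fragment holding the given rule lines.
write_profile() {
    file=$1; shift
    {
        echo '# constructed fragment of /etc/apparmor.d/usr.sbin.ntpd'
        for rule in "$@"; do printf '  %s\n' "$rule"; done
    } >"$file"
}

# Read denials on stdin; print, sorted and deduplicated, the rules of the form
# "<path> <mask>," that the profile file $1 does not already contain literally
# (after stripping comments and indentation and expanding {a,b} alternations).
# Literal matching is deliberately simpler than AppArmor's own globbing: a
# broader existing rule such as "/usr/local/** r," would not be recognised.
missing_rules() {
    expanded=$(grep -v '^[[:space:]]*#' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | expand_braces)
    apparmor_denials | while read -r _profile path mask; do
        rule="$path $mask,"
        printf '%s\n' "$expanded" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
    done | sort -u
}

# Demo: the profile before and after adding the line suggested in the bug.
demo_dir=$(mktemp -d)
write_profile "$demo_dir/old"   '/usr/sbin/ntpd mr,' '/etc/ntp.conf r,'
write_profile "$demo_dir/fixed" '/usr/sbin/ntpd mr,' '/etc/ntp.conf r,' '/usr/local/{,s}bin/ r,'
echo "missing from old profile:"
printf '%s\n' "$SAMPLE_DMESG" | missing_rules "$demo_dir/old"
echo "missing from fixed profile:"
printf '%s\n' "$SAMPLE_DMESG" | missing_rules "$demo_dir/fixed"
rm -rf "$demo_dir"
```

On a real host the input would be `dmesg` (or the kernel audit log) and the file `/etc/apparmor.d/usr.sbin.ntpd`; after editing the profile it has to be reloaded with `apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd` before the restart in step 4 is expected to be clean. The `{,s}` expansion covers only the one-level alternation used in the suggested rule, and the comparison is literal, so it reports a rule as missing even when a wider existing glob already permits the access.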