Control: flags -1 + unreproducible

On 28.11.2017 22:26, Nuno Oliveira wrote:

Hello Nuno,

> Package: ntp
> Version: 1:4.2.8p10+dfsg-5
> Severity: important
>
> Dear Maintainer,
>
> With the current apparmor profile, the ntp daemon does not start. The log is:
>
> type=SERVICE_STOP msg=audit(1511903874.826:12511): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=ntp comm="systemd"
> exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> type=AVC msg=audit(1511903874.837:12512): apparmor="DENIED" operation="open"
> profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=27228 comm="ntpd"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=SYSCALL msg=audit(1511903874.837:12512): arch=c000003e syscall=2
> success=no exit=-13 a0=7ffd1600eaa0 a1=90800 a2=7ffd1600eab0 a3=0 items=0
> ppid=1 pid=27228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd"
> key=(null)
> type=PROCTITLE msg=audit(1511903874.837:12512):
> proctitle=2F7573722F7362696E2F6E747064002D70002F7661722F72756E2F6E7470642E706964002D67002D75003130373A313234
> type=AVC msg=audit(1511903874.837:12513): apparmor="DENIED" operation="open"
> profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=27228 comm="ntpd"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=SYSCALL msg=audit(1511903874.837:12513): arch=c000003e syscall=2
> success=no exit=-13 a0=7ffd1600eaa0 a1=90800 a2=7ffd1600eaaf a3=0 items=0
> ppid=1 pid=27228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd"
> key=(null)
> type=PROCTITLE msg=audit(1511903874.837:12513):
> proctitle=2F7573722F7362696E2F6E747064002D70002F7661722F72756E2F6E7470642E706964002D67002D75003130373A313234
> type=SERVICE_START msg=audit(1511903874.842:12514): pid=1 uid=0
> auid=4294967295 ses=4294967295 msg='unit=ntp comm="systemd"
> exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

I can confirm the apparmor denials, however I cannot reproduce startup
errors caused by this.

root@debiantesting:~# dmesg | grep ntp
[ 0.004000] Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes)
[ 2.340760] audit: type=1400 audit(1511906730.152:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/ntpd" pid=356 comm="apparmor_parser"
[ 2.430519] audit: type=1400 audit(1511906730.241:6): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=396 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 2.430521] audit: type=1400 audit(1511906730.241:7): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=396 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

root@debiantesting:~# pgrep -a ntp
405 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 107:111

ntpq> pe
     remote           refid      st t when poll reach    delay   offset  jitter
==============================================================================
 0.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 1.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 2.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 3.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
 stratum2-4.NTP. 129.70.130.70    2 u   20   64    3   26.691   -0.288   0.645
 isis.uni-paderb .DCF.            1 u   12   64    7   25.275   -0.395   1.016
*ntp0.rrze.uni-e .GPS.            1 u   52   64    7   22.880   -0.537   0.433
 aprs.link       192.53.103.108   2 u   51   64    7   18.672    1.832   0.738
 schubhart.de    131.188.3.222    2 u   66   64    3   18.309   -2.775   0.966
 business-90-187 .PPS.            1 u   62   64    3   30.417   -3.321   1.442

Bernhard
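
Added example, not part of the original message or of the ntp package: a small Python triage helper that groups the audit records quoted above by event serial, pairs each AppArmor denial with its SYSCALL record, and decodes the hex PROCTITLE and the open(2) flags in a1. The function names are hypothetical, and the sample input is constructed from one event in the report, with records joined onto single lines and the SYSCALL record trimmed.

```python
import re

# Constructed input: one denial event from the report above, one record per
# line, with the SYSCALL record trimmed to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1511903874.837:12512): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=27228 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1511903874.837:12512): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1600eaa0 a1=90800 a2=7ffd1600eab0 a3=0 items=0 ppid=1 pid=27228 comm="ntpd" exe="/usr/sbin/ntpd"
type=PROCTITLE msg=audit(1511903874.837:12512): proctitle=2F7573722F7362696E2F6E747064002D70002F7661722F72756E2F6E7470642E706964002D67002D75003130373A313234
"""

HEADER = re.compile(r'type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# open(2) flag bits on x86_64 Linux
OPEN_FLAGS = {0x800: "O_NONBLOCK", 0x10000: "O_DIRECTORY", 0x80000: "O_CLOEXEC"}

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, serial, rest = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
            events.setdefault(int(serial), {})[rtype] = fields
    return events

def decode_proctitle(value):
    """Hex-encoded PROCTITLE is argv joined by NUL bytes; plain text passes through."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace").split("\x00")
    except ValueError:
        return [value]

def decode_open_flags(hexval):
    """Name the access mode and the known flag bits of an open(2) flags argument."""
    flags = int(hexval, 16)
    names = [("O_RDONLY", "O_WRONLY", "O_RDWR", "?")[flags & 3]]
    return names + [n for bit, n in OPEN_FLAGS.items() if flags & bit]

def summarize_denials(text):
    """One dict per AppArmor DENIED event, joined with its SYSCALL and PROCTITLE."""
    out = []
    for serial, recs in sorted(parse_events(text).items()):
        avc, sc = recs.get("AVC", {}), recs.get("SYSCALL", {})
        if avc.get("apparmor") != "DENIED":
            continue
        # syscall 2 is open(2) only for arch=c000003e (x86_64)
        is_open = sc.get("arch") == "c000003e" and sc.get("syscall") == "2"
        out.append({
            "serial": serial, "profile": avc.get("profile"), "path": avc.get("name"),
            "denied_mask": avc.get("denied_mask"), "exit": int(sc.get("exit", 0)),
            "open_flags": decode_open_flags(sc["a1"]) if is_open else [],
            "argv": decode_proctitle(recs.get("PROCTITLE", {}).get("proctitle", "")),
        })
    return out
```

For the sample event this reports a read-only O_DIRECTORY open of /usr/local/sbin/ under profile /usr/sbin/ntpd failing with exit -13 (EACCES), from a process whose argv decodes to /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 107:124.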