Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
The AppArmor profile for chronyd does not include a rule to read the chronyd configuration file generated by the timemaster program.

[ Impact ]
Without the proposed fix, users must override the AppArmor profile (or at worst set the profile to complain mode) to flawlessly use chronyd with timemaster.

[ Tests ]
I checked that AppArmor no longer sends 'denied' log entries as seen in #1004745 when using chronyd with timemaster.

[ Risks ]
Low. An equivalent fix has been in testing/unstable for over a month now without any regression so far.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Adding a rule in the AppArmor profile to allow chronyd to read the configuration file /run/timemaster/chrony.conf

Cheers,
Vincent

diff -Nru chrony-4.0/debian/changelog chrony-4.0/debian/changelog --- chrony-4.0/debian/changelog 2021-10-19 22:02:40.000000000 +0200 +++ chrony-4.0/debian/changelog 2022-03-14 22:17:25.000000000 +0100 @@ -1,3 +1,11 @@ +chrony (4.0-8+deb11u2) bullseye; urgency=medium + + * debian/usr.sbin.chronyd: + - Allow reading the chronyd configuration file that timemaster(8) + generates. Thanks to Michael Lestinsky for the report! (Closes: #1004745) + + -- Vincent Blut <vincent.deb...@free.fr> Mon, 14 Mar 2022 22:17:25 +0100 + chrony (4.0-8+deb11u1) bullseye; urgency=medium * debian/patches/: diff -Nru chrony-4.0/debian/usr.sbin.chronyd chrony-4.0/debian/usr.sbin.chronyd --- chrony-4.0/debian/usr.sbin.chronyd 2021-10-19 22:02:40.000000000 +0200 +++ chrony-4.0/debian/usr.sbin.chronyd 2022-03-14 22:17:25.000000000 +0100 @@ -67,6 +67,9 @@ /dev/pps[0-9]* rw, /dev/ptp[0-9]* rw, + # Allow reading the chronyd configuration file that timemaster(8) generates + @{run}/timemaster/chrony.conf r, + # For use with clocks that report via shared memory (e.g. gpsd), # you may need to give ntpd access to all of shared memory, though # this can be considered dangerous. See https://launchpad.net/bugs/722815
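Review bot: In the debian/changelog hunk (@@ -1,3 +1,11 @@), the new 4.0-8+deb11u2 entry does not name the path or the permission being granted. Consider stating `@{run}/timemaster/chrony.conf` and that access is read-only in the entry, so the scope of the stable update can be judged from the changelog alone.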
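Review bot: In the debian/usr.sbin.chronyd hunk (@@ -67,6 +67,9 @@), the added rule depends on the `@{run}` variable, which is defined outside the visible lines; confirm the profile pulls in the tunables that define it, since the profile will not load if the variable is undefined. The rule itself is scoped tightly: one exact file with `r` only, and no glob over `@{run}/timemaster/`. If chronyd later needs other files from that directory, add them as separate exact-path rules rather than widening this one.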