http://bugzilla.opensuse.org/show_bug.cgi?id=1076247
http://bugzilla.opensuse.org/show_bug.cgi?id=1076247#c4

--- Comment #4 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to Achim Gratz from comment #3)
> Yes, I have statsdir /var/log/ntpstats as is standard.
Good to know, thanks!
> (In reply to Christian Boltz from comment #2)
> > One of the upstream developers doubts the 'l' (link) permission is really needed, and since I don't have a stratum-0 refclock, I'd like to ask you to test this ;-)
> Huh? What upstream developer was that?
An upstream AppArmor developer with the goal to keep the profile as restrictive as possible ;-)
> If you care to look, the *stat files in that directory are always hardlinked to the *stat20180123 files for the same date and unlinked/relinked on date rollover. So you do need to be able to create hardlinks.
Thanks for the explanation and the additional testing. That makes it obvious that 'l' permissions are really needed.
> If you want to simplify the rules you might use a glob there and require that everything is owned by ntp/ntp, that should have the same effect.
That would mean to prefix those rules with the owner keyword:

owner /var/log/ntpstats/clockstats* lrw,
owner /var/log/ntpstats/loopstats* lrw,
owner /var/log/ntpstats/peerstats* lrw,

Can you please test if ntpd still works with the owner keyword added?
> Another thing to add as comment to ntp.conf: mention NTPD_DEVICE and how to add any devices configured for refclocks in /etc/apparmor.d/tunables/ntpd.
Indeed, that makes sense.
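An added example, not part of the bug comment or of the AppArmor or ntp projects: a shell check that a statsdir meets both conditions discussed above before the `owner` keyword is added, namely that each current stats file is a hardlink to a dated file and that every file is owned by the expected user. The function name `check_statsdir`, the sample file names and the use of GNU `stat -c` are assumptions of this example.

```shell
#!/bin/bash
# Added example: audit an ntpd statsdir before tightening the AppArmor rules.
# check_statsdir DIR UID returns 0 only if, for every stats type present,
# the current file is a hardlink to one of the dated files and all of them
# are owned by UID. Findings are printed one per line.
check_statsdir() (
    dir=$1 want_uid=$2 rc=0
    for kind in clockstats loopstats peerstats; do
        cur="$dir/$kind"
        [ -e "$cur" ] || continue            # this stats type is not in use
        linked=no
        for f in "$cur" "$cur"?*; do         # same files the profile glob covers
            [ -e "$f" ] || continue          # glob matched nothing
            # -ef: both names refer to the same inode, i.e. a hardlink pair
            if [ "$f" != "$cur" ] && [ "$cur" -ef "$f" ]; then linked=yes; fi
            uid=$(stat -c %u "$f")           # GNU coreutils stat
            if [ "$uid" != "$want_uid" ]; then
                echo "OWNER  $f: uid $uid, expected $want_uid"; rc=1
            fi
        done
        if [ "$linked" = no ]; then
            echo "NOLINK $cur: not hardlinked to a dated file"; rc=1
        fi
    done
    [ "$rc" -eq 0 ]
)

# Constructed sample directory (not real ntpd output): one dated loopstats
# file plus the current name hardlinked to it, as described in the thread.
sample=$(mktemp -d)
: > "$sample/loopstats.20180123"
ln "$sample/loopstats.20180123" "$sample/loopstats"
if check_statsdir "$sample" "$(id -u)"; then
    echo "sample statsdir: hardlinks present, ownership consistent"
fi
rm -rf "$sample"
```

On a real host the call would be `check_statsdir /var/log/ntpstats "$(id -u ntp)"`; any `OWNER` line names a file that an `owner`-prefixed rule would no longer match.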