What | Removed | Added |
---|---|---|
CC | Stromeko@NexGo.DE | |
Flags | needinfo?(Stromeko@NexGo.DE) | |
One of the upstream developers doubts the 'l' (link) permission is really needed, and since I don't have a stratum-0 refclock, I'd like to ask you to test this ;-)

Can you please change your added rule to

/var/log/ntpstats/clockstats* rw,

then run "rcapparmor reload" and report back if ntpd causes any log events (ALLOWED or DENIED) in /var/log/audit/audit.log? (If you don't have auditd running, check /var/log/messages or journalctl.)

For bonus points, also temporarily remove the 'l' permission from the other /var/log/ntpstats/loopstats* and peerstats* rules, run "aa-complain /etc/apparmor.d/usr.sbin.ntpd" to switch the profile into complain mode and then provide the audit.log entries ntpd triggers. Note: complain mode allows everything and logs what would be denied, so even if something is missing in the profile, ntpd will work. To switch the profile back to enforce mode, run "aa-enforce /etc/apparmor.d/usr.sbin.ntpd".
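One way to sift the audit.log entries this comment asks for, as an added example that is not part of the bug report or the AppArmor project: it keeps only the events from the /usr/sbin/ntpd profile, tallies them by decision, operation, path and requested_mask, and lists the paths for which the link ('l') permission was actually requested. The log lines embedded below are constructed samples in audit.log format, not real output.

```shell
#!/bin/sh
# Added example (not from the bug report). Filters AppArmor events for the
# ntpd profile out of an audit.log-style file and tallies what ntpd asked for,
# so the "is 'l' really needed?" question is answered from the log itself.

# Summarise ntpd events: one line per distinct
# "<decision> <operation> <path> <requested_mask>", prefixed by its count.
summarize_ntpd_events() {
    grep 'apparmor="' "$1" \
    | grep 'profile="/usr/sbin/ntpd"' \
    | sed -n 's/.*apparmor="\([A-Z]*\)".*operation="\([^"]*\)".*name="\([^"]*\)".*requested_mask="\([^"]*\)".*/\1 \2 \3 \4/p' \
    | sort | uniq -c | sort -rn
}

# Paths for which ntpd requested the link ('l') permission: only the rules
# covering these paths need 'l' in the profile.
paths_needing_link() {
    summarize_ntpd_events "$1" | awk '$5 ~ /l/ { print $4 }' | sort -u
}

# Constructed sample lines in audit.log format (not real output); the real
# file is /var/log/audit/audit.log when auditd is running.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
type=SYSCALL msg=audit(1700000000.100:10): arch=c000003e syscall=2 success=yes exit=5 comm="ntpd"
type=AVC msg=audit(1700000000.101:11): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/var/log/ntpstats/clockstats.20231114" pid=1234 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=74 ouid=74
type=AVC msg=audit(1700000000.102:12): apparmor="DENIED" operation="link" profile="/usr/sbin/ntpd" name="/var/log/ntpstats/loopstats" pid=1234 comm="ntpd" requested_mask="l" denied_mask="l" fsuid=74 ouid=74 target="/var/log/ntpstats/loopstats.20231114"
type=AVC msg=audit(1700000000.103:13): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/var/log/ntpstats/peerstats.20231114" pid=1234 comm="ntpd" requested_mask="wc" denied_mask="wc" fsuid=74 ouid=74
type=AVC msg=audit(1700000000.104:14): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/var/log/ntpstats/clockstats.20231114" pid=1234 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=74 ouid=74
type=AVC msg=audit(1700000000.105:15): apparmor="DENIED" operation="link" profile="/usr/sbin/cupsd" name="/var/spool/cups/tmp/x" pid=99 comm="cupsd" requested_mask="l" denied_mask="l" fsuid=0 ouid=0
EOF

# Stand-alone usage on a real system: summarize_ntpd_events /var/log/audit/audit.log
summarize_ntpd_events "$SAMPLE"
echo "paths needing 'l':"
paths_needing_link "$SAMPLE"
```

In complain mode the would-be denials show up as ALLOWED with a non-empty denied_mask, so the same summary works for both the enforce and the complain run the comment describes.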