http://bugzilla.opensuse.org/show_bug.cgi?id=1076247
http://bugzilla.opensuse.org/show_bug.cgi?id=1076247#c3

Achim Gratz <Stromeko@NexGo.DE> changed:

What  |Removed                      |Added
----------------------------------------------------------------------------
Flags |needinfo?(Stromeko@NexGo.DE) |

--- Comment #3 from Achim Gratz <Stromeko@NexGo.DE> ---

Yes, I have statsdir /var/log/ntpstats as is standard.

(In reply to Christian Boltz from comment #2)
> One of the upstream developers doubts the 'l' (link) permission is really needed, and since I don't have a stratum-0 refclock, I'd like to ask you to test this ;-)
Huh? What upstream developer was that? If you care to look, the *stat files in that directory are always hardlinked to the *stat20180123 files for the same date and unlinked/relinked on date rollover. So you do need to be able to create hardlinks.
> Can you please change your added rule to
>
> /var/log/ntpstats/clockstats* rw,
I can, but it's not much use I think since I don't usually run that machine while the date is rolling over. Also, I think it _will_ fail. But that problem should show on a daemon restart also… let me try.
> Then run "rcapparmor reload" and report back if ntpd causes any log events (ALLOWED or DENIED) in /var/log/audit/audit.log? (If you don't have auditd running, check /var/log/messages or journalctl.)
>
> For bonus points, also temporarily remove the 'l' permission from the other /var/log/ntpstats/loopstats* and peerstats* rules, run aa-complain /etc/apparmor.d/usr.sbin.ntpd to switch the profile into complain mode and then provide the audit.log entries ntpd triggers.
As suspected:

type=AVC msg=audit(1516740267.681:127): apparmor="ALLOWED" operation="link" profile="/usr/sbin/ntpd" name="/var/log/ntpstats/peerstats" pid=14450 comm="ntpd" requested_mask="l" denied_mask="l" fsuid=74 ouid=74 target="/var/log/ntpstats/peerstats.20180123"
type=AVC msg=audit(1516740267.681:128): apparmor="ALLOWED" operation="link" profile="/usr/sbin/ntpd" name="/var/log/ntpstats/clockstats" pid=14450 comm="ntpd" requested_mask="l" denied_mask="l" fsuid=74 ouid=74 target="/var/log/ntpstats/clockstats.20180123"

If you want to simplify the rules you might use a glob there and require that everything is owned by ntp/ntp, that should have the same effect.

Another thing to add as comment to ntp.conf: mention NTPD_DEVICE and how to add any devices configured for refclocks in /etc/apparmor.d/tunables/ntpd.
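The two AVC records above, turned into the profile rules they imply, as an added example that is not part of the bug report or of the AppArmor tooling. It parses the key=value audit fields, treats apparmor="ALLOWED" records as gaps too (that is what complain mode logs for what would otherwise be denied), and collapses the ntpd link name and its dated target onto one glob the way the existing peerstats*/clockstats* rules do; the glob heuristic and the sample lines are my own construction.

```python
import re

# Constructed sample input: the two AppArmor AVC records quoted in the comment
# above, plus one non-AVC audit line to show that it is ignored.
AUDIT_LINES = [
    'type=AVC msg=audit(1516740267.681:127): apparmor="ALLOWED" operation="link" '
    'profile="/usr/sbin/ntpd" name="/var/log/ntpstats/peerstats" pid=14450 comm="ntpd" '
    'requested_mask="l" denied_mask="l" fsuid=74 ouid=74 '
    'target="/var/log/ntpstats/peerstats.20180123"',
    'type=AVC msg=audit(1516740267.681:128): apparmor="ALLOWED" operation="link" '
    'profile="/usr/sbin/ntpd" name="/var/log/ntpstats/clockstats" pid=14450 comm="ntpd" '
    'requested_mask="l" denied_mask="l" fsuid=74 ouid=74 '
    'target="/var/log/ntpstats/clockstats.20180123"',
    'type=SYSCALL msg=audit(1516740267.681:129): arch=c000003e syscall=86 success=yes',
]

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one audit record into a dict of key -> value (quotes stripped)."""
    return {k: (q or u or "") for k, q, u in FIELD_RE.findall(line)}


def missing_permissions(lines):
    """Return {profile: {path_glob: mask}} for every AVC record carrying a
    denied_mask. apparmor="ALLOWED" records count as gaps as well, because in
    complain mode AppArmor logs the operation it would have denied as ALLOWED."""
    gaps = {}
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "AVC" or not rec.get("denied_mask"):
            continue
        path = rec["name"]
        target = rec.get("target", "")
        # ntpd hardlinks peerstats -> peerstats.YYYYMMDD, so the link name is a
        # prefix of the target; fold both onto one glob like the profile's
        # existing /var/log/ntpstats/peerstats* rule. Heuristic, not AppArmor logic.
        if rec.get("operation") == "link" and target.startswith(path + "."):
            path += "*"
        per_profile = gaps.setdefault(rec["profile"], {})
        have = set(per_profile.get(path, ""))
        per_profile[path] = "".join(sorted(have | set(rec["denied_mask"])))
    return gaps


def as_rules(gaps):
    """Render the gaps as AppArmor file-rule lines to diff against the profile."""
    return [f"{path} {mask}," for paths in gaps.values()
            for path, mask in sorted(paths.items())]
```

Any rule this prints that is absent from /etc/apparmor.d/usr.sbin.ntpd is a permission the profile would deny once it is back in enforce mode.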