Achim Gratz changed bug 1076247
What  | Removed                       | Added
Flags | needinfo?(Stromeko@NexGo.DE)  |

Comment # 3 on bug 1076247 from
Yes, I have
 statsdir /var/log/ntpstats
as is standard.

(In reply to Christian Boltz from comment #2)
> One of the upstream developers doubts the 'l' (link) permission is really
> needed, and since I don't have a stratum-0 refclock, I'd like to ask you to
> test this ;-)

Huh?  What upstream developer was that?  If you care to look, the *stat files
in that directory are always hardlinked to the *stat20180123 files for the same
date and unlinked/relinked on date rollover.  So you do need to be able to
create hardlinks.

> Can you please change your added rule to
> 
>  /var/log/ntpstats/clockstats* rw,

I can, but it's not much use I think since I don't usually run that machine
while the date is rolling over.  Also, I think it _will_ fail.  But that
problem should show on a daemon restart also... let me try.

> Then run "rcapparmor reload" and report back if ntpd causes any log events
> (ALLOWED or DENIED) in /var/log/audit/audit.log? (If you don't have auditd
> running, check /var/log/messages or journalctl.)
> 
> For bonus points, also temporarily remove the 'l' permission from the other
> /var/log/ntpstats/loopstats* and peerstats* rules, run
>   aa-complain /etc/apparmor.d/usr.sbin.ntpd
> to switch the profile into complain mode and then provide the audit.log
> entries ntpd triggers.

As suspected:

type=AVC msg=audit(1516740267.681:127): apparmor="ALLOWED" operation="link"
profile="/usr/sbin/ntpd" name="/var/log/ntpstats/peerstats" pid=14450
comm="ntpd" requested_mask="l" denied_mask="l" fsuid=74 ouid=74
target="/var/log/ntpstats/peerstats.20180123"
type=AVC msg=audit(1516740267.681:128): apparmor="ALLOWED" operation="link"
profile="/usr/sbin/ntpd" name="/var/log/ntpstats/clockstats" pid=14450
comm="ntpd" requested_mask="l" denied_mask="l" fsuid=74 ouid=74
target="/var/log/ntpstats/clockstats.20180123"

If you want to simplify the rules you might use a glob there and require that
everything is owned by ntp/ntp, that should have the same effect.

Another thing to add as comment to ntp.conf: mention NTPD_DEVICE and how to add
any devices configured for refclocks in /etc/apparmor.d/tunables/ntpd.
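The way aa-logprof turns such audit records into profile rules, as an added example that is not part of this bug report: the two AVC lines are constructed to mirror the ones quoted above, the starting rule set is the one proposed in comment #2, and the AppArmor 'owner' prefix stands in for the "owned by ntp/ntp" requirement mentioned here (fsuid == ouid in the record).

```python
import re

ORDER = "rwaklmix"  # sort key only; apparmor_parser accepts permissions in any order

# Two AppArmor audit records, constructed to mirror the ones quoted above.
SAMPLE_LOG = """\
type=AVC msg=audit(1516740267.681:127): apparmor="ALLOWED" operation="link" profile="/usr/sbin/ntpd" name="/var/log/ntpstats/peerstats" pid=14450 comm="ntpd" requested_mask="l" denied_mask="l" fsuid=74 ouid=74 target="/var/log/ntpstats/peerstats.20180123"
type=AVC msg=audit(1516740267.681:128): apparmor="ALLOWED" operation="link" profile="/usr/sbin/ntpd" name="/var/log/ntpstats/clockstats" pid=14450 comm="ntpd" requested_mask="l" denied_mask="l" fsuid=74 ouid=74 target="/var/log/ntpstats/clockstats.20180123"
"""

def parse_avc(line):
    """Split one audit record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def aa_glob_to_regex(glob):
    """AppArmor globbing: '**' may cross a '/', a single '*' may not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile("^" + out + "$")

def suggest_rules(log_text, existing):
    """Widen the masks of the given (glob, mask) rules with whatever the audit
    records show was denied.  A denied path that no glob matches gets a rule of
    its own, prefixed with 'owner' when every denial on it had fsuid == ouid.
    Existing rules are only ever widened, never narrowed with 'owner'.
    Returns the rules as 'path mask,' lines."""
    rules = {g: [set(m), False] for g, m in existing}      # glob -> [mask, owner?]
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec.get("type") != "AVC" or "denied_mask" not in rec:
            continue
        path, denied = rec["name"], set(rec["denied_mask"])
        same_owner = rec.get("fsuid") == rec.get("ouid")
        key = next((g for g in rules if aa_glob_to_regex(g).match(path)), None)
        if key is None:                                     # new rule: may be owner-restricted
            key = path
            rules[key] = [set(), same_owner]
        rules[key][0] |= denied
        rules[key][1] = rules[key][1] and same_owner
    return ["%s%s %s," % ("owner " if own else "", g, "".join(sorted(m, key=ORDER.index)))
            for g, (m, own) in rules.items()]

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, [("/var/log/ntpstats/clockstats*", "rw"),
                                           ("/var/log/ntpstats/loopstats*", "rwl")]):
        print(rule)
```

With the rule set from comment #2 it widens clockstats* to rwl and adds an owner-restricted rule for peerstats, which no existing glob covered.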

