Comment # 5 on bug 1076247 from
(In reply to Christian Boltz from comment #4)
> > If you want to simplify the rules you might use a glob there and require
> > that everything is owned by ntp/ntp, that should have the same effect.
> 
> That would mean to prefix those rules with the owner keyword:
> 
>   owner /var/log/ntpstats/clockstats* lrw,
>   owner /var/log/ntpstats/loopstats* lrw,
>   owner /var/log/ntpstats/peerstats* lrw,
> 
> Can you please test if ntpd still works with the owner keyword added?

type=AVC msg=audit(1516818577.469:120): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/ntpd" pid=4485 comm="apparmor_parser"

So it seems to work.  However, I thought of simplifying those rules along the
lines of

  owner /var/log/ntpstats/*stats* lrw,

or even
  owner /var/log/ntpstats/* lrw,

(if the number of rules is the objective here).  The directory already is
"drwxr-xr-x 1 ntp ntp", so I don't think there'd be an appreciable loss in
security with that slightly widened rule.

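As an added illustration, not part of this bug comment and not the profile the ntp package ships, here are the three candidate rule sets from the comment side by side in AppArmor profile syntax, with the glob and `owner` semantics each one relies on. The profile path named below and the assumption that ntpd has already switched to uid ntp when it writes the stats files are mine, not stated on the page.

```apparmor
# Added example; not the shipped /usr/sbin/ntpd profile.
# Assumes ntpd has dropped to uid ntp before it writes into /var/log/ntpstats
# (the `owner` keyword only matches when the file's uid equals the task's
# fsuid) and that the directory is "drwxr-xr-x ntp ntp" as the comment says.

# Variant 1: one rule per stats type, restricted to ntp-owned files.
# A root-owned file dropped into the directory under one of these names is
# still not accessible to ntpd, because `owner` does not match it.
  owner /var/log/ntpstats/clockstats* lrw,
  owner /var/log/ntpstats/loopstats*  lrw,
  owner /var/log/ntpstats/peerstats*  lrw,

# Variant 2: collapse the three into one rule.  `*` never matches `/`, so this
# still cannot reach into subdirectories; it does also match other ntpd
# statistics files such as rawstats* or sysstats*, which variant 1 did not.
  owner /var/log/ntpstats/*stats* lrw,

# Variant 3: any ntp-owned file directly inside the directory.  Same reach as
# variant 2 except that the file name is no longer constrained at all.
# Deliberately `*`, not `**`: `**` would additionally match nested paths.
  owner /var/log/ntpstats/* lrw,
```

To try one variant, edit the ntpd profile (conventionally /etc/apparmor.d/usr.sbin.ntpd, an assumption about the file name), reload it with `apparmor_parser -r` on that file, restart ntpd with statistics logging enabled, and confirm that no `apparmor="DENIED"` audit records for /var/log/ntpstats appear once the stats files have been created.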