[pkg-ntp-maintainers] Bug#861727: apparmor permissions for winbind

Christian Ehrhardt christian.ehrhardt at canonical.com
Wed May 3 08:49:45 UTC 2017


Package: ntp
Version: 1:4.2.8p10+dfsg-1

Hi,
while clearing out for the next merge of ntp in Ubuntu I collected a set of
changes worth fixing in Debian as well. So I am contributing those changes
here for you to pick up.

When using winbind fully set up and with apparmor enabled, you will get
ntpd denies like the following:
May 17 16:23:15 bo kernel: [ 27.598551] type=1400 audit(1463494995.048:18):
apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd"
name="/run/samba/winbindd/pipe" pid=1517 comm="ntpd" requested_mask="rw"
denied_mask="rw" fsuid=0 ouid=0

The change itself would be rather easy, and in a discussion no one saw a
security risk in opening this up:

diff --git a/debian/apparmor-profile b/debian/apparmor-profile
index 644dc29..d92ac64 100644
--- a/debian/apparmor-profile
+++ b/debian/apparmor-profile
@@ -71,6 +71,9 @@
  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,

+  # samba4 winbindd pipe
+  /run/samba/winbindd/pipe rw,
+
  # For use with clocks that report via shared memory (e.g. gpsd),
  # you may need to give ntpd access to all of shared memory, though
  # this can be considered dangerous. See https://launchpad.net/bugs/722815
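
Review bot: the added rule `/run/samba/winbindd/pipe rw,` hard-codes `/run`, while the ntp_signd rule directly above it uses `/{,var/}run/` to cover both locations. Unless the winbindd pipe is known to be reached only through /run, write it as `/{,var/}run/samba/winbindd/pipe rw,` so the two samba rules behave the same way. The `rw` mask matches the requested_mask in the quoted denial, so nothing wider is needed.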

-- 
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
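
An added example, not part of the original message or of the ntp packaging: a small Python check that parses the denial quoted above and tests whether a list of profile file rules covers it. It assumes plain `path perms,` rules only (no `deny`, `owner` or includes) and a simplified glob subset; all function names are hypothetical.

```python
import re

# Denial from the report above, joined onto one line.
DENIAL = ('May 17 16:23:15 bo kernel: [ 27.598551] type=1400 '
          'audit(1463494995.048:18): apparmor="DENIED" operation="connect" '
          'profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517 '
          'comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0')

# File rules from the profile excerpt: the existing ntp_signd rule,
# then the same list with the rule the patch adds.
RULES_BEFORE = ['/{,var/}run/samba/ntp_signd/socket rw,']
RULES_AFTER = RULES_BEFORE + ['/run/samba/winbindd/pipe rw,']

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor audit line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def expand(pattern):
    """Expand AppArmor {a,b} alternations into the plain paths they stand for."""
    m = re.search(r'\{([^{}]*)\}', pattern)
    if not m:
        return [pattern]
    paths = []
    for alt in m.group(1).split(','):
        paths += expand(pattern[:m.start()] + alt + pattern[m.end():])
    return paths

def covers(rule, name, mask):
    """True if one file rule grants every permission in mask on name."""
    path, perms = rule.rstrip(',').split()
    if not set(mask) <= set(perms):
        return False
    for p in expand(path):
        # Simplified globbing (assumption): ** crosses '/', * does not.
        rx = re.escape(p).replace(r'\*\*', '.*').replace(r'\*', '[^/]*')
        if re.fullmatch(rx, name):
            return True
    return False

def is_allowed(rules, line):
    """True if any rule covers the path and mask named in the denial line."""
    fields = parse_denial(line)
    return any(covers(r, fields['name'], fields['denied_mask']) for r in rules)

if __name__ == '__main__':
    print('before:', is_allowed(RULES_BEFORE, DENIAL))
    print('after: ', is_allowed(RULES_AFTER, DENIAL))
```
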