[pkg-ntp-maintainers] Bug#883022: Bug#883022: ntp does not start with current AppArmor profile
Nuno Oliveira
nuno at eq.uc.pt
Tue Nov 28 23:15:41 UTC 2017
Hi Bernhard,
* Bernhard Schmidt <berni at debian.org> [2017-11-28 22:10]:
>Control: flags -1 + unreproducible
>
>On 28.11.2017 22:26, Nuno Oliveira wrote:
>
>Hello Nuno,
>
>> Package: ntp
>> Version: 1:4.2.8p10+dfsg-5
>> Severity: important
>>
>> Dear Maintainer,
>>
>> With the current apparmor profile, the ntp daemon does not start. The log is:
>>
>> type=SERVICE_STOP msg=audit(1511903874.826:12511): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=ntp comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>> type=AVC msg=audit(1511903874.837:12512): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=27228 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> type=SYSCALL msg=audit(1511903874.837:12512): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1600eaa0 a1=90800 a2=7ffd1600eab0 a3=0 items=0 ppid=1 pid=27228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key=(null)
>> type=PROCTITLE msg=audit(1511903874.837:12512): proctitle=2F7573722F7362696E2F6E747064002D70002F7661722F72756E2F6E7470642E706964002D67002D75003130373A313234
>> type=AVC msg=audit(1511903874.837:12513): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=27228 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> type=SYSCALL msg=audit(1511903874.837:12513): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1600eaa0 a1=90800 a2=7ffd1600eaaf a3=0 items=0 ppid=1 pid=27228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key=(null)
>> type=PROCTITLE msg=audit(1511903874.837:12513): proctitle=2F7573722F7362696E2F6E747064002D70002F7661722F72756E2F6E7470642E706964002D67002D75003130373A313234
>> type=SERVICE_START msg=audit(1511903874.842:12514): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=ntp comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>
>I can confirm the apparmor denials, however I cannot reproduce startup
>errors caused by this.
>
>root at debiantesting:~# dmesg | grep ntp
>[ 0.004000] Mountpoint-cache hash table entries: 2048 (order: 2,
>16384 bytes)
>[ 2.340760] audit: type=1400 audit(1511906730.152:5):
>apparmor="STATUS" operation="profile_load" profile="unconfined"
>name="/usr/sbin/ntpd" pid=356 comm="apparmor_parser"
>[ 2.430519] audit: type=1400 audit(1511906730.241:6):
>apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd"
>name="/usr/local/sbin/" pid=396 comm="ntpd" requested_mask="r"
>denied_mask="r" fsuid=0 ouid=0
>[ 2.430521] audit: type=1400 audit(1511906730.241:7):
>apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd"
>name="/usr/local/bin/" pid=396 comm="ntpd" requested_mask="r"
>denied_mask="r" fsuid=0 ouid=0
>
>root at debiantesting:~# pgrep -a ntp
>405 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 107:111
>
>ntpq> pe
> remote refid st t when poll reach delay offset
>jitter
>==============================================================================
> 0.debian.pool.n .POOL. 16 p - 64 0 0.000 0.000
>0.000
> 1.debian.pool.n .POOL. 16 p - 64 0 0.000 0.000
>0.000
> 2.debian.pool.n .POOL. 16 p - 64 0 0.000 0.000
>0.000
> 3.debian.pool.n .POOL. 16 p - 64 0 0.000 0.000
>0.000
> stratum2-4.NTP. 129.70.130.70 2 u 20 64 3 26.691 -0.288
>0.645
> isis.uni-paderb .DCF. 1 u 12 64 7 25.275 -0.395
>1.016
>*ntp0.rrze.uni-e .GPS. 1 u 52 64 7 22.880 -0.537
>0.433
> aprs.link 192.53.103.108 2 u 51 64 7 18.672 1.832
>0.738
> schubhart.de 131.188.3.222 2 u 66 64 3 18.309 -2.775
>0.966
> business-90-187 .PPS. 1 u 62 64 3 30.417 -3.321
>1.442
>
>Bernhard
I have 2 systems where this happens, but I also confirm that this does
not happen on all systems (Debian testing) where ntp is installed. Any
suggestions on how to diagnose this?
Regards,
Nuno.
More information about the pkg-ntp-maintainers
mailing list