[pkg-ntp-maintainers] Bug#883022: Bug#883022: ntp does not start with current AppArmor profile

Nuno Oliveira nuno at eq.uc.pt
Tue Nov 28 23:15:41 UTC 2017


Hi Bernhard,

* Bernhard Schmidt <berni at debian.org> [2017-11-28 22:10]:
>Control: flags -1 + unreproducible
>
>On 28.11.2017 22:26, Nuno Oliveira wrote:
>
>Hello Nuno,
>
>> Package: ntp
>> Version: 1:4.2.8p10+dfsg-5
>> Severity: important
>>
>> Dear Maintainer,
>>
>> With the current apparmor profile, the ntp daemon does not start. The log is:
>>
>> type=SERVICE_STOP msg=audit(1511903874.826:12511): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=ntp comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>> type=AVC msg=audit(1511903874.837:12512): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=27228 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> type=SYSCALL msg=audit(1511903874.837:12512): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1600eaa0 a1=90800 a2=7ffd1600eab0 a3=0 items=0 ppid=1 pid=27228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key=(null)
>> type=PROCTITLE msg=audit(1511903874.837:12512): proctitle=2F7573722F7362696E2F6E747064002D70002F7661722F72756E2F6E7470642E706964002D67002D75003130373A313234
>> type=AVC msg=audit(1511903874.837:12513): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=27228 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>> type=SYSCALL msg=audit(1511903874.837:12513): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd1600eaa0 a1=90800 a2=7ffd1600eaaf a3=0 items=0 ppid=1 pid=27228 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key=(null)
>> type=PROCTITLE msg=audit(1511903874.837:12513): proctitle=2F7573722F7362696E2F6E747064002D70002F7661722F72756E2F6E7470642E706964002D67002D75003130373A313234
>> type=SERVICE_START msg=audit(1511903874.842:12514): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=ntp comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
>
>I can confirm the apparmor denials, however I cannot reproduce startup
>errors caused by this.
>
>root@debiantesting:~# dmesg | grep ntp
>[    0.004000] Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes)
>[    2.340760] audit: type=1400 audit(1511906730.152:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/ntpd" pid=356 comm="apparmor_parser"
>[    2.430519] audit: type=1400 audit(1511906730.241:6): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=396 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>[    2.430521] audit: type=1400 audit(1511906730.241:7): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=396 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
>root@debiantesting:~# pgrep -a ntp
>405 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 107:111
>
>ntpq> pe
>     remote           refid      st t when poll reach   delay   offset  jitter
>==============================================================================
> 0.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
> 1.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
> 2.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
> 3.debian.pool.n .POOL.          16 p    -   64    0    0.000    0.000   0.000
> stratum2-4.NTP. 129.70.130.70    2 u   20   64    3   26.691   -0.288   0.645
> isis.uni-paderb .DCF.            1 u   12   64    7   25.275   -0.395   1.016
>*ntp0.rrze.uni-e .GPS.            1 u   52   64    7   22.880   -0.537   0.433
> aprs.link       192.53.103.108   2 u   51   64    7   18.672    1.832   0.738
> schubhart.de    131.188.3.222    2 u   66   64    3   18.309   -2.775   0.966
> business-90-187 .PPS.            1 u   62   64    3   30.417   -3.321   1.442
>
>Bernhard

I have 2 systems where this happens, but I also confirm that this does 
not happen on all systems (Debian testing) where ntp is installed. Any 
suggestions on how to diagnose this?

Regards,

Nuno.


