Your message dated Tue, 13 Oct 2020 18:33:37 +0000
with message-id <[email protected]>
and subject line Bug#970421: fixed in chrony 4.0-2
has caused the Debian Bug report #970421,
regarding apparmor limit blocks temperature reading
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
970421: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970421
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: chrony
Version: 3.4-4

Current apparmor profile for chrony lists
@{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r,

which is great (and even how I have mine configured -
tempcomp /sys/class/hwmon/hwmon0/temp1_input 1 0 0 0 0) but it doesn't actually 
work. It results in lots of log lines like

Sep 15 23:06:37 gw.as397444.net audit[24397]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0
Sep 15 23:06:37 gw.as397444.net chronyd[24397]: Could not read temperature from /sys/class/hwmon/hwmon0/temp1_input
Sep 15 23:06:37 gw.as397444.net kernel: audit: type=1400 audit(1600225597.313:127): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=112 ouid=0

Looks like somehow apparmor is resolving the file to a different path, 
checking, and then failing it.

An extra line like the following fixes it:
@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/temp[0-9]*_input r,

Matt

--- End Message ---
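
The mismatch reported above can be checked offline: the denial's name= field is the path AppArmor evaluated, and it can be matched against a profile rule's glob. This is an added example, not part of the bug report or the chrony package; it assumes @{sys} expands to /sys/ as in AppArmor's stock tunables and handles only the glob subset these rules use (**, *, ? and [...] classes).

```python
import re

# Assumption: @{sys} expands to /sys/ as in AppArmor's stock tunables.
VARIABLES = {"@{sys}": "/sys/"}

# Rules quoted in the report: the shipped one and the proposed addition.
SHIPPED_RULE = "@{sys}/class/hwmon/hwmon[0-9]*/temp[0-9]*_input r,"
PROPOSED_RULE = ("@{sys}/devices/virtual/thermal/thermal_zone[0-9]*"
                 "/hwmon[0-9]*/temp[0-9]*_input r,")

# Denial taken from the report's log (timestamp and hostname dropped).
SAMPLE_DENIAL = (
    'audit[24397]: AVC apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/chronyd" '
    'name="/sys/devices/virtual/thermal/thermal_zone0/hwmon0/temp1_input" '
    'pid=24397 comm="chronyd" requested_mask="r" denied_mask="r" '
    'fsuid=112 ouid=0')

# AppArmor globs: '*' and '?' never cross '/', '**' does.
GLOB_TOKENS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
TOKEN = re.compile(r"\*\*|\*|\?|\[[^\]]*\]|.", re.S)

def parse_rule(rule):
    """Split 'PATH PERMS,' into (expanded path glob, permission string)."""
    glob, perms = rule.rstrip(",").rsplit(None, 1)
    for name, value in VARIABLES.items():
        glob = glob.replace(name, value)
    return re.sub(r"/+", "/", glob), perms  # collapse '//' left by expansion

def glob_to_regex(glob):
    """Translate the glob subset above into an anchored regular expression."""
    def convert(match):
        tok = match.group(0)
        if tok in GLOB_TOKENS:
            return GLOB_TOKENS[tok]
        # Longer tokens are [...] classes (kept as-is); others are literals.
        return tok if len(tok) > 1 else re.escape(tok)
    return re.compile(TOKEN.sub(convert, glob) + r"\Z")

def rule_allows(rule, path, mask):
    """True if the rule's glob matches path and grants every bit in mask."""
    glob, perms = parse_rule(rule)
    return bool(glob_to_regex(glob).match(path)) and set(mask) <= set(perms)

def check_denial(line, rules):
    """Map each rule to whether it would have allowed the denied access."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return {r: rule_allows(r, fields["name"], fields["denied_mask"])
            for r in rules}
```

The shipped rule does match the configured /sys/class/hwmon/hwmon0/temp1_input path, but not the path named in the denial; only the proposed rule covers that one.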
--- Begin Message ---
Source: chrony
Source-Version: 4.0-2
Done: Vincent Blut <[email protected]>

We believe that the bug you reported is fixed in the latest version of
chrony, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Blut <[email protected]> (supplier of updated chrony package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 13 Oct 2020 15:59:33 +0200
Source: chrony
Architecture: source
Version: 4.0-2
Distribution: unstable
Urgency: medium
Maintainer: Vincent Blut <[email protected]>
Changed-By: Vincent Blut <[email protected]>
Closes: 970421
Changes:
 chrony (4.0-2) unstable; urgency=medium
 .
   * Merge branch 'experimental' into 'master'.
 .
   * Upload to unstable.
 .
 chrony (4.0-1) experimental; urgency=medium
 .
   * Import upstream version 4.0:
     - This release adds support for the Network Time Security (NTS)
     authentication mechanism (RFC 8915).
     - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.
 .
 chrony (4.0~pre4-2) experimental; urgency=medium
 .
   * debian/postinst:
     - Fix user and group ownership of "/var/lib/chrony" to allow chronyd
     to write in it. This will also fix a regression in the 104-systemdirs
     test.
 .
 chrony (4.0~pre4-1) experimental; urgency=medium
 .
   * Import upstream version 4.0-pre4:
     - Please see /usr/share/doc/chrony/NEWS.gz for the release notes.
 .
   * Merge branch 'master' into experimental. (Closes: #970421)
 .
   * debian/chrony.conf:
     - Use NTP sources from /run/chrony-dhcp.
     - Save NTS keys and cookies in /var/lib/chrony/.
 .
   * debian/[email protected]:
     - Update "chrony-helper" path.
 .
   * debian/chrony.dhcp:
     - Save NTP servers from DHCP to /run/chrony-dhcp/$interface.sources.
 .
   * debian/chrony.lintian-overrides:
     - Override executable-in-usr-lib for NetworkManager dispatcher scripts.
     - Update NetworkManager dispatcher script name.
 .
   * debian/chrony.ppp.ip-{down,up}:
     - Update PID file path.
 .
   * debian/chrony.service:
     - Update PID file path.
     - Do not run 'chrony-helper update-daemon' after starting chronyd. Not
     needed anymore.
 .
   * debian/control:
     - Build-depend on libgnutls28-dev to support NTS.
     - Build-depend on gnutls-bin for the test suite.
     - Bump debhelper-compat to 13.
 .
   * debian/copyright:
     - Update copyright years.
 .
   * debian/dirs:
     - Remove var/log/chrony as it will be created automatically if it doesn’t
     exist.
 .
   * debian/if-{post-down,up}:
     - Update PID file path.
 .
   * debian/init:
     - Update PID file path.
     - Drop the unnecessary '--remove pidfile' option from the stop target.
     - Do not run 'chrony-helper update-daemon' after starting chronyd. Not
     needed anymore.
 .
   * debian/install:
     - Move "chrony-helper" to "/usr/libexec/chrony".
 .
   * debian/links:
     - Update source and destination filenames.
 .
   * debian/patches/:
     - Drop patches applied upstream.
     - Add nm-dispatcher-dhcp_Move-server_dir-to-run.patch.
 .
   * debian/postinst:
     - Drop migration code from pre-Stretch.
     - Migrate NTP sources obtained from DHCP to /run/chrony-dhcp on upgrade
     from chrony < 4.0~pre4-1.
     - Remove stale PID file when upgrading from chrony < 4.0~pre4-1.
 .
   * debian/rules:
     - Change the default PID file location from /run to /run/chrony.
     - Drop dh_missing --fail-missing. This is the default in debhelper 13.
     - Enable seccomp support by default on riscv64.
     - Update NetworkManager dispatcher script name from 20-chrony to
     20-chrony-onoffline.
     - Add DHCP NetworkManager dispatcher script to allow chronyd to use
     NTP sources obtained from NM's internal DHCP client.
 .
   * debian/tests/:
     - Add some helper functions. Some tests will be updated thereafter
     to use them.
 .
   * debian/tests/time-sources-from-dhcp-servers:
     - Adapt to the new way of using time sources from DHCP.
     - Improve sed invocation.
 .
   * debian/tests/upstream-simulation-test-suite:
     - Update clknetsim version.
     - Cosmetic changes.
 .
   * debian/tests/upstream-system-tests:
     - No need to stop systemd-timesyncd anymore since it is no longer
     co-installable with chrony.
 .
   * debian/usr.sbin.chronyd:
     - Update PID file path.
     - Add dac_override and dac_read_search capabilities to give "root" the
     ability to write the PID file in /run/chrony/.
     - Prefix flag definition by "flags=".
     - Sort the capabilities.
     - Grant CAP_NET_RAW capability to allow an NTP socket to be bound to a
     device using the SO_BINDTODEVICE socket option on kernels before 5.7.
     - Add comments regarding capabilities.
     - Let chronyd create /var/l{ib,og}/chrony.
     - Remove a superfluous rule.
     - Allow reading of NTP sources in /run/chrony-dhcp/.
 .
   * debian/watch:
     - Make use of special strings.
Checksums-Sha1:
 ebed2246b3510a2e7a2f601e4cea157a29275aa7 2378 chrony_4.0-2.dsc
 1958c473d06ff9f7f56047853e865bd43005748f 34844 chrony_4.0-2.debian.tar.xz
Checksums-Sha256:
 6b61901e687b563244de08f57d77f136698a39d601d50126c890a4a6d90cd0fe 2378 chrony_4.0-2.dsc
 c2b0be70ebeec812e6c4bb0f469939dd1e58740725ca37b6c164fc6ac6661774 34844 chrony_4.0-2.debian.tar.xz
Files:
 be1b20a90d097f3c5691fa76479f9706 2378 net optional chrony_4.0-2.dsc
 bd60e69636c3d22a19e62af657a9e376 34844 net optional chrony_4.0-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
