Package: chrony
Version: 3.3-1
Severity: normal
Hi,
the chrony.conf man page suggests a few more paths that are now yet allowed
by the apparmor profile. I think it is fine to consider all too awkward use
cases "special" and direct them to the local include for apparmor, but
those that are in the man page we should consider "common" and allow (IMHO).
Therefore I'd ask you to consider the following from [1]:
# Support all paths suggested in the man page (LP: #1771028). Assume these
# are common use cases; others should be set as local include (see below).
# Configs using a 'chrony.' prefix like the tempcomp config file example
/etc/chrony.* r,
# Example gpsd socket is outside /{,var/}run/chrony/
/{,var/}run/chrony.tty{,*}.sock rw,
# To sign replies to MS-SNTP clients by the smbd daemon
/var/lib/samba/ntp_signd r,
/var/lib/samba/ntp_signd/{,*} rw,
[1]:
https://git.launchpad.net/~paelzer/ubuntu/+source/chrony/commit/?h=merge-cosmic-3.3-1&id=13339a04e989639c736b79b75b901be6ac561b76
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
