Control: tags -1 pending

On Mon, May 14, 2018 at 10:54:25AM +0200, Christian Ehrhardt wrote:
Package: chrony
Version: 3.3-1
Severity: normal

Hi,
Hello Christian,
the chrony.conf man page suggests a few more paths that are not yet allowed by the apparmor profile. I think it is fine to consider all too awkward use cases "special" and direct them to the local include for apparmor, but those that are in the man page we should consider "common" and allow (IMHO).
I very much agree! As a consequence, this should make our AppArmor profile even more usable by other distros.
Therefore I'd ask you to consider the following from [1]:

  # Support all paths suggested in the man page (LP: #1771028). Assume these
  # are common use cases; others should be set as local include (see below).
  # Configs using a 'chrony.' prefix like the tempcomp config file example
  /etc/chrony.* r,
  # Example gpsd socket is outside /{,var/}run/chrony/
  /{,var/}run/chrony.tty{,*}.sock rw,
  # To sign replies to MS-SNTP clients by the smbd daemon
  /var/lib/samba/ntp_signd r,
  /var/lib/samba/ntp_signd/{,*} rw,

[1]: https://git.launchpad.net/~paelzer/ubuntu/+source/chrony/commit/?h=merge-cosmic-3.3-1&id=13339a04e989639c736b79b75b901be6ac561b76
Applied, thanks!
--
Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd
Cheers, Vincent
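To see exactly which paths the four rules quoted in this thread cover, the following added example (not part of the mail or of the chrony packaging) translates the AppArmor glob subset they use into regular expressions and reports the permissions granted for a path. The function names `glob_to_regex` and `perms_for` are hypothetical, and only the four quoted rules are modelled, so an empty result means "not granted by these rules", not "denied by the full profile".

```python
import re

# Rules copied from the profile snippet quoted in the mail above.
RULES = [
    ("/etc/chrony.*", "r"),
    ("/{,var/}run/chrony.tty{,*}.sock", "rw"),
    ("/var/lib/samba/ntp_signd", "r"),
    ("/var/lib/samba/ntp_signd/{,*}", "rw"),
]

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used above into a regex.

    Covers '*', '**', '?' and '{a,b}' alternation; character classes and
    escapes are left out of this sketch.
    """
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")          # '**' may cross directory separators
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")       # '*' stays inside one path component
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in rule: " + glob)
    return re.compile("".join(out))

COMPILED = [(glob_to_regex(g), perms) for g, perms in RULES]

def perms_for(path):
    """Union of the permissions granted by every rule matching `path`."""
    granted = set()
    for regex, perms in COMPILED:
        if regex.fullmatch(path):
            granted.update(perms)
    return "".join(sorted(granted))
```

Because `*` does not cross a `/`, a constructed path such as `/etc/chrony.d/extra.conf` gets no permission from `/etc/chrony.*`, which keeps the added rule limited to files directly in `/etc`.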