Bug#904040: [pkg-apparmor] Bug#904040: openntpd: Apparmor denies logging

2018-07-22 Thread intrigeri
Hi Dererk,

I'm fully quoting below Seth Arnold's reply (that was sent to
pkg-apparmor-team@ only) and will reply below.

Seth Arnold:
> On Wed, Jul 18, 2018 at 08:05:29PM -0300, Dererk wrote:
>> I was reported about a bug on the way an apparmor profile behaves.
>> It appears to me that this issue might be tightly related to the way
>> apparmor is compiled on Ubuntu, since all my attempts to find similar
>> reports get isolated to Ubuntu's reports and bug fixes.
>> 
>> Would you be kind enough to advise on how to proceed with this? Is it possible for
>> this to be hit on Debian installations? If it's not, is it safe to apply it on Debian
>> without backfiring?

> Hello Dererk,

> This is not unique to systemd, nor Ubuntu; it can happen any time a process
> uses a file descriptor that refers to a file that does not exist in the process's
> mount namespace, whether via explicit namespace use, or chroot, or being
> passed descriptors across an exec or Unix domain socket.

> Systemd just makes these cases really easy to recreate.

> The flags=(attach_disconnected) fix is safe to apply; we don't use it
> as a default setting because we'd really like to have a better solution
> in the long run. But if you're currently not logging due to this issue, or
> the program fails to run at all because it cannot log, then waiting for a
> better solution is far from ideal.

Fully agreed: at least for now, if flags=(attach_disconnected) fixes
user-visible issues, it'll be good enough ⇒ feel free to add it :)

Cheers,
-- 
intrigeri



Bug#904040: openntpd: Apparmor denies logging

2018-07-18 Thread Dererk

user pkg-apparmor-t...@lists.alioth.debian.org
usertags #904040 + help-needed
thanks

Dear AppArmor Team!

I was reported about a bug on the way an apparmor profile behaves.
It appears to me that this issue might be tightly related to the way
apparmor is compiled on Ubuntu, since all my attempts to find similar
reports get isolated to Ubuntu's reports and bug fixes.


Would you be kind enough to advise on how to proceed with this? Is it
possible for this to be hit on Debian installations? If it's not, is it safe to
apply it on Debian without backfiring?



Thanks in advance


Your #1 fan,

\d


On 18/07/18 14:06, Stefano Rivera wrote:
> Package: openntpd
> Version: 1:6.2p3-1
> Severity: normal
> Tags: patch
> 
> Can't reproduce this in a quick check in Debian, but I can see it on
> Ubuntu 18.04 machines, and this patch does the trick.
> 
> AppArmor denies openntpd access to syslog:
> 
> [1690592.258663] audit: type=1400 audit(1531921190.778:1052): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=2708 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
> 
> This seems to be a known issue with apparmor + systemd
> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373070
> 
> And the workaround is a patch like this (which has already been applied
> to ntpd).
> 
> SR
> 
> 
> --
> BOFH excuse #154:
> 
> You can tune a file system, but you can't tune a fish (from most tunefs man
> pages)
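The audit line quoted in Stefano's report above, run through a small triage script written as an added example for this thread (not code from the bug report or from the openntpd package): it splits the record into its key="value" fields, keeps only DENIED records whose info field names a disconnected path, and checks whether the header of the profile named in the record already carries flags=(attach_disconnected). The second log line and the minimal profile text are constructed samples.

```python
"""Triage AppArmor 'disconnected path' denials against a profile's flags.
Added example for this thread, not code from the bug report or openntpd;
the sample data below is labelled where it is constructed."""
import re

# key="quoted value" or key=bare pairs as written by the AppArmor LSM.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Profile header: optional "profile" keyword, path, optional flags=(...), brace.
_HEADER = re.compile(r'^\s*(?:profile\s+)?(/\S+)\s*(?:flags=\(([^)]*)\))?\s*\{\s*$', re.M)

SAMPLE_LOG = [
    # Re-joined from the audit line quoted in the report above.
    '[1690592.258663] audit: type=1400 audit(1531921190.778:1052): apparmor="DENIED" '
    'operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 '
    'profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=2708 comm="ntpd" '
    'requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    # Constructed: an ordinary path denial, which attach_disconnected does not address.
    '[1690600.000000] audit: type=1400 audit(1531921200.000:1053): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=2708 comm="ntpd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]
# Constructed minimal profile, before and after the change made by the thread's patch.
PROFILE_BEFORE = "# vim:syntax=apparmor\n/usr/sbin/ntpd {\n  network inet dgram,\n}\n"
PROFILE_AFTER = PROFILE_BEFORE.replace("/usr/sbin/ntpd {", "/usr/sbin/ntpd flags=(attach_disconnected) {")

def parse_audit_line(line):
    """Return the key/value fields of one type=1400 audit record as a dict."""
    return {k: (q if q else b) for k, q, b in _KV.findall(line)}

def is_disconnected_path_denial(fields):
    """True for a DENIED record whose info says the path was disconnected (name= then has no leading '/')."""
    return fields.get("apparmor") == "DENIED" and "disconnected path" in fields.get("info", "")

def profile_flags(profile_text):
    """Map each top-level profile path to the set of flags on its header line."""
    return {m.group(1): {f.strip() for f in (m.group(2) or "").split(",") if f.strip()}
            for m in _HEADER.finditer(profile_text)}

def triage(log_lines, profile_text):
    """List (profile, name, comm) for disconnected-path denials whose profile
    still lacks flags=(attach_disconnected); an empty list means nothing to do."""
    flags = profile_flags(profile_text)
    findings = []
    for line in log_lines:
        f = parse_audit_line(line)
        if is_disconnected_path_denial(f) and "attach_disconnected" not in flags.get(f.get("profile"), set()):
            findings.append((f.get("profile"), f.get("name"), f.get("comm")))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, PROFILE_BEFORE))  # the ntpd denial; [] with PROFILE_AFTER
```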



Bug#904040: openntpd: Apparmor denies logging

2018-07-18 Thread Stefano Rivera
Package: openntpd
Version: 1:6.2p3-1
Severity: normal
Tags: patch

Can't reproduce this in a quick check in Debian, but I can see it on
Ubuntu 18.04 machines, and this patch does the trick.

AppArmor denies openntpd access to syslog:
> [1690592.258663] audit: type=1400 audit(1531921190.778:1052): 
> apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected 
> path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" 
> pid=2708 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

This seems to be a known issue with apparmor + systemd
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373070

And the workaround is a patch like this (which has already been applied
to ntpd).

SR
diff -Nru openntpd-6.2p3/debian/apparmor-profile openntpd-6.2p3/debian/apparmor-profile
--- openntpd-6.2p3/debian/apparmor-profile	2017-10-31 17:44:20.0 -0700
+++ openntpd-6.2p3/debian/apparmor-profile	2018-07-18 10:01:06.0 -0700
@@ -1,7 +1,7 @@
 # vim:syntax=apparmor
 #include 
 
-/usr/sbin/ntpd {
+/usr/sbin/ntpd flags=(attach_disconnected) {
   #include 
   #include
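Review bot: the `#include` lines in this hunk (the one under `# vim:syntax=apparmor` and the two inside the profile body) have nothing after the keyword, so the profile as shown here would not parse; the angle-bracketed abstraction names were most likely lost in transit, and the patch should be re-checked against the actual debian/apparmor-profile before it is applied. Since Seth's reply in this thread describes `flags=(attach_disconnected)` as a safe workaround rather than the long-term fix, a short comment above the `/usr/sbin/ntpd flags=(attach_disconnected) {` line pointing at the Launchpad bug linked above would keep a later cleanup from dropping the flag without knowing why the `info="Failed name lookup - disconnected path"` denial then comes back.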