[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2019-07-15 Thread Gregory P Smith
I just diagnosed openntpd on my 18.04.2 server to be broken (failing to run, the process died after the apparmor denials, no time adjustments ever happening) until I manually applied the changes mentioned in #34. Neither flags=(attach_disconnected) nor "/run/systemd/journal/dev-log w," had

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2019-07-15 Thread Gregory P Smith
(Sadly the bug tracker won't let me change the status from "Won't Fix" to "Confirmed") -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1727202 Title: [17.10 regression] AppArmor ntp denial: Failed

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2019-07-03 Thread Christian Ehrhardt 
With chrony taking over for ntpd and the usage of openntpd dropping to next to none, this really became less and less important over time. It is fixed in ntpd and not affecting chrony. For openntpd it seems to be an issue but we wait for a reply to comment #34 as far as I read through the updates.

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2019-05-17 Thread Mathew Hodson
** No longer affects: ntp (Ubuntu Xenial) ** No longer affects: ntp (Ubuntu Zesty) ** No longer affects: openntpd (Ubuntu Xenial) ** No longer affects: openntpd (Ubuntu Zesty) ** Changed in: openntpd (Ubuntu Artful) Status: Confirmed => Won't Fix

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2019-05-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: openntpd (Ubuntu Artful) Status: New => Confirmed

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2019-05-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: openntpd (Ubuntu Zesty) Status: New => Confirmed

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2019-05-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: openntpd (Ubuntu Xenial) Status: New => Confirmed

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2019-05-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: openntpd (Ubuntu Bionic) Status: New => Confirmed

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2019-05-02 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: openntpd (Ubuntu) Status: New => Confirmed

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2019-02-19 Thread Andreas Hasenack
Right, the disconnected flag is in the openntpd (usr.sbin.ntpd) profile, but not the journal one: /run/systemd/journal/dev-log w, What triggers the journal DENIED error? I see it was in the same DENIED message that had the "disconnected" complaint, but I can't trigger it (as the bug said in the

Re: [Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-11-26 Thread Seth Arnold
On Tue, Nov 27, 2018 at 01:22:10AM -, Robert Dinse wrote: > I have since upgraded to 18.10 and I don't even see an apparmor profile > for ntp anymore. That's curious. This is in the source package: # vim:syntax=apparmor #include /usr/sbin/ntpd flags=(attach_disconnected) { #include

Re: [Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-11-26 Thread Robert Dinse
727202] Re: [17.10 regression] AppArmor ntp denial: Failed name > lookup - disconnected path > > Andrew, you could try adding: > > flags=(attach_disconnected) > > to the profile attachment line: > > /usr/sbin/ntpd flags=(attach_disconnected) { > > And add: > > /ru

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-11-26 Thread Seth Arnold
Andrew, you could try adding:
    flags=(attach_disconnected)
to the profile attachment line:
    /usr/sbin/ntpd flags=(attach_disconnected) {
And add:
    /run/systemd/journal/dev-log w,
to the profile, then run:
    apparmor_parser --replace /etc/apparmor.d/usr.sbin.ntpd # or whatever the filename is

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-11-22 Thread Andrew Keynes
Note that this also appears to affect openntpd in the same fashion, see following for log excerpt of a fresh 18.04 install with the latest openntpd installation: Nov 23 13:27:34 gbjcdc01 kernel: [1542242.548426] audit: type=1400 audit(1542941854.500:97): apparmor="DENIED" operation="sendmsg"

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-04-30 Thread ChristianEhrhardt
@Tim - Could you check the ntp apparmor profile if it has the change that was made in 1:4.2.8p10+dfsg-5ubuntu4 ? It is a conffile so depending on your former changes it might not have been updated by default. Essentially if /etc/apparmor.d/usr.sbin.ntpd has flags=(attach_disconnected) ?

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-04-30 Thread Tim Ritberg
Problem still present in 18.04

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-01-04 Thread Martin Pitt
The most plausible explanation for enumerating /usr/local/bin/ is that ntpd has some hooks.d/ mechanism which gets called after syncing the time, and that runs a shell in between. So IMHO this should be allowed.

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-01-04 Thread ChristianEhrhardt
FYI - The curiosity of the /usr/local denials will be checked in bug 1741227

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-01-03 Thread Launchpad Bug Tracker
This bug was fixed in the package ntp - 1:4.2.8p10+dfsg-5ubuntu3.1 --- ntp (1:4.2.8p10+dfsg-5ubuntu3.1) artful; urgency=medium * debian/apparmor-profile: add attach_disconnected which is needed in some cases to let ntp report its log messages (LP: #1727202). -- Christian

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-01-03 Thread ChristianEhrhardt
Discussion led a bit off of that, but yes it synced for me in a KVM test.

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-01-03 Thread Robie Basak
Has anyone actually checked that the new build of ntpd actually still works, please (eg. can sync the time)? If not, please could somebody check that?

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-01-03 Thread ChristianEhrhardt
Hi Seth, I never checked why it does so but it puzzled me as well, but whatever it is, it is one of those issues that is a) not really critical and b) tries to hide (I spawned X/A guests and containers, no more triggering to take a look at the stack traces of the open - I'm sure it will be back

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-01-03 Thread ChristianEhrhardt
Thanks Martin for verifying!

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-01-03 Thread ChristianEhrhardt
Note for comment #22 - I also had B KVM guests and containers now - but it really hides from me today :-)

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-01-03 Thread Martin Pitt
I locally ran Cockpit tests on our current Ubuntu 17.10 image and re-confirm that I got the "disconnected path" error. I then upgraded the ntp package to artful-proposed, and *that* violation is now gone. As others already saw, I now get a test failure on apparmor="DENIED" operation="open"

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-01-02 Thread Seth Arnold
Why does ntpd try to enumerate the contents of /usr/local/bin/? This in itself isn't so bad but it certainly is curious. Thanks

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-01-02 Thread ChristianEhrhardt
While I see the non-crit "other" issue with opening its own binary I can not confirm the disconnected path issue in a current xenial guest. Since we knew this appears when triggering the running service to emit an error message I tried to force such an error message. I knew on later releases I

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-01-02 Thread ChristianEhrhardt
At the same time, @Martin are you going to test this with Cockpit or manually against (A-)proposed or should I do so?

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2018-01-02 Thread ChristianEhrhardt
Thanks Gordon for the extra info. There are two things in this actually. 1. the disconnected path goes back more releases than assumed. I added tasks since Xenial on the bug here, but even if (for whatever reason) we would decide not to push that to X/Z it would not affect the Artful SRU to

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2017-12-28 Thread Gordon Lack
This isn't a 17.10 regression - it's been happening for a few years, e.g.: https://bugs.launchpad.net/mos/+bug/1475019 And, FWIW, I added the flags=(attach_disconnected) to the config file yesterday on one of my systems and whereas it does seem to have removed the operation="sendmsg"

[Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path

2017-12-28 Thread Paul M
** Summary changed: - [17.10 regression] AppArmor denial: Failed name lookup - disconnected path + [17.10 regression] AppArmor ntp denial: Failed name lookup - disconnected path