I have since upgraded to 18.10 and I don't even see an apparmor profile for ntp anymore.
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
Knowledgeable human assistance, not telephone trees or script readers.
See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874.

On Tue, 27 Nov 2018, Seth Arnold wrote:

> Date: Tue, 27 Nov 2018 01:07:37 -0000
> From: Seth Arnold <1727...@bugs.launchpad.net>
> To: nan...@eskimo.com
> Subject: [Bug 1727202] Re: [17.10 regression] AppArmor ntp denial: Failed name
>     lookup - disconnected path
>
> Andrew, you could try adding:
>
>     flags=(attach_disconnected)
>
> to the profile attachment line:
>
>     /usr/sbin/ntpd flags=(attach_disconnected) {
>
> And add:
>
>     /run/systemd/journal/dev-log w,
>
> to the profile, then run:
>
>     apparmor_parser --replace /etc/apparmor.d/usr.sbin.ntpd   # or whatever the filename is
>
> See if that lets you get useful logs, any new messages in dmesg or
> auditd logs, etc.
>
> Thanks
>
> ** Also affects: openntpd (Ubuntu)
>    Importance: Undecided
>        Status: New
>
> --
> You received this bug notification because you are subscribed to a
> duplicate bug report (1739943).
> https://bugs.launchpad.net/bugs/1727202
>
> Title:
>   [17.10 regression] AppArmor ntp denial: Failed name lookup -
>   disconnected path
>
> Status in ntp package in Ubuntu:
>   Fix Released
> Status in openntpd package in Ubuntu:
>   New
> Status in ntp source package in Xenial:
>   Invalid
> Status in openntpd source package in Xenial:
>   New
> Status in ntp source package in Zesty:
>   Invalid
> Status in openntpd source package in Zesty:
>   New
> Status in ntp source package in Artful:
>   Fix Released
> Status in openntpd source package in Artful:
>   New
> Status in ntp source package in Bionic:
>   Fix Released
> Status in openntpd source package in Bionic:
>   New
>
> Bug description:
>   [Impact]
>
>    * NTP has new isolation features which make it trigger apparmor issues.
>    * Those apparmor issues not only clutter the log and make other things
>      less readable, they also prevent ntp from reporting its actual
>      messages.
>    * Fix is opening the apparmor profile to follow ntp through the
>      disconnect by the isolation feature.
>
>   [Test Case]
>
>    * This is hard to trigger, but then also not. Which means it is not
>      entirely sorted out when it triggers and when not, but the following
>      does trigger it in tests of Pitti and also mine (while at the same time
>      sometimes it does not - maybe I had other guests or kvm instead of lxd)
>
>    * First install ntp in Artful (or above unless fixed)
>    * Install ntp and check dmesg for denies
>    * Once an issue triggers, instead of the error in syslog you'll see the
>      apparmor Deny like:
>      apparmor="DENIED" operation="sendmsg" info="Failed name lookup -
>      disconnected path" error=-13 profile="/usr/sbin/ntpd"
>      name="run/systemd/journal/dev-log" pid=5600 comm="ntpd"
>      requested_mask="w" denied_mask="w" fsuid=0 ouid=0
>
>   [Regression Potential]
>
>    * We are slightly opening up the apparmor profile which is far lower risk
>      than adding more constraints. So safe from that POV.
>
>    * OTOH one could think this might be a security issue, but in fact this
>      isn't a new suggestion if you take a look at [1] with an ack by Seth of
>      the Security Team.
>
>   [Other Info]
>
>    * n/a
>
>   [1]: https://lists.ubuntu.com/archives/apparmor/2015-May/007858.html
>
>   ----
>
>   Merely installing and starting ntp.service in Ubuntu 17.10 now causes
>   this AppArmor violation:
>
>   audit: type=1400 audit(1508915894.215:25): apparmor="DENIED"
>   operation="sendmsg" info="Failed name lookup - disconnected path"
>   error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log"
>   pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
>
>   (many times). This hasn't happened in earlier Ubuntu releases yet.
>
>   This was spotted by Cockpit's integration tests, as our "ubuntu-
>   stable" image now moved to 17.10 after its release.
>
>   ProblemType: Bug
>   DistroRelease: Ubuntu 17.10
>   Package: ntp 1:4.2.8p10+dfsg-5ubuntu3
>   ProcVersionSignature: Ubuntu 4.13.0-16.19-generic 4.13.4
>   Uname: Linux 4.13.0-16-generic x86_64
>   ApportVersion: 2.20.7-0ubuntu3
>   Architecture: amd64
>   Date: Wed Oct 25 03:19:34 2017
>   SourcePackage: ntp
>   UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1727202

Title:
  [17.10 regression] AppArmor ntp denial: Failed name lookup -
  disconnected path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1727202/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
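The thread above quotes one "Failed name lookup - disconnected path" denial and suggests two profile edits (the `attach_disconnected` flag on the attachment line and a `w` rule for `/run/systemd/journal/dev-log`). As an added example that is not part of the bug thread or of Ubuntu's ntp packaging, the POSIX shell script below does two things a defender would want when triaging this class of denial: it filters audit or dmesg output down to the disconnected-path DENIED events (printing profile, path and denied mask, so ntpd's journal-socket denial can be told apart from other denials), and it checks textually whether a profile file already carries both suggested changes. The audit lines other than the one quoted in the report, and the two minimal before/after profiles, are constructed for the demo; the real `usr.sbin.ntpd` profile is longer, and `apparmor_parser --replace` is only mentioned in a comment because loading a profile needs a real host.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from Ubuntu's ntp packaging.
# 1) disconnected_denials: pull the "disconnected path" DENIED events out of
#    audit/dmesg output, so ntpd's journal-socket denial stands out from others.
# 2) profile_has_fix: check textually whether a profile file already carries
#    the two changes suggested in the thread (attach_disconnected on the
#    attachment line and a write rule for /run/systemd/journal/dev-log).

# Constructed sample: the line quoted in the bug report, a made-up unrelated
# denial, and a non-DENIED status line that must be ignored.
SAMPLE_AUDIT='audit: type=1400 audit(1508915894.215:25): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=5600 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
audit: type=1400 audit(1508915894.300:26): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/run/ntp.conf.dhcp" pid=5600 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1508915894.400:27): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/ntpd" pid=42 comm="apparmor_parser"'

# Print the value of one key="value" field from an audit line read on stdin.
extract_field() {
    sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# Read audit/dmesg lines on stdin; for each DENIED event whose info field
# says the path was disconnected, print "profile<TAB>path<TAB>denied_mask".
disconnected_denials() {
    while IFS= read -r line; do
        case $line in
            *'apparmor="DENIED"'*'disconnected path'*) ;;
            *) continue ;;
        esac
        profile=$(printf '%s\n' "$line" | extract_field profile)
        path=$(printf '%s\n' "$line" | extract_field name)
        mask=$(printf '%s\n' "$line" | extract_field denied_mask)
        printf '%s\t%s\t%s\n' "$profile" "$path" "$mask"
    done
}

# $1 = profile file. Return 0 when the /usr/sbin/ntpd attachment line has
# attach_disconnected in its flags AND the journal socket rule is present.
# Purely textual; it does not parse the profile the way apparmor_parser does.
profile_has_fix() {
    grep -Eq '^[[:space:]]*/usr/sbin/ntpd[[:space:]]+flags=\([^)]*attach_disconnected[^)]*\)[[:space:]]*\{' "$1" || return 1
    grep -Eq '^[[:space:]]*/run/systemd/journal/dev-log[[:space:]]+w,' "$1" || return 1
}

# Write a minimal constructed profile to $2, either without ("before") or
# with ("after") the two suggested changes. Not the real usr.sbin.ntpd profile.
write_demo_profile() {
    if [ "$1" = after ]; then
        flags=' flags=(attach_disconnected)'
        rule='  /run/systemd/journal/dev-log w,'
    else
        flags=''
        rule=''
    fi
    cat > "$2" <<EOF
/usr/sbin/ntpd$flags {
  capability sys_time,
  network inet dgram,
  /etc/ntp.conf r,
$rule
}
EOF
}

# Demo run over the constructed sample and the two constructed profiles.
echo "disconnected-path denials in the sample:"
printf '%s\n' "$SAMPLE_AUDIT" | disconnected_denials

tmpdir=$(mktemp -d)
for state in before after; do
    write_demo_profile "$state" "$tmpdir/$state"
    if profile_has_fix "$tmpdir/$state"; then
        echo "$state: attach_disconnected and dev-log rule present"
    else
        echo "$state: fix not present"
    fi
done
rm -rf "$tmpdir"
# On a real host the edited profile is loaded with:
#   apparmor_parser --replace /etc/apparmor.d/usr.sbin.ntpd
```

Only the event whose `info` names a disconnected path is reported; the ordinary `open` denial in the sample is dropped, which is the distinction that matters when deciding whether `attach_disconnected` is the relevant change. The profile check is deliberately narrow (it keys on the exact attachment line and rule text from the thread) and is a pre-flight sanity check before `apparmor_parser --replace`, not a substitute for reading the parser's own output.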