[ntp:questions] "pool" directive and 4.2.8p8

Kiss Gábor kissg at niif.hu
Mon Nov 14 19:29:14 UTC 2016


> > 2016-11-14T16:45:10.717758+01:00 login kernel: [273248.423730]
> > type=1400 audit(1479138310.715:659): apparmor="DENIED"
> > operation="create" parent=1 profile="/usr/sbin/ntpd" pid=32274
> > comm="ntpd" family="unspec" sock_type="dgram" protocol=0

> Seems like apparmor is only good for blocking protocols,
> not selective ports - the following should allow family unspec:
> 	network udp, # allow access to udp ipv4 and ipv6 addresses
> You may also have to open port 123 in that system's network filters.

In this SLES 12 SP1 the factory default profile for ntpd contains
  network inet dgram,
  network inet stream,
  network inet6 stream,

I added local extensions, but neither "network udp" nor
"network inet6 dgram" helped.

Here is a very similar bug:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1546455

I tried "network unspec dgram" too, but it is a syntax error according
to the parser.
See https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1546455/comments/5
So this apparmor is unpatched yet.

Finally I loaded the ntpd profile with the -C (complain) option, which resulted
in log entries like this:

2016-11-14T20:06:39.633728+01:00 login kernel: [285337.339186] type=1400 audit(1479150399.631:727): apparmor="ALLOWED" operation="create" parent=1 profile="/usr/sbin/ntpd" pid=1135 comm="ntpd" family="unspec" sock_type="dgram" protocol=0

However ntpd does not see any peers yet.

That's all for this evening...

Gabor
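An added example, not part of Gabor's message or of ntp or AppArmor: a small Python triage script that parses audit records of the kind quoted above and works out which "network" rule, if any, would close each socket-create event. The first two sample lines are modelled on the two records in the message; the third (family="inet6") is constructed to show a family the parser does accept. KNOWN_FAMILIES is an assumption limited to the two families present in the quoted factory profile; "unspec" is left out on purpose because the message reports that "network unspec dgram," is rejected by the parser in question.

```python
import re
from typing import Optional

# Constructed sample records: the first two are modelled on the DENIED and
# ALLOWED (complain mode) lines quoted in the message; the third is made up
# to show a family the AppArmor parser does accept in a 'network' rule.
SAMPLE_LOG = """\
2016-11-14T16:45:10.717758+01:00 login kernel: [273248.423730] type=1400 audit(1479138310.715:659): apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/ntpd" pid=32274 comm="ntpd" family="unspec" sock_type="dgram" protocol=0
2016-11-14T20:06:39.633728+01:00 login kernel: [285337.339186] type=1400 audit(1479150399.631:727): apparmor="ALLOWED" operation="create" parent=1 profile="/usr/sbin/ntpd" pid=1135 comm="ntpd" family="unspec" sock_type="dgram" protocol=0
2016-11-14T20:07:01.000000+01:00 login kernel: [285359.000000] type=1400 audit(1479150421.000:728): apparmor="DENIED" operation="create" parent=1 profile="/usr/sbin/ntpd" pid=1135 comm="ntpd" family="inet6" sock_type="dgram" protocol=0
"""

# Matches key="quoted value" or key=bare_value in an audit record.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumption: families we know this parser accepts in a 'network' rule,
# taken from the factory profile quoted in the message. "unspec" is
# deliberately absent: the message reports 'network unspec dgram,' is a
# syntax error for the parser on that SLES 12 SP1 system.
KNOWN_FAMILIES = {"inet", "inet6"}


def parse_audit_line(line: str) -> dict:
    """Split an AppArmor audit record into its key=value fields."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in FIELD_RE.findall(line)}


def triage(line: str) -> Optional[dict]:
    """Classify one log line.

    Returns None if the line is not an AppArmor socket-create record,
    otherwise a dict with the profile, the kernel's verdict, the family and
    socket type, the 'network' rule that would permit it (or None) and a
    note explaining why no rule could be produced.
    """
    f = parse_audit_line(line)
    if f.get("type") != "1400" or f.get("operation") != "create":
        return None
    verdict, family, sock_type = f.get("apparmor"), f.get("family"), f.get("sock_type")
    if not verdict or not family or not sock_type:
        return None
    # In complain mode (-C) the kernel logs ALLOWED for operations the profile
    # does not cover, so an ALLOWED record points at a missing rule just as a
    # DENIED one does; both are treated the same here.
    rule = f"network {family} {sock_type}," if family in KNOWN_FAMILIES else None
    return {
        "profile": f.get("profile"),
        "verdict": verdict,
        "family": family,
        "sock_type": sock_type,
        "rule": rule,
        "note": None if rule else f"family {family!r}: no 'network' rule this parser accepts",
    }


def summarize(log_text: str) -> dict:
    """Group the rules to add per profile and collect events no rule can fix."""
    rules: dict = {}
    unfixable: list = []
    for line in log_text.splitlines():
        t = triage(line)
        if t is None:
            continue
        if t["rule"]:
            rules.setdefault(t["profile"], set()).add(t["rule"])
        else:
            unfixable.append(t)
    return {"rules": rules, "unfixable": unfixable}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for profile, lines in result["rules"].items():
        print(f"# rules to add to the local override for {profile}:")
        for r in sorted(lines):
            print("  " + r)
    for t in result["unfixable"]:
        print(f"# {t['profile']} {t['verdict']} {t['family']}/{t['sock_type']}: {t['note']}")
```

Run it against the journal or /var/log/audit output of the host in question instead of SAMPLE_LOG; anything reported as unfixable is exactly the case in the message, where the profile cannot express the rule and the only options are complain mode or a patched parser.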

