[ntp:questions] "pool" directive and 4.2.8p8

Dan Geist dan at polter.net
Mon Nov 14 16:42:37 UTC 2016


Perhaps the fact that the DNS query would result in more than one answer made the gethost* call behave differently from apparmor's perspective. You could simulate the "server" behavior by trying a "pool" directive to a list containing only one host to see if it behaves differently.

Dan

----- Original Message -----
> From: "Kiss Gábor" <kissg at niif.hu>
> To: "Brian Inglis" <Brian.Inglis at SystematicSw.ab.ca>
> Cc: "questions" <questions at lists.ntp.org>
> Sent: Monday, November 14, 2016 11:04:45 AM
> Subject: Re: [ntp:questions] "pool" directive and 4.2.8p8

> Dear Brian,
> 
> Thanks for your mail.
> I started to write a looong answer ... then I somehow checked the logs.
> 
>> > What did I do wrong?
> 
> Oh Jeez!
> Apparmor made me suck again. :-(
> 
> 2016-11-14T16:45:10.717758+01:00 login kernel: [273248.423730] type=1400
> audit(1479138310.715:659): apparmor="DENIED" operation="create" parent=1
> profile="/usr/sbin/ntpd" pid=32274 comm="ntpd" family="unspec"
> sock_type="dgram" protocol=0
> 
> I wonder what is the forbidden operation that the "pool" directive requires?
> Strace shows dozens like this:
> 
> 32274 socket(PF_UNSPEC, SOCK_DGRAM, 0)  = -1 EACCES (Permission denied)
> 
> Investigation in progress...
> 
> Gabor
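Added example, not part of the original thread: a small Python parser for AppArmor audit records of the kind quoted above, which extracts the denied operation and counts repeated denials so that the dozens of failing socket() calls collapse into one line per profile and socket type. The function names parse_denial and summarize are hypothetical, and the sample is the quoted record re-joined onto one line plus one constructed unrelated line.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: the record quoted in the thread, re-joined onto one
# line, plus one unrelated kernel line that must be ignored.
SAMPLE = [
    '2016-11-14T16:45:10.717758+01:00 login kernel: [273248.423730] type=1400 '
    'audit(1479138310.715:659): apparmor="DENIED" operation="create" parent=1 '
    'profile="/usr/sbin/ntpd" pid=32274 comm="ntpd" family="unspec" '
    'sock_type="dgram" protocol=0',
    '2016-11-14T16:45:11.000000+01:00 login kernel: [273249.000000] eth0: link up',
]

# audit(<epoch seconds>.<millis>:<serial>): key=value key="value" ...
AUDIT_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(4))}
    if fields.get('apparmor') != 'DENIED':
        return None
    # The audit stamp is epoch time; keep it in UTC so it can be matched
    # against syslog timestamps written in any local offset.
    fields['time_utc'] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    fields['serial'] = int(m.group(3))
    return fields


def summarize(lines):
    """Count denials per (profile, operation, family, sock_type)."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d:
            counts[(d.get('profile'), d.get('operation'),
                    d.get('family'), d.get('sock_type'))] += 1
    return counts


if __name__ == '__main__':
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```
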