# For use with clocks that report via shared memory (e.g. gpsd),
# you may need to give ntpd access to all of shared memory, though
# this can be considered dangerous. See https://launchpad.net/bugs/722815
# for details. To enable, add this to local/usr.sbin.ntpd:
# capability ipc_owner,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.ntpd>
}
# uname -rpv
4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64
</pre>
I am suffering from a similar issue, but with slightly different behavior
<pre>
# journalctl -u ntp
Oct 11 10:23:29 lys-stats ntp[5670]: * Starting NTP server ntpd
Oct 11 10:23:29 lys-stats ntpd[5681]: ntpd 4.2.8p4@1.3265-o Wed Oct 5 12:34:45 UTC 2016 (1): Starting
Oct 11 10:23:29 lys-stats ntp[5670]: ...done.
Oct 11 10:23:29 lys-stats systemd[1]: Started LSB: Start NTP daemon.
Oct 11 10:23:29 lys-stats ntpd[5683]: proto: precision = 0.091 usec (-23)
Oct 11 10:23:29 lys-stats ntpd[5683]: restrict 0.0.0.0: KOD does nothing without LIMITED.
Oct 11 10:23:29 lys-stats ntpd[5683]: restrict ::: KOD does nothing without LIMITED.
Oct 11 10:23:29 lys-stats ntpd[5683]: Listen and drop on 0 v6wildcard [::]:123
Oct 11 10:23:29 lys-stats ntpd[5683]: Listen and drop on 1 v4wildcard 0.0.0.0:123
Oct 11 10:23:29 lys-stats ntpd[5683]: ./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error:
Oct 11 10:23:29 lys-stats ntpd[5683]: getting interface addresses: getifaddrs: Permission denied
Oct 11 10:23:29 lys-stats ntpd[5683]: unable to open routing socket (Permission denied) - using polled interface up
Oct 11 10:23:31 lys-stats ntpd[5683]: ./../lib/isc/unix/ifiter_getifaddrs.c:99: unexpected error:
Oct 11 10:23:31 lys-stats ntpd[5683]: getting interface addresses: getifaddrs: Permission denied
# dmesg -T
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.696:24): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.700:25): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:29 2016] audit: type=1400 audit(1476174209.700:26): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
[Tue Oct 11 10:23:31 2016] audit: type=1400 audit(1476174211.356:27): apparmor="DENIED" operation="create" profile="/usr/sbin/ntpd" pid=5683 comm="ntpd" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"
# apt-cache policy apparmor
apparmor:
Installed: 2.10.95-0ubuntu2.2
Candidate: 2.10.95-0ubuntu2.2
Version table:
*** 2.10.95-0ubuntu2.2 500
500 http://archive.ubuntu.com:80/ubuntu xenial-updates/main amd64 Packages
100 /var/lib/dpkg/status
2.10.95-0ubuntu2 500
500 http://archive.ubuntu.com:80/ubuntu xenial/main amd64 Packages
# apt-cache policy ntp
ntp:
Installed: 1:4.2.8p4+dfsg-3ubuntu5.3
Candidate: 1:4.2.8p4+dfsg-3ubuntu5.3
Version table:
*** 1:4.2.8p4+dfsg-3ubuntu5.3 500
500 http://archive.ubuntu.com:80/ubuntu xenial-updates/main amd64 Packages
500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
1:4.2.8p4+dfsg-3ubuntu5 500
500 http://archive.ubuntu.com:80/ubuntu xenial/main amd64 Packages
# cat /etc/ntp.conf
tinker panic 0
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server pool.ntp.org iburst
driftfile /var/lib/ntp/drift
# cat /etc/apparmor.d/usr.sbin.ntpd
# vim:syntax=apparmor
# Updated for Ubuntu by: Jamie Strandboge <email address hidden>
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2009-2012 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
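#include <tunables/global>
#include <tunables/ntpd>

# Profile confining /usr/sbin/ntpd, as pasted by the reporter.
# The rule text is the reporter's own; path and include fragments that the
# page extraction had split off have been rejoined, and nothing was added to
# or removed from the rule set.
/usr/sbin/ntpd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  # Capabilities the daemon is allowed to use. sys_time lets it set the
  # system clock; net_bind_service lets it bind the privileged NTP port
  # (the journal output shows it listening on port 123).
  capability ipc_lock,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_resource,
  capability sys_time,
  capability sys_nice,

  # ntp uses AF_INET, AF_INET6 and AF_UNSPEC
  # NOTE(review): the denials quoted with this profile are for
  # family="netlink" sock_type="raw" operation="create". The two rules below
  # name only dgram and stream socket types, so they do not cover a raw
  # socket; whether one of the included abstractions grants netlink raw is
  # not visible here. Confirm against the abstractions actually loaded.
  network dgram,
  network stream,

  @{PROC}/net/if_inet6 r,
  @{PROC}/*/net/if_inet6 r,
  @{NTPD_DEVICE} rw,
  # pps devices are almost exclusively used with NTP
  /dev/pps[0-9]* rw,

  /{,s}bin/ r,
  /usr/{,s}bin/ r,
  # r = read, m = executable mmap, ix = execute inheriting this profile
  /usr/sbin/ntpd rmix,

  # Configuration and key material: read-only.
  /etc/ntp.conf r,
  /etc/ntp.conf.dhcp r,
  /etc/ntpd.conf r,
  /etc/ntpd.conf.tmp r,
  /var/lib/ntp/ntp.conf.dhcp r,

  /etc/ntp.keys r,
  /etc/ntp/** r,

  # Drift files: the daemon rewrites these.
  /etc/ntp.drift rwl,
  /etc/ntp.drift.TEMP rwl,
  /etc/ntp/drift* rwl,
  /var/lib/ntp/*drift rw,
  /var/lib/ntp/*drift.TEMP rw,

  # Logs and statistics files.
  /var/log/ntp w,
  /var/log/ntp.log w,
  /var/log/ntpd w,
  /var/log/ntpstats/clockstats* rwl,
  /var/log/ntpstats/loopstats* rwl,
  /var/log/ntpstats/peerstats* rwl,
  /var/log/ntpstats/protostats* rwl,
  /var/log/ntpstats/rawstats* rwl,
  /var/log/ntpstats/sysstats* rwl,

  /{,var/}run/ntpd.pid w,

  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,

  # For use with clocks that report via shared memory (e.g. gpsd),
  # you may need to give ntpd access to all of shared memory, though
  # this can be considered dangerous. See https://launchpad.net/bugs/722815
  # for details. To enable, add this to local/usr.sbin.ntpd:
  # capability ipc_owner,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.ntpd>
}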
# uname -rpv
4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016 x86_64
</pre>