enabling RTC support is blocked by apparmor
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
chrony (Debian) | Fix Released | Unknown | |
chrony (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description
If enabling rtc support:
/etc/chrony/
#rtcsync
rtcfile /var/lib/chrony/rtc
And restarting chrony into that config
$ sudo systemctl restart chrony
It will fail to use that:
Feb 23 09:53:02 bionic-test chronyd[4216]: Could not open /etc/adjtime : No such file or directory
Feb 23 09:53:02 bionic-test chronyd[4216]: Could not open RTC device /dev/rtc : Permission denied
One is an apparmor Deny:
[ 5756.216096] audit: type=1400 audit(151937958
The access to /etc/adjtime would be ok if it exists.
I created it in my setup and it is good now.
But the apparmor profile needs to allow rtc.
Changed in chrony (Debian): status: Unknown → New
Changed in chrony (Debian): status: New → Fix Committed
Changed in chrony (Ubuntu): status: New → In Progress
Changed in chrony (Debian): status: Fix Committed → Fix Released
The same applied to:
/dev/pps*
/dev/ptp*
There are actually rules for this, and the problem is that they are read only but chrony needs write as well.
Maybe for some r-only would be ok, but until that is fixed in code (takes time) allow it on these devices. Fortunately, they are not terribly security critical in regard to write access.
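
One way to check a profile for the gap described in this report, as an added example (not code from chrony or its packaging): it reports which of the named devices do not receive both read and write from the profile's allow rules. The sample profile text, the device instances `/dev/rtc0`, `/dev/pps0` and `/dev/ptp0`, and all function names are constructed for illustration; only the `**`, `*`, `?` and `[...]` glob forms are handled.

```python
import re

# Devices named in the report; the numbered nodes are representative instances.
DEVICES = ["/dev/rtc", "/dev/rtc0", "/dev/pps0", "/dev/ptp0"]

# Constructed sample (not the shipped profile): no rtc rule, pps/ptp read-only.
SAMPLE_PROFILE = """
/usr/sbin/chronyd {
  /var/lib/chrony/* rw,
  /dev/pps[0-9]* r,
  /dev/ptp[0-9]* r,
}
"""

# Plain allow rules only: "deny ..." lines and non-file rules do not match.
RULE = re.compile(r"^\s*(?:owner\s+)?(/\S*)\s+([rwmklixaPpCcUu]+)\s*,\s*(?:#.*)?$")

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used here: **, *, ?, [...]."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):      # ** crosses directory separators
            out, i = out + ".*", i + 2
        elif glob[i] == "*":              # * stays within one path component
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "?":
            out, i = out + "[^/]", i + 1
        elif glob[i] == "[" and "]" in glob[i:]:
            end = glob.index("]", i)
            out, i = out + glob[i:end + 1], end + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def granted(profile_text, path):
    """Union of access modes from all allow rules matching path."""
    modes = set()
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m and glob_to_regex(m.group(1)).match(path):
            modes |= set(m.group(2))
    return modes

def lacking_rw(profile_text, devices=DEVICES):
    """Map each device that does not get both r and w to the modes it has."""
    return {d: "".join(sorted(granted(profile_text, d)))
            for d in devices if not {"r", "w"} <= granted(profile_text, d)}

if __name__ == "__main__":
    print(lacking_rw(SAMPLE_PROFILE))
```
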