Comment 0 for bug 1869629

Revision history for this message
Rich McAllister (rfm) wrote : AppArmor denied accss to /etc/mdns.allow to cronyd

Many repetitions of

audit: type=1400 audit(1585517168.705:63): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/etc/mdns.allow" pid=1983815 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=123 ouid=0

in log. I use libnss-mdns for .local name resolution, so /etc/nsswitch.conf contains

hosts: files mdns [NOTFOUND=return] myhostname dns

and /etc/mnds.allow contains the domains to resolve with mDNS (in may case, "local." and "local"; see /usr/share/doc/libnss-mdns/README.html.)

Presumably cronyd calls a gethostbyX() somewhere, thus eventually trickling down through the name service switch and opening /etc/mdns.allow, which the AppArmor profile in the chrony package does not allow.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: chrony 3.5-6ubuntu1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
Date: Sun Mar 29 15:02:39 2020
InstallationDate: Installed on 2020-03-26 (3 days ago)
InstallationMedia: Xubuntu 20.04 LTS "Focal Fossa" - Alpha amd64 (20200326)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: chrony
UpgradeStatus: No upgrade log present (probably fresh install)