From IRC, here is the content of Paul's file - it has all we'd expect:
# grep 'run.*/chrony' /etc/apparmor.d/usr.sbin.chronyd
# For /run/chrony to be created
@{run}/chrony/{,*} rw,
@{run}/chrony-dhcp/{,*} r,
# Example gpsd socket is outside @{run}/chrony/
@{run}/chrony.tty{,*}.sock rw,
@{run}/timemaster/chrony.conf r,
Sadly, even on his system it is no longer reproducible (when removing the rule he added it still works).
Looking for the original denial showed no denial in Paul's logs.
So it seems the "apparmor fix" was a red herring and just fixed by the restart.
Theory: maybe the profile wasn't reloaded on upgrade?
But then it would show a denial and it didn't.
Also chrony has the common reload in postinst:
$ grep appa /var/lib/dpkg/info/chro*postinst
/var/lib/dpkg/info/chrony.postinst:# Automatically added by dh_apparmor/3.0.3-0ubuntu6
/var/lib/dpkg/info/chrony.postinst: APP_PROFILE="/etc/apparmor.d/usr.sbin.chronyd"
/var/lib/dpkg/info/chrony.postinst: LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.sbin.chronyd"
/var/lib/dpkg/info/chrony.postinst: apparmor_parser -r -T -W "$APP_PROFILE" || true
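The check reasoned through above can be run mechanically: a denial that the on-disk rules already allow would point to a stale loaded profile, a denial they do not allow to a missing rule, and no denial at all away from AppArmor. This is an added example, not part of the original comment or of chrony's packaging; the log lines are constructed, `@{run}` is assumed to resolve to `/run`, and the function names are hypothetical.

```python
import re

# Path rules quoted in the comment above, as (glob, permissions).
RULES = [("@{run}/chrony/{,*}", "rw"), ("@{run}/chrony-dhcp/{,*}", "r"),
         ("@{run}/chrony.tty{,*}.sock", "rw"), ("@{run}/timemaster/chrony.conf", "r")]
RUN = "/run"  # assumption: @{run} resolves to /run on this system
DENIAL = re.compile(r'apparmor="DENIED".*?profile="([^"]+)".*?name="([^"]+)"'
                    r'.*?denied_mask="([^"]+)"')
# Glob subset these rules use; commas only occur inside {} here.
TOKENS = {"*": "[^/]*", "{": "(?:", "}": ")", ",": "|"}

def glob_to_regex(glob):
    """Translate one rule path into a regex ('*' never crosses a '/')."""
    path = glob.replace("@{run}", RUN)
    return re.compile("".join(TOKENS.get(c, re.escape(c)) for c in path))

def classify_denials(log_text, profile_suffix="chronyd"):
    """Split denials into those the on-disk rules allow and those they do not."""
    result = {"covered": [], "uncovered": []}
    for profile, path, mask in DENIAL.findall(log_text):
        if not profile.endswith(profile_suffix):
            continue  # denial belongs to another profile
        # Simplification: create/delete/append are all granted by 'w' in a profile.
        needed = {"w" if ch in "wcda" else ch for ch in mask}
        allowed = set()
        for glob, perms in RULES:
            if glob_to_regex(glob).fullmatch(path):
                allowed |= set(perms)
        result["covered" if needed <= allowed else "uncovered"].append((path, mask))
    return result

# Constructed kernel audit lines, not taken from the bug report.
SAMPLE_LOG = "\n".join([
    'audit: type=1400 audit(1650000000.100:10): apparmor="DENIED" operation="mknod" '
    'profile="/usr/sbin/chronyd" name="/run/chrony/chronyd.sock" pid=900 '
    'comm="chronyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    'audit: type=1400 audit(1650000001.200:11): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/chronyd" name="/run/chrony-dhcp/eth0.sources" pid=900 '
    'comm="chronyd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'audit: type=1400 audit(1650000002.300:12): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/cupsd" name="/run/chrony/chronyd.sock" pid=901 '
    'comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
])

if __name__ == "__main__":
    print(classify_denials(SAMPLE_LOG))
```

Both lists coming back empty corresponds to the situation described above, where the logs held no denial to explain the failure.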