Activity log for bug #1598759

Date Who What changed Old value New value Message
2016-07-04 09:19:24 knz bug added bug
2016-07-04 09:19:49 knz summary missing apparmor definition for ntpd incomplete apparmor definition for ntpd
2016-08-03 06:50:57 dino99 bug task added apparmor (Ubuntu)
2016-08-03 06:54:51 dino99 tags xenial yakkety
2016-08-03 06:57:06 Launchpad Janitor apparmor (Ubuntu): status New Confirmed
2016-08-03 06:57:06 Launchpad Janitor ntp (Ubuntu): status New Confirmed
2016-08-10 18:29:08 Robie Basak ntp (Ubuntu): importance Undecided High
2016-08-10 18:29:16 Robie Basak tags xenial yakkety bitesize xenial yakkety
2016-08-10 18:29:52 Robie Basak bug added subscriber Ubuntu Server Team
2016-08-10 20:51:04 Robie Basak ntp (Ubuntu): assignee Joshua Powers (powersj)
2016-08-30 20:29:22 Alberto Salvia Novella apparmor (Ubuntu): importance Undecided High
2016-08-31 05:48:13 dino99 tags bitesize xenial yakkety bitesize xenial
2016-09-04 14:39:40 sanford rockowitz bug added subscriber sanford rockowitz
2016-09-07 22:08:32 Joshua Powers ntp (Ubuntu): status Confirmed Incomplete
2016-09-07 22:08:44 Joshua Powers apparmor (Ubuntu): status Confirmed Incomplete
2016-09-07 22:29:08 Joshua Powers bug added subscriber Joshua Powers
2016-10-11 21:54:03 Tyler Hicks summary incomplete apparmor definition for ntpd AppArmor nameservice abstraction doesn't allow communication with systemd-resolve
2016-10-11 22:00:09 Tyler Hicks ntp (Ubuntu): status Incomplete Invalid
2016-10-11 22:00:20 Tyler Hicks apparmor (Ubuntu): assignee Tyler Hicks (tyhicks)
2016-10-11 22:00:24 Tyler Hicks apparmor (Ubuntu): status Incomplete Triaged
2016-10-11 22:00:58 Tyler Hicks bug task added apparmor
2016-10-11 22:01:10 Tyler Hicks summary AppArmor nameservice abstraction doesn't allow communication with systemd-resolve AppArmor nameservice abstraction doesn't allow communication with systemd-resolved
2016-10-11 22:01:20 Tyler Hicks apparmor: status New In Progress
2016-10-11 22:01:22 Tyler Hicks apparmor: importance Undecided High
2016-10-11 22:01:24 Tyler Hicks apparmor: assignee Tyler Hicks (tyhicks)
2016-10-12 02:59:54 Tyler Hicks description
Old value:
On this plain install of Xenial apparmor complains about ntpd:

[   19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[   20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[   22.426246] audit: type=1400 audit(1467623333.434:29): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[   22.771326] audit: type=1400 audit(1467623333.782:30): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[   23.568548] audit: type=1400 audit(1467623334.574:31): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0

Adding the following line to /etc/apparmor.d/usr.sbin.ntpd fixes the problem:

    #include <abstractions/dbus-strict>

New value:
[ Impact ]

Processes confined by AppArmor profiles making use of the nameservice AppArmor abstraction are unable to access the systemd-resolved network name resolution service. The nsswitch.conf file shipped in Yakkety puts the nss-resolve plugin to use which talks to systemd-resolved over D-Bus. The D-Bus communication is blocked for the confined processes described above and those processes will fall back to the traditional means of name resolution.

[ Test Case ]

* Use ntpd to test:

  $ sudo apt-get install -y ntp
  ...
  $ sudo systemctl stop ntp
  # in another terminal, watch for AppArmor denials
  $ dmesg -w
  # in the original terminal, start ntp
  $ sudo systemctl start ntp
  # You'll see a number of denials on the system_bus_socket file:
  audit: type=1400 audit(1476240762.854:35): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=3867 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=126 ouid=0

* Use tcpdump to test:

  # Capture traffic on whichever network interface you're currently using
  $ sudo tcpdump -i eth0
  # Look in /var/log/syslog for denials on the system_bus_socket file:
  audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

In both situations, ntpd and tcpdump will seemingly work as expected due to the name resolution fallback configured in nsswitch.conf. However, neither confined process will be using systemd-resolved for name resolution.

[ Regression Potential ]

This fix will allow ntp, tcpdump, cupsd, dhclient, and other confined-by-default programs to start using systemd-resolved. There is some potential for regression since those applications have not been previously using systemd-resolved.

[ Original bug description ]

On this plain install of Xenial apparmor complains about ntpd:

[   19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[   20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[   22.426246] audit: type=1400 audit(1467623333.434:29): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[   22.771326] audit: type=1400 audit(1467623333.782:30): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[   23.568548] audit: type=1400 audit(1467623334.574:31): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0

Adding the following line to /etc/apparmor.d/usr.sbin.ntpd fixes the problem:

    #include <abstractions/dbus-strict>
2016-10-13 06:22:23 Martin Pitt nominated for series Ubuntu Yakkety
2016-10-13 06:22:23 Martin Pitt bug task added ntp (Ubuntu Yakkety)
2016-10-13 06:22:23 Martin Pitt bug task added apparmor (Ubuntu Yakkety)
2016-10-13 06:22:54 Martin Pitt apparmor (Ubuntu Yakkety): status Triaged Fix Committed
2016-10-13 06:22:57 Martin Pitt bug added subscriber Ubuntu Stable Release Updates Team
2016-10-13 06:23:00 Martin Pitt bug added subscriber SRU Verification
2016-10-13 06:23:07 Martin Pitt tags bitesize xenial bitesize verification-needed xenial
2016-10-13 20:26:55 Tyler Hicks tags bitesize verification-needed xenial bitesize verification-done xenial
2016-10-13 20:28:40 Tyler Hicks apparmor: status In Progress Triaged
2016-10-13 20:28:40 Tyler Hicks apparmor: assignee Tyler Hicks (tyhicks)
2016-10-13 20:48:03 Christian Boltz tags bitesize verification-done xenial aa-policy bitesize verification-done xenial
2016-10-19 17:57:34 Jared Fernandez bug added subscriber Jared Fernandez
2016-10-20 06:12:27 Launchpad Janitor apparmor (Ubuntu): status Fix Committed Fix Released
2016-10-20 19:45:47 Martin Pitt removed subscriber Ubuntu Stable Release Updates Team
2016-10-20 19:45:46 Launchpad Janitor apparmor (Ubuntu Yakkety): status Fix Committed Fix Released
2017-01-31 23:08:35 John Johansen apparmor: status Triaged Fix Released
2017-01-31 23:29:32 Tyler Hicks apparmor: status Fix Released Triaged
2017-07-23 22:46:03 Václav Haisman bug added subscriber Václav Haisman
2017-07-23 22:46:15 Václav Haisman tags aa-policy bitesize verification-done xenial aa-policy bitesize verification-done xenial zesty
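The denial records quoted in the bug description are the signal a defender would triage: a confined process making a DENIED connect to /run/dbus/system_bus_socket, which is what a profile built on the unfixed nameservice abstraction produces when nss-resolve tries to reach systemd-resolved. The following Python is an added example, not code from the bug report, from Launchpad or from the AppArmor project. It parses audit lines of the shape shown on the page, counts matching denials per profile, and checks whether a profile text already carries the one-line workaround the reporter used. The sample log reproduces three denials from the report plus two constructed non-matching records; the function names, the constructed profile fragments and the sample values not taken from the report are my own.

```python
import re
from collections import Counter

# Constructed sample log: the first three records reproduce denials quoted in
# the bug report; the last two are constructed negatives (a non-D-Bus denial
# and an ALLOWED record, as seen in complain mode) that the filter must skip.
SAMPLE_LOG = """\
[   19.379152] audit: type=1400 audit(1467623330.386:27): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
[   20.379299] audit: type=1400 audit(1467623331.386:28): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/dbus/system_bus_socket" pid=4513 comm="ntpd" requested_mask="wr" denied_mask="wr" fsuid=121 ouid=0
audit: type=1400 audit(1476240896.021:40): apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=4106 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
[   25.000000] audit: type=1400 audit(1467623336.000:32): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/var/lib/ntp/ntp.drift" pid=4513 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=121 ouid=0
[   26.000000] audit: type=1400 audit(1467623337.000:33): apparmor="ALLOWED" operation="connect" profile="/usr/sbin/cupsd" name="/run/dbus/system_bus_socket" pid=900 comm="cupsd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
"""

SYSTEM_BUS_SOCKET = "/run/dbus/system_bus_socket"

# key=value pairs in an audit record; values are double-quoted or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Split one AppArmor audit record into a dict of its key=value fields.

    Returns None for lines that are not AppArmor records at all.
    """
    if "apparmor=" not in line:
        return None
    fields = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def find_system_bus_denials(log_text):
    """Return (profile, pid) for every DENIED connect on the system bus socket.

    This is exactly the pattern the bug report describes: a confined process
    trying to reach systemd-resolved over D-Bus and being refused by policy.
    """
    hits = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if not fields:
            continue
        if (fields.get("apparmor") == "DENIED"
                and fields.get("operation") == "connect"
                and fields.get("name") == SYSTEM_BUS_SOCKET):
            hits.append((fields["profile"], int(fields["pid"])))
    return hits


def denials_per_profile(log_text):
    """Count matching denials per AppArmor profile, i.e. the profiles needing the fix."""
    return Counter(profile for profile, _ in find_system_bus_denials(log_text))


# The reporter's workaround: the profile must pull in a D-Bus abstraction.
# Both the "#include" spelling used on the page and the bare "include" form
# accepted by newer AppArmor parsers are recognised.
DBUS_INCLUDE_RE = re.compile(r'^\s*#?include\s+<abstractions/dbus(-strict)?>\s*$', re.M)


def profile_grants_dbus(profile_text):
    """True if the profile text includes abstractions/dbus-strict or abstractions/dbus."""
    return DBUS_INCLUDE_RE.search(profile_text) is not None


if __name__ == "__main__":
    for profile, count in denials_per_profile(SAMPLE_LOG).items():
        print(f"{profile}: {count} denied connect(s) to {SYSTEM_BUS_SOCKET}")
    # Constructed profile fragments: before and after the reporter's one-line fix.
    before = "#include <tunables/global>\n/usr/sbin/ntpd {\n  #include <abstractions/nameservice>\n}\n"
    after = before.replace("<abstractions/nameservice>\n",
                           "<abstractions/nameservice>\n  #include <abstractions/dbus-strict>\n")
    print("before fix grants D-Bus:", profile_grants_dbus(before))
    print("after fix grants D-Bus:", profile_grants_dbus(after))
```

Run against `dmesg -w` output or /var/log/syslog, the per-profile count separates this specific failure mode from unrelated AppArmor denials, and because the affected programs keep working through the nsswitch.conf fallback, this log check is the only reliable way to notice that a confined service is silently not using systemd-resolved.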