Devuan bug report logs - #607
chrony: AppArmor profile needed between ISC dhcp client and chrony

Package: chrony; Maintainer for chrony is (unknown); Source for chrony is src:chrony.

Reported by: Steve Egbert <s.egbert@sbcglobal.net>

Date: Thu, 2 Sep 2021 18:32:02 UTC

Severity: minor

Tags: debian

Found in version 3.4-4+deb10u1

Fixed in version 4.0~pre4-1

Done: Mark Hindley <mark@hindley.org.uk>


Report forwarded to devuan-bugs@lists.dyne.org, s.egbert@sbcglobal.net, devuan-dev@lists.dyne.org:
bug#607; Package chrony. (Thu, 02 Sep 2021 18:32:02 GMT).


Acknowledgement sent to Steve Egbert <s.egbert@sbcglobal.net>:
New bug report received and forwarded. Copy sent to s.egbert@sbcglobal.net, devuan-dev@lists.dyne.org. (Thu, 02 Sep 2021 18:32:06 GMT).


Message #5 received at submit@bugs.devuan.org:

From: Steve Egbert <s.egbert@sbcglobal.net>
To: Devuan Bug Tracking System <submit@bugs.devuan.org>
Subject: chrony: AppArmor profile needed between ISC dhcp client and chrony
Date: Thu, 02 Sep 2021 11:35:25 -0400
Package: chrony
Version: 3.4-4+deb10u1
Severity: minor
Tags: d-i

Dear Maintainer,


This chronyd daemon configuration-reading 
bug (/etc/chrony/chrony.conf) occurs ONLY when 
using ALL of the following:

   * dhclient (ISC DHCP client)
   * chrony   (Chrony NTP time server)
   * apparmor (Application Armor)

WHAT DID I DO?

I merely installed the following 3 packages:

   apt install isc-dhcp-client chrony apparmor

The NTP server IP address(es) supplied by 
a (remote) DHCP server get written 
into the /var/lib/dhcp/chrony.server.eth1 file
and are later read by the chronyd daemon at startup.

OUTCOME

AppArmor reported a file permission error 
while the chronyd daemon was reading the 
/var/lib/dhcp/chrony.server.eth1 file.

WORKAROUND

Adding the following two files into /etc/apparmor.d/local
fixes this problem.

/etc/apparmor.d/local/sbin.dhclient.chronyd

    /var/lib/dhcp/chrony.server.* wrix,

/etc/apparmor.d/local/usr.sbin.chronyd.dhclient

    /var/lib/dhcp/chrony.server.* r,

then reload AppArmor:

    /etc/init.d/apparmor reload
    ifdown eth1
    ifup eth1
    ip addr list eth1


CONCLUSION

Ideally, two things probably need to happen:

1.  Move (yet NOT append, but kept separate) those local 
    (but inter-package-related) apparmor files out of
    the local subdirectory and into the corresponding main 
    AppArmor config directory found in the 
    /etc/apparmor.d/ subdirectory

2.  During Debian post install scripting, some kind of
    dependency logic is required to do both removal and
    addition of those two AppArmor files depending on:

    A.  Both chrony and isc-dhcp-client are installed: install
        these two AppArmor files.

    B.  Only chrony is installed: check if isc-dhcp-client
        package is not installed, then remove the two AppArmor 
        inter-package-specific files.

    C.  Only isc-dhcp-client is installed: check if chrony
        package is not installed, then remove the two
        AppArmor inter-package files.

    D.  If 'apt purge' is used, always purge these two files.


Since chronyd is on the receiving end of this NTP
server IP address information, it would make more sense
to place the isc-dhcp-client/chrony inter-package 
dependency logic inside the chrony package (unless
there is some grander Debian design of handling
AppArmor that I am not aware of).

-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 3 (beowulf)
Release:	3
Codename:	beowulf
Architecture: x86_64

Kernel: Linux 5.10.46d1-no-mod-minfs (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages chrony depends on:
ii  adduser              3.118
ii  init-system-helpers  1.56+nmu1+devuan3
ii  iproute2             4.20.0-2+deb10u1
ii  libc6                2.28-10
ii  libcap2              1:2.25-2
ii  libedit2             3.1-20181209-1
ii  libnettle6           3.4.1-1+deb10u1
ii  libseccomp2          2.3.3-4
ii  lsb-base             10.2019051400
ii  ucf                  3.0038+nmu1

chrony recommends no packages.

Versions of packages chrony suggests:
ii  bind9-dnsutils [dnsutils]  1:9.16.15-1~bpo10+1
pn  networkd-dispatcher        <none>

-- no debconf information
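
The denials described in this report, turned into a check (an added example, not part of the original report or of either package): it reads AppArmor DENIED audit lines and prints, per profile, a rule for /var/lib/dhcp/chrony.server.* that is no wider than the access that was actually denied. The log lines are constructed, and the profile names /sbin/dhclient and /usr/sbin/chronyd are assumptions taken from the local file names in the report.

```shell
#!/bin/sh
# Added example: derive least-privilege local AppArmor rules from denial logs.
# SAMPLE_LOG is constructed for illustration; profile names are assumptions.
SAMPLE_LOG='audit: type=1400 audit(1630596925.090:40): apparmor="DENIED" operation="open" profile="/sbin/dhclient" name="/var/lib/dhcp/chrony.server.eth1" pid=790 comm="dhclient" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(1630596925.101:41): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/var/lib/dhcp/chrony.server.eth1" pid=812 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1630596925.130:42): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/var/lib/dhcp/dhclient.eth1.leases" pid=812 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1630596925.140:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/chronyd" name="/var/lib/dhcp/chrony.server.eth0" pid=812 comm="chronyd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0'

# Read audit lines on stdin; print "<profile><TAB><rule>" for each profile
# that was denied access to a chrony.server.<interface> file.
suggest_rules() {
    awk '
    # Return the quoted value of key="..." from an audit line, or "".
    function field(line, key,    i, rest) {
        i = index(line, key "=\"")
        if (i == 0) return ""
        rest = substr(line, i + length(key) + 2)
        return substr(rest, 1, index(rest, "\"") - 1)
    }
    # Complain-mode (ALLOWED) and unrelated records are skipped.
    field($0, "apparmor") != "DENIED" { next }
    {
        name = field($0, "name")
        # Only the hand-off file from the report, nothing else in the directory.
        if (name !~ "^/var/lib/dhcp/chrony[.]server[.][^/]+$") next
        prof = field($0, "profile")
        mask = field($0, "denied_mask")
        # Log masks c (create) and d (delete) are granted by w in a rule.
        gsub(/[cd]/, "w", mask)
        for (i = 1; i <= length(mask); i++) seen[prof, substr(mask, i, 1)] = 1
        profs[prof] = 1
    }
    END {
        n = split("r w k l m x", order, " ")
        for (p in profs) {
            out = ""
            for (i = 1; i <= n; i++) if ((p, order[i]) in seen) out = out order[i]
            printf "%s\t/var/lib/dhcp/chrony.server.* %s,\n", p, out
        }
    }' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```

Each output line is a profile name, a tab, and the rule to place in that profile's file under /etc/apparmor.d/local before reloading AppArmor.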

Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#607; Package chrony. (Fri, 03 Sep 2021 09:12:02 GMT).


Message #8 received at 607@bugs.devuan.org:

From: Mark Hindley <mark@hindley.org.uk>
To: Steve Egbert <s.egbert@sbcglobal.net>, 607@bugs.devuan.org
Subject: Re: bug#607: chrony: AppArmor profile needed between ISC dhcp client and chrony
Date: Fri, 3 Sep 2021 10:08:36 +0100
Control: tags -1 debian

Steve,

Thanks for this.

On Thu, Sep 02, 2021 at 11:35:25AM -0400, Steve Egbert wrote:
> Package: chrony
> Version: 3.4-4+deb10u1
> Severity: minor
> Tags: d-i

Neither chrony nor isc-dhcp-client are forked packages and Devuan uses Debian's
packages directly without recompilation. Please report this issue to Debian's
BTS to be addressed.

Many thanks.

Mark

Added tag(s) debian. Request was from Mark Hindley <mark@hindley.org.uk> to 607-submit@bugs.devuan.org. (Fri, 03 Sep 2021 09:12:06 GMT).


Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org:
bug#607; Package chrony. (Fri, 03 Sep 2021 09:22:01 GMT).


Reply sent to Mark Hindley <mark@hindley.org.uk>:
You have taken responsibility. (Wed, 15 Feb 2023 16:08:01 GMT).


Notification sent to Steve Egbert <s.egbert@sbcglobal.net>:
bug acknowledged by developer. (Wed, 15 Feb 2023 16:08:03 GMT).


Message #18 received at 607-done@bugs.devuan.org:

From: Mark Hindley <mark@hindley.org.uk>
To: Steve Egbert <s.egbert@sbcglobal.net>, 607-done@bugs.devuan.org
Subject: Re: bug#607: chrony: AppArmor profile needed between ISC dhcp client and chrony
Date: Wed, 15 Feb 2023 16:05:37 +0000
Version: 4.0~pre4-1

Chrony now saves NTP servers configured over DHCP to /run/chrony-dhcp/$interface.sources.
I believe that resolves this issue.

Closing.

Mark


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Thu Mar 28 14:49:08 2024;