:: [devuan-dev] bug#607: chrony: AppAr…
Startseite
Nachricht löschen
Nachricht beantworten
Autor: Steve Egbert
Datum:  
To: Devuan Bug Tracking System
Betreff: [devuan-dev] bug#607: chrony: AppArmor profile needed between ISC dhcp client and chrony
Spam detection software, running on the system "tupac3.dyne.org",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.

Content preview: Package: chrony Version: 3.4-4+deb10u1 Severity: minor Tags:
d-i Dear Maintainer, *** Reporter, please consider answering these questions,
where appropriate ***

Content analysis details: (5.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.6 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [71.121.183.2 listed in zen.spamhaus.org]
 0.9 SPF_FAIL               SPF: sender does not match SPF record (fail)
[SPF failed: Please see http://www.openspf.org/Why?s=mfrom;id=devuanbugs%40dyne.org;ip=71.121.183.2;r=tupac3.dyne.org]
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
                            mail domains are different
 0.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP
                            address
                            [71.121.183.2 listed in dnsbl.sorbs.net]
 0.4 RDNS_DYNAMIC           Delivered to internal network by host with
                            dynamic-looking rDNS



Package: chrony
Version: 3.4-4+deb10u1
Severity: minor
Tags: d-i

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?


*** End of the template - remove these template lines ***


This chronyd daemon configuration-reading
bug (/etc/chrony/chrony.conf) occurs ONLY when
using ALL of the following:

* dhclient (ISC DHCP client)
* chrony (Chrony NTP time server)
* apparmor (Application Armor)

WHAT DID I DO?

I merely installed the following those 3 packages:

apt install isc-dhcp-client chrony apparmor

The NTP server IP address(es) supplied by
a (remote) DHCP server gets written
into /var/lib/dhcp/chrony.server.eth1 file
and later read by chronyd daemon at startup.

OUTCOME

AppArmor reported that a file permission error
while chronyd daemon was reading the
/var/lib/dhcp/chrony.server.eth1 file.

WORKAROUND

Adding the following two files into /etc/apparmor.d/local
fixes this problem.

/etc/apparmor.d/local/sbin.dhclient.chronyd

    /var/lib/dhcp/chrony.server.* wrix,


/etc/apparmor.d/local/usr.sbin.chronyd.dhclient

    /var/lib/dhcp/chrony.server.* r,


then reload the AppArmor

    /etc/init.d/apparmor reload
    ifdown eth1
    ifup eth1
    ip addr list eth1



CONCLUSION

Ideally, two things probably needs to happen:

1.  Move (yet NOT append, but kept separate) those local 
    (but inter-package-related) apparmor files out of
    the local subdirectory and into the corresponding main 
    AppArmor config direcetory found in the 
    /etc/apparmor.d/ subdirectory


2.  During Debian post install scripting, some kind of
    dependency logic is required to do both removal and
    addition of those two AppArmor files depending on:


    A.  Both chrony and isc-dhcp-client are installed: install
        these two AppArmor files.


    B.  Only chrony are installed: check if isc-dhcp-client
        package is not installed, then remove the two AppArmor 
        inter-package-specific files.


    C.  Only isc-dhcp-client are installed: check if chrony
        package is not installed, then remove the two
        AppArmor inter-package files.


    D.  If 'apt purge' is used, always purge these two files.



Since chronyd is on the receiving end of this NTP
server IP address information, it would make more sense
to place the isc-dhcp-client/chrony inter-package
dependency logic inside the chrony package (unless
there is some grander Debian design of handling
AppArmor that I am not aware of).

-- System Information:
Distributor ID:    Devuan
Description:    Devuan GNU/Linux 3 (beowulf)
Release:    3
Codename:    beowulf
Architecture: x86_64


Kernel: Linux 5.10.46d1-no-mod-minfs (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages chrony depends on:
ii  adduser              3.118
ii  init-system-helpers  1.56+nmu1+devuan3
ii  iproute2             4.20.0-2+deb10u1
ii  libc6                2.28-10
ii  libcap2              1:2.25-2
ii  libedit2             3.1-20181209-1
ii  libnettle6           3.4.1-1+deb10u1
ii  libseccomp2          2.3.3-4
ii  lsb-base             10.2019051400
ii  ucf                  3.0038+nmu1


chrony recommends no packages.

Versions of packages chrony suggests:
ii  bind9-dnsutils [dnsutils]  1:9.16.15-1~bpo10+1
pn  networkd-dispatcher        <none>


-- no debconf information