Bug#1007745: buster-pu: package chrony/3.4-4+deb10u2
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
[ Reason ]
The AppArmor profile for chronyd does not include a rule to read the chronyd
configuration file generated by the timemaster program.
[ Impact ]
Without the proposed fix, users must override the AppArmor profile (or at worst
set the profile to complain mode) to flawlessly use chronyd with timemaster.
[ Tests ]
I checked that AppArmor no longer sends 'denied' log entries as seen in
#1004745 when using chronyd with timemaster.
[ Risks ]
Low. An equivalent fix has been sitting in testing/unstable for over a month now
without any regression so far.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Adding a rule in the AppArmor profile to allow chronyd to read the
configuration file /run/timemaster/chrony.conf
Cheers,
Vincent
diff -Nru chrony-3.4/debian/changelog chrony-3.4/debian/changelog
--- chrony-3.4/debian/changelog 2020-09-16 13:44:04.000000000 +0200
+++ chrony-3.4/debian/changelog 2022-03-15 13:45:14.000000000 +0100
@@ -1,3 +1,11 @@
+chrony (3.4-4+deb10u2) buster; urgency=medium
+
+ * debian/usr.sbin.chronyd:
+ - Allow reading the chronyd configuration file that timemaster(8)
+ generates. Thanks to Michael Lestinsky for the report! (Closes: #1004745)
+
+ -- Vincent Blut <vincent.debian@free.fr> Tue, 15 Mar 2022 13:45:14 +0100
+
chrony (3.4-4+deb10u1) buster; urgency=medium
* debian/patches/:
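Review bot: the new entry under debian/usr.sbin.chronyd refers only to "the chronyd configuration file that timemaster(8) generates" and never names the path or the access mode. Consider stating the path the profile rule permits and that the access is read-only, so the changelog can be checked against the profile change without opening the profile itself.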
diff -Nru chrony-3.4/debian/usr.sbin.chronyd chrony-3.4/debian/usr.sbin.chronyd
--- chrony-3.4/debian/usr.sbin.chronyd 2020-09-16 13:44:04.000000000 +0200
+++ chrony-3.4/debian/usr.sbin.chronyd 2022-03-15 13:45:14.000000000 +0100
@@ -50,6 +50,9 @@
/dev/pps[0-9]* rw,
/dev/ptp[0-9]* rw,
+ # Allow reading the chronyd configuration file that timemaster(8) generates
+ /{,var/}run/timemaster/chrony.conf r,
+
# For use with clocks that report via shared memory (e.g. gpsd),
# you may need to give ntpd access to all of shared memory, though
# this can be considered dangerous. See https://launchpad.net/bugs/722815
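Review bot: the added rule `/{,var/}run/timemaster/chrony.conf r,` matches the file under both /run and /var/run, but the comment line above it does not say so; extend the comment to note that both locations are covered on purpose. The grant itself is appropriately narrow (read-only, one exact file name, no glob over the timemaster directory) and should stay that way rather than being widened to the whole directory.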