Bug#1007747: bullseye-pu: package chrony/4.0-8+deb11u2



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
The AppArmor profile for chronyd does not include a rule to read the chronyd
configuration file generated by the timemaster program.

[ Impact ]
Without the proposed fix, users must override the AppArmor profile (or at worst
set the profile to complain mode) to flawlessly use chronyd with timemaster.

[ Tests ]
I checked that AppArmor no longer sends 'denied' log entries as seen in
#1004745 when using chronyd with timemaster.

[ Risks ]
Low. An equivalent fix has been sitting in testing/unstable for over a month
now without any regression so far.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Adding a rule in the AppArmor profile to allow chronyd to read the
configuration file /run/timemaster/chrony.conf

Cheers,
Vincent

diff -Nru chrony-4.0/debian/changelog chrony-4.0/debian/changelog
--- chrony-4.0/debian/changelog	2021-10-19 22:02:40.000000000 +0200
+++ chrony-4.0/debian/changelog	2022-03-14 22:17:25.000000000 +0100
@@ -1,3 +1,11 @@
+chrony (4.0-8+deb11u2) bullseye; urgency=medium
+
+  * debian/usr.sbin.chronyd:
+    - Allow reading the chronyd configuration file that timemaster(8)
+    generates. Thanks to Michael Lestinsky for the report! (Closes: #1004745)
+
+ -- Vincent Blut <vincent.debian@free.fr>  Mon, 14 Mar 2022 22:17:25 +0100
+
 chrony (4.0-8+deb11u1) bullseye; urgency=medium
 
   * debian/patches/:
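Review bot: The new 4.0-8+deb11u2 entry does not name the path being allowed; "the chronyd configuration file that timemaster(8) generates" would be easier to audit later if it spelled out the path the profile rule grants, @{run}/timemaster/chrony.conf. The continuation line "generates. Thanks to ..." is also indented to the dash rather than under the item text, so consider aligning it with "Allow".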
diff -Nru chrony-4.0/debian/usr.sbin.chronyd chrony-4.0/debian/usr.sbin.chronyd
--- chrony-4.0/debian/usr.sbin.chronyd	2021-10-19 22:02:40.000000000 +0200
+++ chrony-4.0/debian/usr.sbin.chronyd	2022-03-14 22:17:25.000000000 +0100
@@ -67,6 +67,9 @@
   /dev/pps[0-9]* rw,
   /dev/ptp[0-9]* rw,
 
+  # Allow reading the chronyd configuration file that timemaster(8) generates
+  @{run}/timemaster/chrony.conf r,
+
   # For use with clocks that report via shared memory (e.g. gpsd),
   # you may need to give ntpd access to all of shared memory, though
   # this can be considered dangerous. See https://launchpad.net/bugs/722815
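Review bot: The added rule relies on the @{run} variable while the neighbouring /dev/pps[0-9]* and /dev/ptp[0-9]* rules use literal paths, so confirm that the profile includes tunables/global (not visible in this hunk), since the parser cannot expand the variable without it. The grant itself is read-only on a single file, which matches the change described in the request. Separately, the unchanged comment just below still says "give ntpd access" in a chronyd profile; that is worth correcting in a follow-up.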

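A way to repeat the check described under [ Tests ], as an added example that is not part of the original message or of the chrony packaging: it scans kernel audit lines for AppArmor denials against the chronyd profile and reports whether the timemaster configuration path still appears. The profile name /usr/sbin/chronyd is an assumption derived from the profile's file name, and the log lines are constructed samples, not the entries from #1004745.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (illustrative, not taken from #1004745).
SAMPLE_LOG = """\
Mar 14 22:01:07 host kernel: audit: type=1400 audit(1647291667.101:52): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/run/timemaster/chrony.conf" pid=811 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 14 22:01:09 host kernel: audit: type=1400 audit(1647291669.440:53): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/chronyd" pid=902 comm="apparmor_parser"
Mar 14 22:03:31 host kernel: audit: type=1400 audit(1647291811.007:54): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/foo" pid=950 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value, as used in AppArmor audit records.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD.findall(line)}


def chronyd_denials(log_text, profile="/usr/sbin/chronyd"):
    """Count DENIED events for `profile`, keyed by (path, denied_mask).

    The default profile name is an assumption; pass the name that
    aa-status shows on the system being checked.
    """
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if fields.get("apparmor") == "DENIED" and fields.get("profile") == profile:
            hits[(fields.get("name", "?"), fields.get("denied_mask", "?"))] += 1
    return hits


def fix_verified(log_text, path="/run/timemaster/chrony.conf"):
    """True when no chronyd denial for `path` remains in the log text."""
    return not any(name == path for name, _ in chronyd_denials(log_text))


if __name__ == "__main__":
    for (name, mask), count in chronyd_denials(SAMPLE_LOG).items():
        print(f"{count}x denied_mask={mask} {name}")
    print("fix verified:", fix_verified(SAMPLE_LOG))
```

Feed it the kernel log captured after restarting timemaster with the updated profile loaded; any remaining entries show which other paths the profile still blocks.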