Devuan logs - #607, boring messages


Message sent to [email protected], [email protected], [email protected]:


X-Loop: [email protected]
Subject: bug#607: chrony: AppArmor profile needed between ISC dhcp client and chrony
Reply-To: Steve Egbert <[email protected]>, [email protected]
Resent-From: Steve Egbert <[email protected]>
Resent-To: [email protected]
Resent-CC: [email protected], [email protected]
X-Loop: [email protected]
Resent-Date: Thu, 02 Sep 2021 18:32:02 +0000
Resent-Message-ID: <[email protected]>
Resent-Sender: [email protected]
X-Devuan-PR-Message: report 607
X-Devuan-PR-Package: chrony
X-Devuan-PR-Keywords: 
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Steve Egbert <[email protected]>
To: Devuan Bug Tracking System <[email protected]>
Message-ID: <[email protected]>
Date: Thu, 02 Sep 2021 11:35:25 -0400

Package: chrony
Version: 3.4-4+deb10u1
Severity: minor
Tags: d-i

Dear Maintainer,


This chronyd daemon configuration-reading 
bug (/etc/chrony/chrony.conf) occurs ONLY when 
using ALL of the following:

   * dhclient (ISC DHCP client)
   * chrony   (Chrony NTP time server)
   * apparmor (Application Armor)

WHAT DID I DO?

I merely installed the following 3 packages:

   apt install isc-dhcp-client chrony apparmor

The NTP server IP address(es) supplied by
a (remote) DHCP server get written
into the /var/lib/dhcp/chrony.server.eth1 file
and are later read by the chronyd daemon at startup.

OUTCOME

AppArmor reported a file permission error
while the chronyd daemon was reading the
/var/lib/dhcp/chrony.server.eth1 file.

WORKAROUND

Adding the following two files into /etc/apparmor.d/local
fixes this problem.

/etc/apparmor.d/local/sbin.dhclient.chronyd

    /var/lib/dhcp/chrony.server.* wrix,

/etc/apparmor.d/local/usr.sbin.chronyd.dhclient

    /var/lib/dhcp/chrony.server.* r,

Then reload AppArmor:

    /etc/init.d/apparmor reload
    ifdown eth1
    ifup eth1
    ip addr list eth1


CONCLUSION

Ideally, two things probably need to happen:

1.  Move (yet NOT append, but kept separate) those local 
    (but inter-package-related) apparmor files out of
    the local subdirectory and into the corresponding main 
    AppArmor config directory found in the
    /etc/apparmor.d/ subdirectory

2.  During Debian post install scripting, some kind of
    dependency logic is required to do both removal and
    addition of those two AppArmor files depending on:

    A.  Both chrony and isc-dhcp-client are installed: install
        these two AppArmor files.

    B.  Only chrony is installed: check if isc-dhcp-client
        package is not installed, then remove the two AppArmor 
        inter-package-specific files.

    C.  Only isc-dhcp-client is installed: check if chrony
        package is not installed, then remove the two
        AppArmor inter-package files.

    D.  If 'apt purge' is used, always purge these two files.


Since chronyd is on the receiving end of this NTP
server IP address information, it would make more sense
to place the isc-dhcp-client/chrony inter-package 
dependency logic inside the chrony package (unless
there is some grander Debian design of handling
AppArmor that I am not aware of).

-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 3 (beowulf)
Release:	3
Codename:	beowulf
Architecture: x86_64

Kernel: Linux 5.10.46d1-no-mod-minfs (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages chrony depends on:
ii  adduser              3.118
ii  init-system-helpers  1.56+nmu1+devuan3
ii  iproute2             4.20.0-2+deb10u1
ii  libc6                2.28-10
ii  libcap2              1:2.25-2
ii  libedit2             3.1-20181209-1
ii  libnettle6           3.4.1-1+deb10u1
ii  libseccomp2          2.3.3-4
ii  lsb-base             10.2019051400
ii  ucf                  3.0038+nmu1

chrony recommends no packages.

Versions of packages chrony suggests:
ii  bind9-dnsutils [dnsutils]  1:9.16.15-1~bpo10+1
pn  networkd-dispatcher        <none>

-- no debconf information
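
The install/remove cases A through D proposed in the report above, sketched as maintainer-script logic. This is an added example, not code from the chrony or isc-dhcp-client packages: the function names, the `INSTALLED_OVERRIDE` hook and the ROOT argument are assumptions made so it can run offline, while the two file names and rule lines are the reporter's.

```shell
#!/bin/sh
# Added example (not from the chrony or isc-dhcp-client packaging).
# Implements cases A-D from the bug report: the two inter-package
# AppArmor snippets exist only while BOTH packages are installed.

# Rule lines exactly as given in the report.
RULE_DHCLIENT='/var/lib/dhcp/chrony.server.* wrix,'
RULE_CHRONYD='/var/lib/dhcp/chrony.server.* r,'

# pkg_installed PKG
# True when dpkg reports the package as fully installed.
# INSTALLED_OVERRIDE is a hypothetical hook: when set, it is a
# space-separated list of package names used instead of querying dpkg,
# so the logic can be exercised on a machine without these packages.
pkg_installed() {
    if [ "${INSTALLED_OVERRIDE+set}" = set ]; then
        case " $INSTALLED_OVERRIDE " in
            *" $1 "*) return 0 ;;
            *)        return 1 ;;
        esac
    fi
    [ "$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null)" = "install ok installed" ]
}

# decide_action MAINT_ACTION
# MAINT_ACTION is the first argument dpkg passes to a maintainer script
# (for example "configure", "remove" or "purge").
# Prints "install" or "remove".
decide_action() {
    case "$1" in
        purge)
            # Case D: a purge always removes both files.
            echo remove
            return
            ;;
    esac
    if pkg_installed chrony && pkg_installed isc-dhcp-client; then
        echo install    # Case A: both packages present.
    else
        echo remove     # Cases B and C: one of the two is missing.
    fi
}

# sync_rules ROOT MAINT_ACTION
# Creates or deletes the two snippets under ROOT/etc/apparmor.d/local
# and prints the action taken. ROOT is "" on a real system; a scratch
# directory can be passed to try the logic without touching /etc.
sync_rules() {
    dir="$1/etc/apparmor.d/local"
    f_dhclient="$dir/sbin.dhclient.chronyd"
    f_chronyd="$dir/usr.sbin.chronyd.dhclient"
    action=$(decide_action "$2")
    if [ "$action" = install ]; then
        mkdir -p "$dir"
        printf '%s\n' "$RULE_DHCLIENT" > "$f_dhclient"
        printf '%s\n' "$RULE_CHRONYD"  > "$f_chronyd"
    else
        rm -f "$f_dhclient" "$f_chronyd"
    fi
    echo "$action"
}

# Stand-alone use: print the decision for one maintainer-script action,
# e.g.  sh this-script configure
if [ $# -gt 0 ]; then
    decide_action "$1"
fi
```

Because the outcome depends on a second package, a real package would also have to re-run this logic when the other package is installed or removed; the sketch covers only the decision and the file handling.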

Message sent:


Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
Content-Type: text/plain; charset=utf-8
X-Loop: [email protected]
From: "Devuan bug Tracking System" <[email protected]>
To: Steve Egbert <[email protected]>
Subject: bug#607: Acknowledgement (chrony: AppArmor profile needed between
 ISC dhcp client and chrony)
Message-ID: <[email protected]>
References: <[email protected]>
X-Devuan-PR-Message: ack 607
X-Devuan-PR-Package: chrony
Reply-To: [email protected]
Date: Thu, 02 Sep 2021 18:32:06 +0000

Thank you for filing a new bug report with Devuan.

You can follow progress on this bug here: 607: https://bugs.devuan.org/cgi/bugreport.cgi?bug=607.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

As you requested using X-Debbugs-CC, your message was also forwarded to
  [email protected]
(after having been given a bug report number, if it did not have one).

Your message has been sent to the package maintainer(s):
 [email protected]

If you wish to submit further information on this problem, please
send it to [email protected].

Please do not send mail to [email protected] unless you wish
to report a problem with the Bug-tracking system.

-- 
607: https://bugs.devuan.org/cgi/bugreport.cgi?bug=607
Devuan Bug Tracking System
Contact [email protected] with problems

Message sent to [email protected], [email protected]:


X-Loop: [email protected]
Subject: bug#607: chrony: AppArmor profile needed between ISC dhcp client and chrony
Reply-To: Mark Hindley <[email protected]>, [email protected]
Resent-From: Mark Hindley <[email protected]>
Resent-To: [email protected]
Resent-CC: [email protected]
X-Loop: [email protected]
Resent-Date: Fri, 03 Sep 2021 09:12:02 +0000
Resent-Message-ID: <[email protected]>
Resent-Sender: [email protected]
X-Devuan-PR-Message: followup 607
X-Devuan-PR-Package: chrony
X-Devuan-PR-Keywords: 
References: <[email protected]> <[email protected]>
Date: Fri, 3 Sep 2021 10:08:36 +0100
From: Mark Hindley <[email protected]>
To: Steve Egbert <[email protected]>, [email protected]
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[email protected]>

Control: tags -1 debian

Steve,

Thanks for this.

On Thu, Sep 02, 2021 at 11:35:25AM -0400, Steve Egbert wrote:
> Package: chrony
> Version: 3.4-4+deb10u1
> Severity: minor
> Tags: d-i

Neither chrony nor isc-dhcp-client are forked packages and Devuan uses Debian's
packages directly without recompilation. Please report this issue to Debian's
BTS to be addressed.

Many thanks.

Mark

Message sent:


MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: [email protected]
From: "Devuan bug Tracking System" <[email protected]>
To: Mark Hindley <[email protected]>
Subject: bug#607: marked as done (chrony: AppArmor profile needed between
 ISC dhcp client and chrony)
Message-ID: <[email protected]>
References: <[email protected]>
 <[email protected]>
X-Devuan-PR-Message: closed 607
X-Devuan-PR-Package: chrony
X-Devuan-PR-Keywords: debian
Reply-To: [email protected]
Date: Wed, 15 Feb 2023 16:08:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1676477282-24141-0"

This is a multi-part message in MIME format...

------------=_1676477282-24141-0
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Your message dated Wed, 15 Feb 2023 16:05:37 +0000
with message-id <[email protected]>
and subject line Re: bug#607: chrony: AppArmor profile needed between ISC dhcp client and chrony
has caused the Devuan bug report #607,
regarding chrony: AppArmor profile needed between ISC dhcp client and chrony
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
607: https://bugs.devuan.org/cgi/bugreport.cgi?bug=607
Devuan Bug Tracking System
Contact [email protected] with problems

------------=_1676477282-24141-0
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Date: Wed, 15 Feb 2023 16:05:37 +0000
From: Mark Hindley <[email protected]>
To: Steve Egbert <[email protected]>, [email protected]
Subject: Re: bug#607: chrony: AppArmor profile needed between ISC dhcp client
 and chrony
Message-ID: <[email protected]>
References: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[email protected]>
X-Debbugs-No-Ack: No Thanks

Version: 4.0~pre4-1

Chrony now saves NTP servers configured over DHCP to /run/chrony-dhcp/$interface.sources.
I believe that resolves this issue.

Closing.

Mark
------------=_1676477282-24141-0--

Message sent:


MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: [email protected]
From: "Devuan bug Tracking System" <[email protected]>
To: Steve Egbert <[email protected]>
Subject: bug#607 closed by Mark Hindley <[email protected]> (Re:
 bug#607: chrony: AppArmor profile needed between ISC dhcp client and
 chrony)
Message-ID: <[email protected]>
References: <[email protected]>
 <[email protected]>
X-Devuan-PR-Message: they-closed 607
X-Devuan-PR-Package: chrony
X-Devuan-PR-Keywords: debian
Reply-To: [email protected]
Date: Wed, 15 Feb 2023 16:08:03 +0000
Content-Type: multipart/mixed; boundary="----------=_1676477283-24141-1"

This is a multi-part message in MIME format...

------------=_1676477283-24141-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

This is an automatic notification regarding your bug report
which was filed against the chrony package:

#607: chrony: AppArmor profile needed between ISC dhcp client and chrony

It has been closed by Mark Hindley <[email protected]>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mark Hindley <mark@hindley.org.uk> by
replying to this email.


-- 
607: https://bugs.devuan.org/cgi/bugreport.cgi?bug=607
Devuan Bug Tracking System
Contact [email protected] with problems

------------=_1676477283-24141-1--

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.

Devuan Bugs Owner <[email protected]>.
Last modified: Sun, 1 Dec 2024 00:39:02 UTC