Date: Wed, 15 Feb 2023 16:05:37 +0000
From: Mark Hindley <[email protected]>
To: Steve Egbert <[email protected]>, [email protected]
Subject: Re: bug#607: chrony: AppArmor profile needed between ISC dhcp client and chrony

Version: 4.0~pre4-1

Chrony now saves NTP servers configured over DHCP to /run/chrony-dhcp/$interface.sources.
I believe that resolves this issue.

Closing.

Mark

Date: Fri, 3 Sep 2021 10:08:36 +0100
From: Mark Hindley <[email protected]>
To: Steve Egbert <[email protected]>, [email protected]
Subject: Re: bug#607: chrony: AppArmor profile needed between ISC dhcp client and chrony

Control: tags -1 debian

Steve,

Thanks for this.

On Thu, Sep 02, 2021 at 11:35:25AM -0400, Steve Egbert wrote:
> Package: chrony
> Version: 3.4-4+deb10u1
> Severity: minor
> Tags: d-i

Neither chrony nor isc-dhcp-client are forked packages and Devuan uses Debian's packages directly without recompilation.

Please report this issue to Debian's BTS to be addressed.

Many thanks.

Mark

Date: Thu, 02 Sep 2021 11:35:25 -0400
From: Steve Egbert <[email protected]>
To: Devuan Bug Tracking System <[email protected]>
Subject: chrony: AppArmor profile needed between ISC dhcp client and chrony

Package: chrony
Version: 3.4-4+deb10u1
Severity: minor
Tags: d-i

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or ineffective)?
   * What was the outcome of this action?
   * What outcome did you expect instead?

*** End of the template - remove these template lines ***

This chronyd daemon configuration-reading bug (/etc/chrony/chrony.conf) occurs ONLY when using ALL of the following:

   * dhclient (ISC DHCP client)
   * chrony (Chrony NTP time server)
   * apparmor (Application Armor)

WHAT DID I DO?

I merely installed the following 3 packages:

    apt install isc-dhcp-client chrony apparmor

The NTP server IP address(es) supplied by a (remote) DHCP server get written into the /var/lib/dhcp/chrony.server.eth1 file and later read by the chronyd daemon at startup.

OUTCOME

AppArmor reported a file permission error while the chronyd daemon was reading the /var/lib/dhcp/chrony.server.eth1 file.

WORKAROUND

Adding the following two files into /etc/apparmor.d/local fixes this problem.

/etc/apparmor.d/local/sbin.dhclient.chronyd

    /var/lib/dhcp/chrony.server.* wrix,

/etc/apparmor.d/local/usr.sbin.chronyd.dhclient

    /var/lib/dhcp/chrony.server.* r,

then reload AppArmor:

    /etc/init.d/apparmor reload
    ifdown eth1
    ifup eth1
    ip addr list eth1

CONCLUSION

Ideally, two things probably need to happen:

1. Move (yet NOT append, but keep separate) those local (but inter-package-related) AppArmor files out of the local subdirectory and into the corresponding main AppArmor config directory found in the /etc/apparmor.d/ subdirectory.

2. During Debian post-install scripting, some kind of dependency logic is required to do both removal and addition of those two AppArmor files depending on:

   A. Both chrony and isc-dhcp-client are installed: install these two AppArmor files.
   B. Only chrony is installed: check if the isc-dhcp-client package is not installed, then remove the two AppArmor inter-package-specific files.
   C. Only isc-dhcp-client is installed: check if the chrony package is not installed, then remove the two AppArmor inter-package files.
   D. If 'apt purge' is used, always purge these two files.

Since chronyd is on the receiving end of this NTP server IP address information, it would make more sense to place the isc-dhcp-client/chrony inter-package dependency logic inside the chrony package (unless there is some grander Debian design of handling AppArmor that I am not aware of).

-- System Information:
Distributor ID: Devuan
Description: Devuan GNU/Linux 3 (beowulf)
Release: 3
Codename: beowulf
Architecture: x86_64

Kernel: Linux 5.10.46d1-no-mod-minfs (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages chrony depends on:
ii  adduser              3.118
ii  init-system-helpers  1.56+nmu1+devuan3
ii  iproute2             4.20.0-2+deb10u1
ii  libc6                2.28-10
ii  libcap2              1:2.25-2
ii  libedit2             3.1-20181209-1
ii  libnettle6           3.4.1-1+deb10u1
ii  libseccomp2          2.3.3-4
ii  lsb-base             10.2019051400
ii  ucf                  3.0038+nmu1

chrony recommends no packages.

Versions of packages chrony suggests:
ii  bind9-dnsutils [dnsutils]  1:9.16.15-1~bpo10+1
pn  networkd-dispatcher        <none>

-- no debconf information

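The denial described under OUTCOME in the report above can be confirmed from the kernel log before any local rule is written. As an added example (not part of the bug report or of either package), this script pulls each denied profile/path pair out of AppArmor audit records and prints it as a candidate rule line. The log lines are constructed samples, and the profile name /usr/sbin/chronyd is an assumption taken from the local file name used in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): list AppArmor denials as candidate rules.

# Constructed sample records in the kernel audit format (type=1400).
sample_log() {
cat <<'EOF'
Sep  2 11:29:58 host kernel: [   41.020] audit: type=1400 audit(1630596598.020:30): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/chronyd" pid=790 comm="apparmor_parser"
Sep  2 11:30:01 host kernel: [   42.100] audit: type=1400 audit(1630596601.100:31): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/var/lib/dhcp/chrony.server.eth1" pid=812 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep  2 11:34:40 host kernel: [  321.500] audit: type=1400 audit(1630596880.500:38): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/var/lib/dhcp/chrony.server.eth1" pid=955 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Sep  2 11:34:41 host kernel: [  322.010] audit: type=1400 audit(1630596881.010:39): apparmor="DENIED" operation="open" profile="/usr/sbin/chronyd" name="/var/lib/dhcp/chrony.server.eth0" pid=955 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Print "profile<TAB>path perms," once per denied (profile, path) pair.
denied_rules() {
    awk '
    # Return the value of a quoted key="value" pair, or "" when absent.
    # Names the kernel hex-encodes (unquoted) are skipped on purpose.
    function field(key,    pat) {
        pat = " " key "=\"[^\"]*\""
        if (!match($0, pat)) return ""
        return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    /apparmor="DENIED"/ {
        p = field("profile"); n = field("name"); m = field("denied_mask")
        if (p == "" || n == "" || m == "") next
        k = p "\t" n
        for (i = 1; i <= length(m); i++) {
            c = substr(m, i, 1)
            # The log reports create (c) and delete (d); a rule expresses both as w.
            if (c == "c" || c == "d") c = "w"
            if (index(masks[k], c) == 0) masks[k] = masks[k] c
        }
    }
    END { for (k in masks) print k " " masks[k] "," }
    ' | LC_ALL=C sort
}

sample_log | denied_rules
```

The output is a starting point for review: each line names the profile that was denied and the narrowest permission the log shows it asking for, which for chronyd in the samples is the same `r` the report grants.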
Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.
Devuan Bugs Owner <[email protected]>.
Last modified:
Sat, 30 Nov 2024 22:39:01 UTC