[apparmor] AppArmor and ntpd

Martin Burnicki martin.burnicki at meinberg.de
Mon Dec 6 16:29:50 GMT 2010


Jamie Strandboge wrote:
> On Fri, 2010-12-03 at 13:23 +0100, Martin Burnicki wrote:
>>Hi all,
>>
>>I've just subscribed to the list because of a bug report on openSUSE's
>>bugzilla:
>>https://bugzilla.novell.com/show_bug.cgi?id=230700
>>
>>I'd just like to bring to your mind (or remind you) that an NTP daemon
>>running as stratum-1 time server usually needs to access a hardware
>>device it uses as reference time source. If a refclock is connected via
>>a serial port then the device node can be something like /dev/ttyS*, but
>>there are also PCI cards which come with their own driver providing special
>>device nodes to let ntpd read the ref time directly from the PCI card.
>>
>>For example, the PCI cards manufactured by the company I'm working for
>>come with a driver which implements device nodes /dev/mbgclock*.
>>
>>So it would be great if the names of such devices could easily be
>>specified in an AppArmor profile for ntpd. AFAIK this is the case in the
>>current implementation, but as said above, I just wanted to be sure this
>>is kept in mind ... ;-)
> 
> This sounds like a possible deficiency in the profile on OpenSUSE. The
> AppArmor profile in trunk has:
> #include <tunables/ntpd>
> /usr/sbin/ntpd {
> ...
>   @{NTPD_DEVICE} rw,
> ...
> 
> This allows you to use /etc/apparmor.d/tunables/ntpd to adjust to the
> device of your choosing.

Thanks, I've already seen this in openSUSE's bugzilla. As said, just
wanted to be sure it's kept in mind that there are other devices than
ttyS* as well ...

Martin
-- 
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
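
An added example, not part of the original message or of the AppArmor project's code: a small Python check that reads the values assigned to @{NTPD_DEVICE} in a tunables file and reports which refclock device nodes the profile rule `@{NTPD_DEVICE} rw,` would not cover. The sample tunables content and the function names are constructed for illustration, and only the `*`, `**` and `?` globs are translated (character classes and `{a,b}` alternation are not handled).

```python
import re

# Constructed sample of /etc/apparmor.d/tunables/ntpd (not the shipped file).
SAMPLE_TUNABLE = """\
# refclock device nodes ntpd may open
@{NTPD_DEVICE}=/dev/ttyS0
@{NTPD_DEVICE}+="/dev/mbgclock*"
"""


def parse_tunable(text, name="NTPD_DEVICE"):
    """Collect the values given to @{name}; '=' assigns, '+=' appends."""
    values = []
    for line in text.splitlines():
        m = re.match(r'@\{(\w+)\}\s*(\+?=)\s*(.*)$', line.strip())
        if not m or m.group(1) != name:
            continue
        items = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', m.group(3))]
        values = values + items if m.group(2) == "+=" else items
    return values


def glob_to_regex(glob):
    """Translate AppArmor globs: '*' and '?' stop at '/', '**' crosses it."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))


def covered(path, patterns):
    """True if any pattern matches the whole device path."""
    return any(glob_to_regex(p).fullmatch(path) for p in patterns)


def uncovered_devices(tunable_text, devices):
    """Return the device paths that no @{NTPD_DEVICE} value matches."""
    patterns = parse_tunable(tunable_text)
    return [d for d in devices if not covered(d, patterns)]
```

Listing only the device nodes the refclock actually uses, rather than a broad pattern such as /dev/**, keeps the ntpd profile's device access narrow.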


