[apparmor] AppArmor and ntpd

Martin Burnicki martin.burnicki at meinberg.de
Tue Dec 7 08:49:01 GMT 2010


John Johansen wrote:
> On 12/06/2010 08:38 AM, Martin Burnicki wrote:
[...]
>>Maybe it could be better to use /dev/refclock-* as a default. These are
>>usually symlinks used by ntpd's parse driver which point to real
>>/dev/ttyS* devices, if used by ntpd, and even if /dev/mbgclock* is used
>>by ntpd it is accessed via a /dev/refclock-* symlink.
>>
> Well the symlink is actually problematic, in that apparmor's rules and
> mediation are post symlink resolution.

OK. I'm not yet too familiar with the details of how AppArmor works.

> You could add an alias rule, but in this case that is not really any
> better than the variable, as you have to know what the target of the
> symlink is.

Agreed.


Thanks,

Martin
-- 
Martin Burnicki

Meinberg Funkuhren
Bad Pyrmont
Germany
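
The point discussed in this message, as an added example that is not part of the original post or of the AppArmor or ntp projects: since mediation happens after symlink resolution, a profile needs rules for the targets of the /dev/refclock-* links, not for the links themselves. The function name refclock_rules and the default rw permissions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print AppArmor path rules for the *targets* of the
# refclock symlinks. A rule written for /dev/refclock-0 would not match
# an access to the /dev/ttyS0 it points to, because the profile is
# checked against the resolved path.

# refclock_rules [DIR] [PERMS]
#   DIR   directory holding the refclock-* links (default: /dev)
#   PERMS permission string for the emitted rules (assumed default: rw)
# Prints one rule per distinct, existing symlink target.
refclock_rules() {
    dir=${1:-/dev}
    perms=${2:-rw}
    for link in "$dir"/refclock-*; do
        # An unmatched glob stays literal; skip it and any non-symlink.
        [ -L "$link" ] || continue
        # Follow the whole chain, including relative links.
        target=$(readlink -f "$link") || continue
        # A dangling link has no device behind it, so it gets no rule.
        [ -e "$target" ] || continue
        printf '%s %s,\n' "$target" "$perms"
    done | sort -u
}

# Stand-alone use: print the rules for the links on this host.
refclock_rules "${1:-/dev}"
```

The output has to be regenerated whenever a link is repointed, which is the limitation noted above: the target of the symlink must be known when the rule is written.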


