[apparmor] [patch] Allow ntpd to read directory listings of $PATH
Christian Boltz
apparmor at cboltz.de
Tue Aug 25 12:16:14 UTC 2015
Hello,
for some (unclear) reason, ntpd reads the directory listings of
directories in $PATH (/bin/, /sbin, /usr/bin, ...).
Note that I have no idea why it does that - insights welcome ;-)
Also, ntpd seems to work without those permissions, so we might want
to change the added rule to "deny".
[ profiles-ntpd-path-dirlist.diff ]
=== modified file 'profiles/apparmor.d/usr.sbin.ntpd'
--- profiles/apparmor.d/usr.sbin.ntpd 2015-05-18 23:20:49 +0000
+++ profiles/apparmor.d/usr.sbin.ntpd 2015-08-25 12:02:18 +0000
@@ -37,6 +37,7 @@
/etc/ntpd.conf.tmp r,
/tmp/ntp* rwl,
+ /{usr/,usr/local/,}{s,}bin/ r,
/usr/sbin/ntpd rmix,
/var/lib/ntp/drift rwl,
/var/lib/ntp/drift.TEMP rwl,
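Review bot: The added rule `/{usr/,usr/local/,}{s,}bin/ r,` grants read access to the listings of six bin and sbin directories with no comment saying why, while the cover message states that the reason for the access is unknown and that ntpd appears to work without it. On that basis an explicit `deny /{usr/,usr/local/,}{s,}bin/ r,` would keep the profile as narrow as before and still silence the logged denials. If the allow form is kept, put a one-line comment above the rule noting that ntpd lists the directories in $PATH, so the rule is not mistaken for a requirement later.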
Regards,
Christian Boltz
--
> Be aware that a s390x / and most ppc64 are not a smart phones
> nor net books.
They just don't fit into the pocket. :)
[> Dr. Werner Fink and Kay Sievers in opensuse-factory]