[Bug 1205875] [NEW] apparmor.d profile for usr.sbin.ntpd -- access to samba gencache and capability block_suspend

J G Miller miller at yoyo.ORG
Sun Jul 28 16:33:30 UTC 2013


Public bug reported:

PRETTY_NAME="Ubuntu quantal (12.10)"
VERSION="12.10, Quantal Quetzal"

Package: ntp
Priority: optional
Section: net
Installed-Size: 1384
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Architecture: i386
Version: 1:4.2.6.p3+dfsg-1ubuntu5

In the system auth log files and dmesg the following apparmor messages
are seen --

type=1400 audit(1375004313.012:40): apparmor="DENIED" operation="open"
parent=1 profile="/usr/sbin/ntpd" name="/run/samba/gencache.tdb"
pid=2540 comm="ntpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0

type=1400 audit(1375004313.016:41): apparmor="DENIED"
operation="capable" parent=1 profile="/usr/sbin/ntpd" pid=2540
comm="ntpd" pid=2540 comm="ntpd" capability=36  capname="block_suspend"

type=1400 audit(1375004322.652:42): apparmor="DENIED"
operation="capable" parent=1 profile="/usr/sbin/ntpd" pid=2540
comm="ntpd" pid=2540 comm="ntpd" capability=36  capname="block_suspend"


Does ntpd really need WRITE privileges on /run/samba/gencache.tdb? Should not READ be sufficient?

Also why does ntpd need block_suspend capability?

At a minimum read access to the gencache should be enabled for ntp in
its profile, and probably read+write in the samba profile which is also
missing for usr.sbin.smbd in the samba 2:3.6.6-3ubuntu5 package.

** Affects: ntp (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1205875

Title:
  apparmor.d profile for usr.sbin.ntpd -- access to samba gencache and
  capability block_suspend

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1205875/+subscriptions
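The audit lines quoted in the report are the raw input an administrator works from when deciding what a confining profile is missing. The script below is an added example, not part of the bug report or of the ntp or apparmor packages: it parses AppArmor "DENIED" records of the form shown above (key=value pairs after the audit prefix, as written to dmesg or auth.log), translates each denial into the profile rule that would satisfy it, and counts how many denials each rule would resolve per profile. The sample input is the three lines from the report, each rejoined onto one line as the kernel emits them. The mapping of denied_mask letters to profile permissions (create and delete both fall under write) follows the AppArmor profile syntax; exec permission is left unexpanded because an exec rule needs a qualifier that must be chosen by hand.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the three denials quoted in the bug report, each
# rejoined onto a single line as the kernel emits them.
SAMPLE_LOG = """\
type=1400 audit(1375004313.012:40): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/ntpd" name="/run/samba/gencache.tdb" pid=2540 comm="ntpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=1400 audit(1375004313.016:41): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/ntpd" pid=2540 comm="ntpd" pid=2540 comm="ntpd" capability=36  capname="block_suspend"
type=1400 audit(1375004322.652:42): apparmor="DENIED" operation="capable" parent=1 profile="/usr/sbin/ntpd" pid=2540 comm="ntpd" pid=2540 comm="ntpd" capability=36  capname="block_suspend"
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or a bare token.
# The leading "type=1400 audit(...):" prefix contributes only the harmless "type" key.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# AppArmor logs "c" (create) and "d" (delete) as separate mask bits, but in
# profile syntax both are covered by write permission. "x" is deliberately not
# expanded: an exec rule needs a qualifier (ix/Px/Ux) that a human must choose.
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "a",
                "m": "m", "k": "k", "l": "l", "x": "x"}
PERM_ORDER = "rwamklx"


def parse_audit(text):
    """Return one dict of fields per AppArmor DENIED line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records


def mask_to_perms(mask):
    """Translate a denied_mask such as "wc" into profile permission letters ("w")."""
    wanted = {MASK_TO_PERM.get(ch, ch) for ch in mask}
    return "".join(p for p in PERM_ORDER if p in wanted)


def rule_for(record):
    """Build the profile line that would satisfy one denial, or None if the record is unrecognised."""
    if record.get("operation") == "capable" and "capname" in record:
        return f'capability {record["capname"]},'
    if "name" in record and "denied_mask" in record:
        return f'{record["name"]} {mask_to_perms(record["denied_mask"])},'
    return None


def suggest_rules(records):
    """Map each profile to the rules it lacks and how many logged denials each rule would resolve."""
    per_profile = defaultdict(Counter)
    for record in records:
        rule = rule_for(record)
        if rule is not None:
            per_profile[record["profile"]][rule] += 1
    return {profile: dict(counts) for profile, counts in per_profile.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(parse_audit(SAMPLE_LOG)).items():
        print(f"# {profile}")
        for rule, count in sorted(rules.items()):
            print(f"  {rule:45}  # resolves {count} denial(s)")
```

For the sample input this yields, under the /usr/sbin/ntpd profile, "/run/samba/gencache.tdb w," (one denial) and "capability block_suspend," (two denials). The output is what the log strictly requires, not a recommendation: whether write access to the gencache or the block_suspend capability is actually justified is the question the report raises, and a rule should only be added once the need is understood.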
