Bugzilla – Bug 1216250
apparmor profile prevents use of NTP statistic files
Last modified: 2023-10-23 12:05:07 UTC
Having "uncommented" the statistic lines about "statsdir /var/log/ntpstats/" in /etc/ntp.conf, I noticed that no statistic files were created. Instead I saw error messages like these:

    15 Oct 23:52:38 ntpd[4098]: can't open /var/log/ntpstats/peerstats.20231015: Permission denied
    15 Oct 23:52:38 ntpd[4098]: can't open /var/log/ntpstats/loopstats.20231015: Permission denied
    16 Oct 00:10:09 ntpd[4098]: can't open /var/log/ntpstats/peerstats.20231015: Permission denied

Eventually I suspected apparmor, and after "aa-complain /usr/sbin/ntpd" statistic files were created!

As it turned out the actual path is chrooted in /var/lib/ntp, like this (from aa-logprof):

    Updating AppArmor profiles in /etc/apparmor.d.
    Reading log entries from /var/log/audit/audit.log.
    Complain-mode changes:

    Profile:  ntpd
    Path:     /var/lib/ntp/var/log/ntpstats/peerstats.20231015
    New Mode: owner w
    Severity: unknown
So far, the profile only allows the non-chrooted paths:

    /var/log/ntpstats/clockstats* lrw,
    /var/log/ntpstats/loopstats* lrw,
    /var/log/ntpstats/peerstats* lrw,

Just to be sure I get everything right (especially the needed permissions), can you please attach your /var/log/audit/audit.log? (grepping for "ntpd" is enough)

That said - the workaround is probably to add these lines to /etc/apparmor.d/local/usr.sbin.ntpd:

    /var/lib/ntp/var/log/ntpstats/clockstats* lrw,
    /var/lib/ntp/var/log/ntpstats/loopstats* lrw,
    /var/lib/ntp/var/log/ntpstats/peerstats* lrw,

Then run "rcapparmor reload".
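
An added example, not part of the bug report or of the shipped ntpd profile: a small triage script that reads AppArmor audit records for the ntpd profile and reports paths that miss the existing rules only because of the /var/lib/ntp chroot prefix. The audit lines are constructed samples, the function names are hypothetical, and the glob handling covers only the `*` used in the rules quoted above.

```python
import re

# Rules quoted in the reply as currently present in the ntpd profile.
PROFILE_RULES = [
    "/var/log/ntpstats/clockstats*",
    "/var/log/ntpstats/loopstats*",
    "/var/log/ntpstats/peerstats*",
]
CHROOT = "/var/lib/ntp"  # chroot directory named in the report

# Constructed sample audit records (pids, uids and timestamps are made up).
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1697406758.101:311): apparmor="ALLOWED" operation="mknod" profile="ntpd" name="/var/lib/ntp/var/log/ntpstats/peerstats.20231015" pid=4098 comm="ntpd" requested_mask="c" denied_mask="c" fsuid=74 ouid=74
type=AVC msg=audit(1697406758.102:312): apparmor="ALLOWED" operation="open" profile="ntpd" name="/var/lib/ntp/var/log/ntpstats/loopstats.20231015" pid=4098 comm="ntpd" requested_mask="wc" denied_mask="wc" fsuid=74 ouid=74
type=AVC msg=audit(1697406759.001:313): apparmor="DENIED" operation="open" profile="ntpd" name="/srv/example/file" pid=4098 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=74 ouid=0
type=AVC msg=audit(1697406760.001:314): apparmor="ALLOWED" operation="open" profile="other" name="/var/lib/ntp/var/log/ntpstats/peerstats.20231015" pid=1 comm="x" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')

def rule_to_regex(rule):
    # Assumption: only '*' is translated; in AppArmor it does not cross '/'.
    return re.compile("^" + re.escape(rule).replace(r"\*", "[^/]*") + "$")

def chroot_mismatches(audit_text, profile="ntpd"):
    """Map each suggested chroot-prefixed rule to the denied masks seen for it."""
    rules = [(r, rule_to_regex(r)) for r in PROFILE_RULES]
    found = {}
    for line in audit_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("profile") != profile:
            continue
        if f.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue
        path = f.get("name", "")
        if any(rx.match(path) for _, rx in rules):
            continue  # already covered by the profile
        if not path.startswith(CHROOT + "/"):
            continue  # unrelated event, needs separate review
        inner = path[len(CHROOT):]  # path as ntpd sees it inside the chroot
        for rule, rx in rules:
            if rx.match(inner):
                found.setdefault(CHROOT + rule, set()).update(f.get("denied_mask", ""))
    return found

if __name__ == "__main__":
    for rule, masks in sorted(chroot_mismatches(SAMPLE_AUDIT).items()):
        print(f"{rule}  observed denied_mask: {''.join(sorted(masks))}")
```

Events outside the chroot prefix are deliberately skipped so that unrelated denials are reviewed on their own rather than folded into the workaround.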