Ubuntu – Leapseconds file: Permission denied

ntp, permissions

My server log has several entries like this:

leapseconds file /etc/ntp.leapseconds: Permission denied
[1195225.016830] type=1400 audit(1420833186.419:25): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.leapseconds" pid=28627 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I have been trying to set up the leapseconds file (obviously), yet ntp is giving me these errors on service restart. File permissions on ntp.leapseconds are sufficient (644, I have tried giving full permissions as well). I'm on Ubuntu 14.04.

Any idea why this is happening and how I can fix this?

Best Answer

I have no idea whether NTP should or should not access the file /etc/ntp.leapseconds. However, I can tell you why you are getting the problem.

The LSM AppArmor is denying the read.

If you believe that NTP should have access to that file, the correct solution would be to update the AppArmor profile for ntp.

sudo vim /etc/apparmor.d/usr.sbin.ntpd

Add a line that permits read access to the file in question, e.g.:

/etc/ntp.leapseconds r,

Save your file, then reload the NTP profile:

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd

Why is this happening?

NTP has listening network sockets and has pretty predictable behaviour, so usually Ubuntu will ship an AppArmor profile for it and turn it on by default.

AppArmor is an LSM (Linux Security Module). It's an extra layer of security called MAC (Mandatory Access Control), and it's a way of telling an application what it can and cannot access via policy. It has the last say on access permissions, and even if you chmod 777 a file, if the policy says you are not permitted to access the file, the kernel will deny access.

You can start learning here
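The following is an added example, not part of the original answer: a small Python script that reads kernel audit lines like the one in the question, keeps only AppArmor denials, and turns plain read/write denials into candidate profile rules for review. The function names, the sample log (only its first line comes from the question), and the profile-to-file mapping under /etc/apparmor.d are assumptions; the mapping follows the naming seen in the answer.

```python
import re
from collections import defaultdict

# Constructed sample input: the first line is the denial quoted in the question,
# the remaining lines are made up for illustration.
SAMPLE_LOG = '''\
[1195225.016830] type=1400 audit(1420833186.419:25): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.leapseconds" pid=28627 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[1195230.000000] type=1400 audit(1420833191.000:26): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.leapseconds" pid=28627 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[1195231.000000] type=1400 audit(1420833192.000:27): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=28627 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[1195232.000000] type=1400 audit(1420833193.000:28): apparmor="DENIED" operation="exec" profile="/usr/sbin/ntpd" name="/bin/dash" pid=28627 comm="ntpd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
'''

# key="quoted value" or key=bare_value, as seen in the audit line above.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Path characters that need quoting or act as globs in a profile: review by hand.
UNSAFE = re.compile(r'[\s*?\[\]{}"]')


def parse_fields(line):
    """Return the key/value pairs of one audit line as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def profile_path(profile):
    """Assumed convention: /usr/sbin/ntpd -> /etc/apparmor.d/usr.sbin.ntpd."""
    return "/etc/apparmor.d/" + profile.strip("/").replace("/", ".")


def suggest_rules(log_text):
    """Group denials per profile file; return (candidate rules, manual-review list)."""
    rules, manual = defaultdict(set), []
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or not {"profile", "name"} <= f.keys():
            continue
        mask = f.get("denied_mask", "")
        # Only plain read/write denials become rules; exec and the rest
        # are policy decisions that should not be generated automatically.
        if mask and set(mask) <= set("rw") and not UNSAFE.search(f["name"]):
            rules[profile_path(f["profile"])].add(f'{f["name"]} {mask},')
        else:
            manual.append((f["profile"], f["name"], mask))
    return {p: sorted(r) for p, r in rules.items()}, manual


if __name__ == "__main__":
    candidate, review = suggest_rules(SAMPLE_LOG)
    for path, lines in candidate.items():
        print(path, *lines, sep="\n  ")
    print("manual review:", review)
```

Each suggested line still has to be judged before it goes into the profile, and the profile reloaded with apparmor_parser -r as in the answer.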

