AppArmor denies ntpd access to its own logs

ntpd complains that it cannot access its own logs:

# ntpd -qgddd 
...
11 Sep 16:23:00 ntpd[7262]: can't open /var/log/ntpstats/peerstats.20130911: Permission denied
...
11 Sep 16:23:01 ntpd[7262]: can't open /var/log/ntpstats/peerstats.20130911: Permission denied
...
11 Sep 16:23:01 ntpd[7262]: can't open /var/log/ntpstats/loopstats.20130911: Permission denied

and strace agrees:

open("/var/log/ntpstats/loopstats.20130911", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)

According to syslog, AppArmor blocks it from doing that:

[526597.819210] type=1400 audit(1378909374.692:91): apparmor="DENIED" operation="open" parent=1013 profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=7262 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[526597.819277] type=1400 audit(1378909374.692:92): apparmor="DENIED" operation="open" parent=1013 profile="/usr/sbin/ntpd" name="/usr/local/bin/" pid=7262 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[526597.819330] type=1400 audit(1378909374.692:93): apparmor="DENIED" operation="open" parent=1013 profile="/usr/sbin/ntpd" name="/usr/sbin/" pid=7262 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[526597.819383] type=1400 audit(1378909374.692:94): apparmor="DENIED" operation="open" parent=1013 profile="/usr/sbin/ntpd" name="/usr/bin/" pid=7262 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[526597.819434] type=1400 audit(1378909374.692:95): apparmor="DENIED" operation="open" parent=1013 profile="/usr/sbin/ntpd" name="/sbin/" pid=7262 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[526597.819485] type=1400 audit(1378909374.692:96): apparmor="DENIED" operation="open" parent=1013 profile="/usr/sbin/ntpd" name="/bin/" pid=7262 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[526597.819541] type=1400 audit(1378909374.692:97): apparmor="DENIED" operation="open" parent=1013 profile="/usr/sbin/ntpd" name="/usr/bin/" pid=7262 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

even though it's clearly allowed in ntp's profile:

# less /etc/apparmor.d/usr.sbin.ntpd
...
/var/log/ntpstats/clockstats* rwl,
/var/log/ntpstats/loopstats*  rwl,
/var/log/ntpstats/peerstats*  rwl,
/var/log/ntpstats/rawstats*   rwl,
/var/log/ntpstats/sysstats*   rwl,

So what's going on?

It's an Ubuntu Server 13.04 with 3.8.0-30-generic kernel.


That AppArmor log shows that ntpd tries to access (read) directories like /usr/local/sbin/, /usr/sbin/, etc. It doesn't say anything about ntpd being denied access to /var/log/ntpstats.

Please check regular unix permissions on /var/log/ntpstats and its contents.
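
The triage described in the answer above, as an added example that is not part of the original question or answer: it parses AppArmor audit records and checks whether any denial actually names the file whose open() failed. The function names, the constructed record, and the assumption that a blocked write/create/append appears as `w`, `c` or `a` in `denied_mask` are illustrative.

```python
import re

# Sample input: two of the audit records quoted in the question.
SAMPLE_LOG = """\
[526597.819210] type=1400 audit(1378909374.692:91): apparmor="DENIED" operation="open" parent=1013 profile="/usr/sbin/ntpd" name="/usr/local/sbin/" pid=7262 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[526597.819485] type=1400 audit(1378909374.692:96): apparmor="DENIED" operation="open" parent=1013 profile="/usr/sbin/ntpd" name="/bin/" pid=7262 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""
# Constructed record (not from the page): a denial on the stats file itself.
CONSTRUCTED_HIT = '[0.000000] type=1400 audit(0.000:1): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/var/log/ntpstats/loopstats.20130911" pid=1 comm="ntpd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0\n'
# Path that strace reported as EACCES in the question.
FAILED_PATH = "/var/log/ntpstats/loopstats.20130911"

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(log_text):
    """Return one dict of fields per apparmor="DENIED" record."""
    records = []
    for line in log_text.splitlines():
        fields = {k: (q or b) for k, q, b in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records

def denied_names(denials):
    """Paths AppArmor actually refused, de-duplicated and sorted."""
    return sorted({d.get("name", "") for d in denials})

def triage(log_text, path, profile="/usr/sbin/ntpd", need="wca"):
    """Return "apparmor" if a denial names `path` with a needed mode,
    otherwise "check-dac" (look at ordinary Unix permissions instead)."""
    for d in parse_denials(log_text):
        if (d.get("profile") == profile and d.get("name") == path
                and set(d.get("denied_mask", "")) & set(need)):
            return "apparmor"
    return "check-dac"

if __name__ == "__main__":
    print("denied paths:", denied_names(parse_denials(SAMPLE_LOG)))
    print("verdict for", FAILED_PATH, "->", triage(SAMPLE_LOG, FAILED_PATH))
```

When the verdict is `check-dac`, `namei -l` on the failing path lists the owner and mode of every path component, which is the Unix-permission check the answer asks for.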