[SOLVED] Chrony Apparmor problem

cstreutjes

Mar 26, 2023
Hello,

I have installed Proxmox Backup Server on top of Debian. It runs nicely.

But Chrony for NTP synchronization won't start because of AppArmor:

The unit chrony.service has entered the 'failed' state with result 'exit-code'.

audit[36381]: AVC apparmor="DENIED" operation="create" profile="/usr/sbin/chronyd" pid=36381 comm="chronyd" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none

kernel: audit: type=1400 audit(1679848187.998:306): apparmor="DENIED" operation="create" profile="/usr/sbin/chronyd" pid=36381 comm="chronyd" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none

When I delete the Chrony profile in AppArmor it starts normally. But with the AppArmor profile I get a lot of errors.

I compared the AppArmor Chrony profile with the one on another Proxmox server (where Chrony runs normally, and AppArmor also); it is exactly the same...

When I run aa-status I get:
apparmor module is loaded.
8 profiles are loaded.
8 profiles are in enforce mode.
   /usr/bin/man
   /usr/sbin/chronyd
   lsb_release
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
   tcpdump
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

So, what can I do? Is the AppArmor profile needed for Chrony? Is it safe to run Chrony without the Chrony profile in AppArmor?


Thanks in advance!
 
I replaced Chrony with systemd-timesyncd because my Proxmox Backup Server is a stand-alone off-site server. I don't need an NTP server, only a client. systemd-timesyncd is perfect for me.

systemd-timesyncd works fine and the server is synchronized again :-)
 
In https://bugzilla.proxmox.com/show_bug.cgi?id=4576 there was a trick written in a comment:
I noticed that "dpkg-reconfigure apparmor" would make it work, so I dug into https://salsa.debian.org/apparmor-team/apparmor/-/blob/debian/2.13.6-10/debian/apparmor.postinst and found out what commands actually trigger the behaviour change.
* the mtime of "/etc/apparmor.d/tunables/home.d/ubuntu" needs to be updated (probably required to make AppArmor think that something changed)
* profiles must be reloaded with "apparmor_parser --write-cache --replace -- /etc/apparmor.d"
I tested it on my installation and it is working!
 
I had to change /etc/default/chrony to fix it


cat /etc/default/chrony
# This is a configuration file for /etc/init.d/chrony and
# /lib/systemd/system/chrony.service; it allows you to pass various options to
# the chrony daemon without editing the init script or service file.

# Options to pass to chrony.
DAEMON_OPTS=""
https://forum.openmediavault.org/in...and-chrony-services-failed-to-start/&pageNo=4



Update... after doing this, I think there is no option to check chrony


="create" profile="/usr/sbin/chronyd" pid=4260 comm="chronyd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
[ 9653.644336] audit: type=1400 audit(1704897515.227:278): apparmor="DENIED" operation="create" profile="/usr/sbin/chronyd" pid=4260 comm="chronyd" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[ 9653.647474] audit: type=1400 audit(1704897515.227:279): apparmor="DENIED" operation="create" profile="/usr/sbin/chronyd" pid=4260 comm="chronyd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
root@cs-c-11:~#
root@cs-c-11:~#
root@cs-c-11:~# chronyc sources
506 Cannot talk to daemon
root@cs-c-11:~#
 
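Added example, not part of any post in this thread: a small Python triage script that groups the AppArmor denial records quoted above by profile, operation, socket family and socket type, and lists the timestamped denials logged after a given time, which is one way to confirm that a profile reload such as the one from the Bugzilla comment stopped them. The function names are made up for this example; the sample log reuses lines from the posts plus one constructed non-AppArmor line.

```python
import re
from collections import Counter

# Sample input: denial lines quoted in the posts above, plus one constructed
# non-AppArmor line to show that unrelated log lines are skipped.
SAMPLE_LOG = '''\
audit[36381]: AVC apparmor="DENIED" operation="create" profile="/usr/sbin/chronyd" pid=36381 comm="chronyd" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
kernel: audit: type=1400 audit(1679848187.998:306): apparmor="DENIED" operation="create" profile="/usr/sbin/chronyd" pid=36381 comm="chronyd" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
[ 9653.644336] audit: type=1400 audit(1704897515.227:278): apparmor="DENIED" operation="create" profile="/usr/sbin/chronyd" pid=4260 comm="chronyd" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
[ 9653.647474] audit: type=1400 audit(1704897515.227:279): apparmor="DENIED" operation="create" profile="/usr/sbin/chronyd" pid=4260 comm="chronyd" family="unix" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create" addr=none
chronyd[4260]: constructed line without an AppArmor record
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="value" or key=value
STAMP_RE = re.compile(r'audit\((\d+\.\d+):\d+\)')     # audit(epoch.millis:serial)


def parse_denial(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    rec = {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}
    stamp = STAMP_RE.search(line)
    # The "audit[pid]: AVC" form carries no audit(...) timestamp.
    rec["epoch"] = float(stamp.group(1)) if stamp else None
    return rec


def summarize(log_text):
    """Count denials per (profile, operation, family, sock_type)."""
    counts = Counter()
    for rec in filter(None, map(parse_denial, log_text.splitlines())):
        counts[(rec.get("profile", "?"), rec.get("operation", "?"),
                rec.get("family", "-"), rec.get("sock_type", "-"))] += 1
    return counts


def denials_since(log_text, profile, since_epoch):
    """Timestamped denials for one profile logged after since_epoch."""
    return [rec for rec in filter(None, map(parse_denial, log_text.splitlines()))
            if rec.get("profile") == profile
            and rec["epoch"] is not None and rec["epoch"] > since_epoch]


if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE_LOG).items()):
        print(count, *key)
```

On a live system the same functions can be fed the text of `journalctl -k` or `dmesg`; passing the time of the profile reload as `since_epoch` shows whether chronyd is still being denied afterwards.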