[apparmor] AppArmor and ntpd
Martin Burnicki
martin.burnicki at meinberg.de
Tue Dec 7 08:49:01 GMT 2010
John Johansen wrote:
> On 12/06/2010 08:38 AM, Martin Burnicki wrote:
[...]
>>Maybe it could be better to use /dev/refclock-* as a default. These are
>>usually symlinks used by ntpd's parse driver which point to real
>>/dev/ttyS* devices, if used by ntpd, and even if /dev/mbgclock* is used
>>by ntpd it is accessed via a /dev/refclock-* symlink.
>>
> Well the symlink is actually problematic, in that apparmor's rules and
> mediation are post symlink resolution.
OK. I'm not yet too familiar with the details of how AppArmor works.
> You could add an alias rule, but in this case that is not really any
> better than the variable, as you have to know what the target of the
> symlink is.
Agreed.
Thanks,
Martin
--
Martin Burnicki
Meinberg Funkuhren
Bad Pyrmont
Germany
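
The point made in the quoted reply, that AppArmor mediates the path left after symlink resolution, shown as an added example that is not part of the original message or of any AppArmor or ntpd tooling: a shell function that resolves each /dev/refclock-* symlink and prints a file rule for its target. The function name `refclock_rules`, its directory argument and the `rw` permission are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). AppArmor matches the path left after
# symlink resolution, so a profile rule has to name the link's target
# (e.g. /dev/ttyS0), not the /dev/refclock-* link itself.

# Print one AppArmor file rule per distinct target of DIR/refclock-*.
# DIR defaults to /dev; the "rw" permission is an assumption for a
# reference clock device that ntpd both reads and writes.
refclock_rules() {
    dir=${1:-/dev}
    for link in "$dir"/refclock-*; do
        # An unmatched glob stays literal; skip anything that is not a symlink.
        [ -L "$link" ] || continue
        # A dangling link has no device to grant access to; report and skip.
        if [ ! -e "$link" ]; then
            echo "skipping dangling symlink: $link" >&2
            continue
        fi
        # Fully resolve the link, including chains of symlinks.
        target=$(readlink -f "$link") || continue
        printf '  %s rw,\n' "$target"
    done | sort -u   # several links may point at the same device
}

refclock_rules "${1:-/dev}"
```

The printed lines are candidate rules to review before adding them to the ntpd profile; they have to be regenerated whenever a symlink is pointed at a different device.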