
Apparmor conflicted with ntpd: apparmor=DENIED operation=capable


What is Apparmor?

Apparmor (short for Application Armor) is a security module that is built into the Linux kernel. It is a Mandatory Access Control (MAC) system that uses profiles to define the access permissions of applications. These profiles are loaded at boot time and are designed to restrict the access of applications to specific system resources such as files, directories, and network sockets.

Problem brief

Sometimes you will find the following log entry repeated frequently in dmesg. It generally means that something the ntp service does conflicts with the AppArmor profile confining it.

apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/resolvconf/resolv.conf.d/head" pid= comm="ntpd" requested_mask="r" denied_mask="r" fsuid= ouid=

This message means the AppArmor profile for ntpd denied it read access to a file it tried to open, which can keep ntpd from functioning properly. In this blog post, we will discuss three possible solutions to this problem.

Check apparmor status

aa-status
# or
cat /sys/kernel/security/apparmor/profiles

output

...
/usr/sbin/ntpd (enforce)
...

Solution 1. Change apparmor rule (safer)

You can change the default AppArmor rule set for ntpd; the default profile is located at /etc/apparmor.d/usr.sbin.ntpd. Add a rule that grants the access the log shows being denied (here, read access to the file named in the log), then reload the profiles:

systemctl restart apparmor.service
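Working out which rule to add is mostly mechanical, so here is a small POSIX sh helper, added for this post and not taken from the ntp or AppArmor projects, that turns DENIED lines from dmesg into candidate profile rules. The sample log lines are constructed (pid and uid values are illustrative); the capname field and the local override file path reflect AppArmor's audit format and Ubuntu-style profile layout as I know them, and are assumptions here.

```shell
#!/bin/sh
# Constructed samples: a file-open denial like the one in the post, and a capability denial.
SAMPLE='apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/resolvconf/resolv.conf.d/head" pid=1234 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
CAP_SAMPLE='apparmor="DENIED" operation="capable" profile="/usr/sbin/ntpd" pid=1234 comm="ntpd" capability=12 capname="net_admin"'

# aa_field KEY LINE -> value of KEY="..." (or bare KEY=...) in LINE, empty if absent.
# A leading space is added so the first key on the line is matched like the others.
aa_field() {
    printf ' %s\n' "$2" | sed -n 's/.*[[:space:]]'"$1"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# suggest_rule LINE -> one candidate AppArmor rule, or nothing if we cannot be sure.
suggest_rule() {
    case "$(aa_field operation "$1")" in
        capable)
            cap=$(aa_field capname "$1")          # capability denials need a "capability" rule
            [ -n "$cap" ] && printf 'capability %s,\n' "$cap"
            ;;
        *)
            name=$(aa_field name "$1")
            mask=$(aa_field denied_mask "$1" | tr -cd 'rwmkl')   # exec ("x") needs a mode; left to a human
            [ -n "$name" ] && [ -n "$mask" ] && printf '%s %s,\n' "$name" "$mask"
            ;;
    esac
}

# suggest_from_log: read dmesg/journal output on stdin, emit deduplicated candidate rules.
suggest_from_log() {
    grep 'apparmor="DENIED"' | while IFS= read -r line; do
        suggest_rule "$line"
    done | sort -u
}

# Usage: dmesg | suggest_from_log  >> /etc/apparmor.d/local/usr.sbin.ntpd   (assumed Ubuntu layout)
#        apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd
```

Review each suggested line before adding it: a rule should grant exactly the access ntpd needs and nothing broader, which is what keeps this approach safer than disabling the profile.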

Solution 2. Disable the ntpd profile

Alternatively, disable AppArmor confinement and auditing of ntpd altogether by moving its profile to the disabled set and unloading it:

ln -s /etc/apparmor.d/usr.sbin.ntpd /etc/apparmor.d/disable/
apparmor_parser -R /etc/apparmor.d/usr.sbin.ntpd
systemctl restart ntp.service

Conclusion

If you are encountering the "apparmor=DENIED operation=capable" error message when running ntpd, there are several possible solutions to the problem. Disabling AppArmor for ntpd should only be used as a temporary fix; modifying the AppArmor profile or updating ntpd's configuration provides a more permanent solution. By following the steps outlined in this blog post, you should be able to resolve the AppArmor conflict with ntpd and get your system running smoothly again.
