# Updated for Ubuntu by: Jamie Strandboge <jamie@canonical.com>
# ------------------------------------------------------------------
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2009-2012 Canonical Ltd.
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
# ------------------------------------------------------------------
#include <tunables/global>
#include <tunables/ntpd>
/usr/sbin/ntpd flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
capability net_bind_service,
capability sys_chroot,
capability sys_resource,
# ntp uses AF_INET, AF_INET6 and AF_UNSPEC
@{PROC}/net/if_inet6 r,
@{PROC}/*/net/if_inet6 r,
# pps devices are almost exclusively used with NTP
/usr/local/{,s}bin/ r,
/etc/ntp.drift.TEMP rwl,
/var/lib/ntp/*drift rw,
/var/lib/ntp/*drift.TEMP rw,
/var/log/ntpstats/clockstats* rwl,
/var/log/ntpstats/loopstats* rwl,
/var/log/ntpstats/peerstats* rwl,
/var/log/ntpstats/protostats* rwl,
/var/log/ntpstats/rawstats* rwl,
/var/log/ntpstats/sysstats* rwl,
/{,var/}run/ntpd.pid w,
# to be able to check for running ntpdate
# samba4 ntp signing socket
/{,var/}run/samba/ntp_signd/socket rw,
# samba4 winbindd pipe
/run/samba/winbindd/pipe rw,
# For use with clocks that report via shared memory (e.g. gpsd),
# you may need to give ntpd access to all of shared memory, though
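# this can be considered dangerous, because ipc_owner bypasses permission
# checks on every System V IPC object, not just the clock's segment.
# See https://launchpad.net/bugs/722815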
# for details. To enable, add this to local/usr.sbin.ntpd:
# capability ipc_owner,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.ntpd>
/etc/ldap/ldap.conf r,