Re: heads up: mac_ntpd has to be explicitly loaded in recent stable/14
- Reply: Tomoaki AOKI : "Re: heads up: mac_ntpd has to be explicitly loaded in recent stable/14"
- Reply: Herbert J. Skuhra: "Re: heads up: mac_ntpd has to be explicitly loaded in recent stable/14"
- In reply to: Marek Zarychta : "heads up: mac_ntpd has to be explicitly loaded in recent stable/14"
Date: Mon, 10 Mar 2025 12:06:25 UTC
On Mon, Mar 10, 2025 at 01:51:40PM +0200, Marek Zarychta wrote:
> Hello List Subscribers,
>
> in the past the module was loaded automatically upon NTPD server startup.
> It's no longer true, now it has to be loaded earlier.
> Perhaps people running stable/14 might find this message useful.
>
> Cheers
> ....

So... I noticed this for (precisely) one of the five machines I have
that track stable/14 -- the other 4 get mac_ntpd loaded automagically as
usual.

In the failing case, it seems that

    sysctl security.mac.version

yielded

    sysctl: unknown oid 'security.mac.version'

which thus caused the code in /etc/rc.d/ntpd:

    # Try to set up the MAC ntpd policy so ntpd can run with reduced
    # privileges. Detect whether MAC is compiled into the kernel, load
    # the policy module if not already present, then check whether the
    # policy has been disabled via tunable or sysctl.
    [ -n "$(sysctl -qn security.mac.version)" ] || return 1
    sysctl -qn security.mac.ntpd >/dev/null || kldload -qn mac_ntpd || return 1
    [ "$(sysctl -qn security.mac.ntpd.enabled)" == "1" ] || return 1

(in can_run_nonroot()) to return before the kldload can run.

As the (only) machine that exhibits the failure is the one that
acts as my Internet gateway, I am fairly reluctant to have it down
longer than necessary. :-}

(I admit that I was beginning to wonder if what I seemed to be
seeing was actually real.)

Peace,
david
--
David H. Wolfskill david@catwhisker.org
Thank you, Claude Malhuret.
https://wickedemerald.wordpress.com/2025/03/08/speech-from-claude-malhuret/
See https://www.catwhisker.org/~david/publickey.gpg for my public key.
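
Added example, not part of the message above and not FreeBSD's own code: a read-only check that walks the three tests quoted from can_run_nonroot() and names the first one that fails, which separates the case described in the message (security.mac.version unreadable, so kldload is never reached) from a policy that is merely not loaded or disabled. The function name ntpd_mac_diag and the SYSCTL override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic example; not part of /etc/rc.d/ntpd.
# ntpd_mac_diag and the SYSCTL override are hypothetical names.
: "${SYSCTL:=sysctl}"

# Walk the three checks quoted from can_run_nonroot() in order and print
# the first one that fails. Read-only: it never calls kldload.
ntpd_mac_diag() {
    # Check 1: is the MAC framework visible at all?
    ver=$($SYSCTL -qn security.mac.version 2>/dev/null) || ver=""
    if [ -z "$ver" ]; then
        echo "no-mac-framework: rc.d/ntpd returns before kldload is tried"
        return 1
    fi
    # Check 2: is the mac_ntpd policy node present?
    if ! $SYSCTL -qn security.mac.ntpd >/dev/null 2>&1; then
        echo "policy-not-loaded: rc.d/ntpd would try kldload mac_ntpd"
        return 2
    fi
    # Check 3: has the policy been disabled via tunable or sysctl?
    enabled=$($SYSCTL -qn security.mac.ntpd.enabled 2>/dev/null) || enabled=""
    if [ "$enabled" != "1" ]; then
        echo "policy-disabled: security.mac.ntpd.enabled is not 1"
        return 3
    fi
    echo "ok: all three checks pass"
    return 0
}

# Report the state of the machine the script runs on.
ntpd_mac_diag || true
```

Running it from cron or a monitoring check on each stable/14 host makes a host where ntpd has silently lost its reduced-privilege mode stand out by exit status.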