AppArmor and NTPD

If you modify your NTPD config, you may need to change its AppArmor profile as well.

Permissions for a local leap seconds file

This is for the file '/etc/leap-seconds.list', which is usually a symlink to the actual leap seconds file, also in /etc/ (e.g. '/etc/leap-seconds.3960835200').

In '/etc/apparmor.d/local/', put a file 'usr.sbin.ntpd' containing:

/etc/leap-seconds* r,

Don't forget the comma!
Merge '/etc/apparmor.d/local/usr.sbin.ntpd' into '/etc/apparmor.d/usr.sbin.ntpd' by reloading the profile:

apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd

Next, modify your ntp.conf:

leapfile /etc/leap-seconds.list

Restart NTPD and check the syslog. It should clearly state that it uses the leap seconds file:

Nov 30 10:42:48 pc8 ntpd[631492]: leapsecond file ('/etc/leap-seconds.list'): loaded, expire=2026-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37

Permissions for local clocks

Below are the permissions for various local clocks.
In '/etc/apparmor.d/local/usr.sbin.ntpd':

capability ipc_owner,
/dev/ttyS1 rw,
/dev/ttyS2 rw,
/etc/leap-seconds* r,

The first entry enables a shared memory driver.
The next two grant access to serial ports.
The last one grants read access to a leap seconds file.

Merge '/etc/apparmor.d/local/usr.sbin.ntpd' into '/etc/apparmor.d/usr.sbin.ntpd' by reloading the profile:

apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd
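
If ntpd still lacks an access after the reload, the kernel log records it as an AppArmor denial. The script below is an added example (not part of the original page) that turns such denials into candidate lines for '/etc/apparmor.d/local/usr.sbin.ntpd'. The log lines are constructed samples; note that the leap file denial names the symlink's target, not '/etc/leap-seconds.list', which is why the rule uses a glob.

```shell
#!/bin/sh
# Added example: derive candidate local-profile rules from AppArmor denials.

# Constructed sample audit lines (not taken from a real host).
sample_log() {
cat <<'EOF'
Nov 30 10:41:02 pc8 kernel: audit: type=1400 audit(1732963262.101:77): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/leap-seconds.3960835200" pid=631492 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 30 10:41:02 pc8 kernel: audit: type=1400 audit(1732963262.140:78): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/dev/ttyS1" pid=631492 comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
Nov 30 10:41:03 pc8 kernel: audit: type=1400 audit(1732963263.002:79): apparmor="DENIED" operation="capable" profile="/usr/sbin/ntpd" pid=631492 comm="ntpd" capability=15  capname="ipc_owner"
Nov 30 10:41:05 pc8 kernel: audit: type=1400 audit(1732963265.009:80): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/example.conf" pid=901 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 30 10:41:09 pc8 kernel: audit: type=1400 audit(1732963269.440:81): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/dev/ttyS1" pid=631492 comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
EOF
}

# Read kernel log text on stdin; print one candidate rule per denied ntpd access.
# File denials become "<path> <mask>," and capability denials "capability <name>,".
ntpd_rules() {
    grep 'apparmor="DENIED"' |
    grep -E 'profile="([^"]*/)?ntpd"' |
    sed -n -E \
        -e 's/.* capname="([a-z_]+)".*/capability \1,/p' \
        -e 's/.* name="([^"]+)".* denied_mask="([a-z]+)".*/\1 \2,/p' |
    LC_ALL=C sort -u   # de-duplicate repeated denials, stable order
}

sample_log | ntpd_rules
```

On a real host, pipe the kernel log into ntpd_rules instead of sample_log, and review each suggested line before adding it to the local file; a denial may also point at something ntpd should not be doing.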