strongswan apparmor profile doesn't permit xauth-pam
Bug #1470277 reported by Eric Heydrick
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strongswan (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
When using the strongswan xauth-pam plugin I get an error at startup regarding missing capabilities and the plugin doesn't load.
---
xauth-pam plugin requires CAP_AUDIT_WRITE capability
plugin 'xauth-pam': failed to load - xauth_pam_
---
If I add "capability audit_write," to /etc/apparmor.
Package info:
strongswan:
Installed: 5.1.2-0ubuntu2.3
Candidate: 5.1.2-0ubuntu2.3
strongswan-
Installed: 5.1.2-0ubuntu2.3
Candidate: 5.1.2-0ubuntu2.3
Ubuntu info:
Description: Ubuntu 14.04.2 LTS
Release: 14.04
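An added example, not part of the original report or the Ubuntu package: a small check that reads an AppArmor profile's `capability` rules and lists which strongSwan plugins would be refused the capability they need. The plugin-to-capability pairs come from this page; the sample profile text and all function names are constructed for illustration, and `#include`d abstractions are not followed.

```python
import re

# Plugin -> capability it needs, as stated on this page.
PLUGIN_CAPS = {"xauth-pam": "audit_write", "agent": "dac_override"}

# Constructed sample resembling a charon profile before the fix.
# It is not the profile shipped by Ubuntu.
SAMPLE_PROFILE = """\
/usr/lib/ipsec/charon {
  #include <abstractions/base>
  capability net_admin,
  capability net_raw chown,    # several names may share one rule
  # capability audit_write,    commented out, so it must not count
  deny capability sys_module,
}
"""

# Optional "audit", then optional "allow"/"deny", then the capability list.
RULE = re.compile(
    r"^\s*(?P<qual>(?:audit\s+)?(?:allow\s+|deny\s+)?)capability\b(?P<caps>[^,]*),")

def capability_rules(profile_text):
    """Return (allowed, denied) sets; '*' stands for a bare 'capability,' rule."""
    allowed, denied = set(), set()
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0]      # drops comments and #include lines
        m = RULE.match(line)
        if not m:
            continue
        names = set(m.group("caps").split()) or {"*"}
        (denied if "deny" in m.group("qual") else allowed).update(names)
    return allowed, denied

def blocked_plugins(profile_text, plugin_caps=PLUGIN_CAPS):
    """Map each plugin whose capability the profile does not grant to that capability."""
    allowed, denied = capability_rules(profile_text)
    blocked = {}
    for plugin, cap in plugin_caps.items():
        granted = cap in allowed or "*" in allowed
        refused = cap in denied or "*" in denied   # deny rules override allow rules
        if not granted or refused:
            blocked[plugin] = cap
    return blocked

if __name__ == "__main__":
    for plugin, cap in sorted(blocked_plugins(SAMPLE_PROFILE).items()):
        print(f"{plugin}: profile lacks 'capability {cap},'")
```
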
This bug was fixed in the package strongswan - 5.3.5-1ubuntu1
---------------
strongswan (5.3.5-1ubuntu1) xenial; urgency=medium
* debian/{rules,control,libstrongswan-extra-plugins.install}
  Enable bliss plugin
* debian/{rules,control,libstrongswan-extra-plugins.install}
  Enable chapoly plugin
* debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch
  Upstream suggests to not load this plugin by default as it has
  some limitations.
  https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
* debian/patches/increase-bliss-test-timeout.patch
  Under QEMU/KVM for autopkgtest bliss test takes a bit longer than default
* Update Apparmor profiles
  - usr.lib.ipsec.charon
    - add capability audit_write for xauth-pam (LP: #1470277)
    - add capability dac_override (needed by agent plugin)
    - allow priv dropping (LP: #1333655)
    - allow caching CRLs (LP: #1505222)
    - allow rw access to /dev/net/tun for kernel-libipsec (LP: #1309594)
  - usr.lib.ipsec.stroke
    - allow priv dropping (LP: #1333655)
    - add local include
  - usr.lib.ipsec.lookip
    - add local include
* Merge from Debian, which includes fixes for all previous CVEs
  Fixes (LP: #1330504, #1451091, #1448870, #1470277)
  Remaining changes:
* debian/control
  - Lower dpkg-dev to 1.16.1 from 1.16.2 to enable backporting to Precise
  - Update Maintainer for Ubuntu
  - Add build-deps
    - dh-apparmor
    - iptables-dev
    - libjson0-dev
    - libldns-dev
    - libmysqlclient-dev
    - libpcsclite-dev
    - libsoup2.4-dev
    - libtspi-dev
    - libunbound-dev
  - Drop build-deps
    - libfcgi-dev
    - clearsilver-dev
  - Create virtual packages for all strongswan-plugin-* for dist-upgrade
  - Set XS-Testsuite: autopkgtest
* debian/rules:
  - Enforcing DEB_BUILD_OPTIONS=nostrip for library integrity checking.
  - Set TESTS_REDUCED_KEYLENGTHS to one generate smallest key-lengths in
    tests.
  - Change init/systemd program name to strongswan
  - Install AppArmor profiles
  - Removed pieces on 'patching ipsec.conf' on build.
  - Enablement of features per Ubuntu current config suggested from
    upstream recommendation
  - Unpack and sort enabled features to one-per-line
  - Disable duplicheck as per
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718291#10
  - Disable libfast (--disable-fast):
    Requires dropping medsrv, medcli plugins which depend on libfast
  - Add configure options
    --with-tss=trousers
  - Remove configure options:
    --enable-ha (requires special kernel)
    --enable-unit-test (unit tests run by default)
  - Drop logcheck install
* debian/tests/*
  - Add DEP8 test for strongswan service and plugins
* debian/strongswan-starter.strongswan.service
  - Add new systemd file instead of patching upstream
* debian/strongswan-starter.links
  - removed, use Ubuntu systemd file instead of linking to upstream
* debia...