apparmor profile prevents fwknop-server from starting

Bug #1598506 reported by François Marier
This bug affects 2 people
Affects          Status        Importance  Assigned to  Milestone
fwknop (Debian)  Fix Released  Unknown
fwknop (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

I had to remove the fwknop-apparmor-profile package because it wouldn't start on Ubuntu 16.04:

$ sudo service fwknop-server status
● fwknop-server.service - LSB: start and stop fwknopd
   Loaded: loaded (/etc/init.d/fwknop-server; bad; vendor preset: enabled)
   Active: active (exited) since ven 2016-07-01 20:17:33 PDT; 56min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 8468 ExecStart=/etc/init.d/fwknop-server start (code=exited, status=0/SUCCESS)

jui 01 20:17:33 egilsstadir systemd[1]: Starting LSB: start and stop fwknopd...
jui 01 20:17:33 egilsstadir fwknop-server[8468]: * Starting FireWall KNock OPerator fwknopd
jui 01 20:17:33 egilsstadir fwknop-server[8468]: ...done.
jui 01 20:17:33 egilsstadir systemd[1]: Started LSB: start and stop fwknopd.
jui 01 20:17:33 egilsstadir fwknopd[8506]: Starting fwknopd
jui 01 20:17:33 egilsstadir fwknopd[8506]: Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
jui 01 20:17:33 egilsstadir fwknopd[8506]: iptables 'comment' match is available
jui 01 20:17:33 egilsstadir fwknopd[8506]: Sniffing interface: eth0
jui 01 20:17:33 egilsstadir fwknopd[8506]: [*] pcap_open_live() error: socket for SIOCETHTOOL(ETHTOOL_GET_TS_INFO): Permission denied

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in fwknop (Ubuntu):
status: New → Confirmed

Oliver Mueller (oliver-vpr) wrote :

The problem seems to be apparmor, which is restricting permissions.

The problem can be solved by changing the file /etc/apparmor.d/usr.sbin.fwknopd and adding the following lines:

  /run/xtables.lock rwk,
  network inet dgram,
  network inet6 dgram,
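
A small triage helper, added here as an example and not part of the bug report or the fwknop package: it turns AppArmor DENIED audit lines for the fwknopd profile into rules of the kind the comment above adds, then reports which of them a given profile still lacks. The log lines and the profile stanza are constructed samples, and the denial-to-rule mapping is a deliberate simplification of what aa-logprof does.

```python
import re

# Constructed AppArmor denial lines (not from the bug report), in the kernel
# audit key=value format, covering both kinds of rule the comment above adds.
SAMPLE_LOG = """\
audit: type=1400 audit(1467429453.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/fwknopd" name="/run/xtables.lock" pid=8506 comm="fwknopd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
audit: type=1400 audit(1467429453.124:46): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/fwknopd" name="/run/xtables.lock" pid=8506 comm="fwknopd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
audit: type=1400 audit(1467429453.200:47): apparmor="DENIED" operation="create" profile="/usr/sbin/fwknopd" pid=8506 comm="fwknopd" family="inet" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1467429453.201:48): apparmor="DENIED" operation="create" profile="/usr/sbin/fwknopd" pid=8506 comm="fwknopd" family="inet6" sock_type="dgram" protocol=0 requested_mask="create" denied_mask="create"
"""

# Constructed stand-in for /etc/apparmor.d/usr.sbin.fwknopd with one rule present.
SAMPLE_PROFILE = """\
/usr/sbin/fwknopd {
  network inet dgram,
}
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log_text, profile="/usr/sbin/fwknopd"):
    """Yield the key=value fields of each DENIED event for the given profile."""
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if fields.get("profile") == profile:
            yield fields

def suggest_rules(log_text, profile="/usr/sbin/fwknopd"):
    """Turn denials into profile rules, merging file permission masks per path."""
    file_masks, net_rules = {}, set()
    for ev in parse_denials(log_text, profile):
        if "name" in ev:        # file access denial: path plus denied permissions
            file_masks.setdefault(ev["name"], set()).update(ev["denied_mask"])
        elif "family" in ev:    # socket denial: address family plus socket type
            net_rules.add(f'network {ev["family"]} {ev["sock_type"]},')
    rules = []
    for path, mask in sorted(file_masks.items()):
        perms = "".join(c for c in "rwamklx" if c in mask)  # AppArmor letter order
        rules.append(f"{path} {perms},")
    return rules + sorted(net_rules)

def missing_rules(profile_text, rules):
    """Return the suggested rules that the current profile text does not contain."""
    present = {line.strip() for line in profile_text.splitlines()}
    return [r for r in rules if r not in present]

if __name__ == "__main__":
    print("\n".join(missing_rules(SAMPLE_PROFILE, suggest_rules(SAMPLE_LOG))))
```

After adding the rules, reload the profile with `sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.fwknopd` and restart fwknop-server; `aa-logprof` offers the same workflow with complete rule coverage.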

Oliver Mueller (oliver-vpr) wrote :

This problem only occurs if the package "fwknop-apparmor-profile" is installed as well, which is creating the apparmor profile for fwknopd in /etc/apparmor.d/usr.sbin.fwknopd.

Oliver Mueller (oliver-vpr) wrote :

If you run fwknopd within an LXC container for example, the problem does NOT occur. Maybe the underlying apparmor rules for the container allow certain operations.

François Marier (fmarier) wrote :

Changed in fwknop (Debian):
status: Unknown → New
Changed in fwknop (Debian):
status: New → Fix Released

François Marier (fmarier) wrote :

This should be fixed in Ubuntu 19.04.

Changed in fwknop (Ubuntu):
status: Confirmed → Fix Released