AppArmor profile for systemd daemon missing entry for /run/systemd/notify
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| strongswan (Debian) | Fix Released | Unknown | | |
| strongswan (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
I'm using strongswan-systemd (charon-systemd package), and each time the daemon starts there is a log entry in the journal saying that AppArmor prevents the daemon from properly notifying systemd.
Apr 20 11:43:09 vpn-2 audit[5970]: AVC apparmor="ALLOWED" operation="sendmsg" profile=
Apr 20 11:43:09 vpn-2 audit[5970]: AVC apparmor="ALLOWED" operation="sendmsg" profile=
Apr 20 11:43:09 vpn-2 audit[5970]: AVC apparmor="ALLOWED" operation="sendmsg" profile=
Apr 20 11:43:09 vpn-2 kernel: audit: type=1400 audit(152421738
Apr 20 11:43:09 vpn-2 kernel: audit: type=1400 audit(152421738
Apr 20 11:43:09 vpn-2 kernel: audit: type=1400 audit(152421738
Apr 20 11:43:09 vpn-2 systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Would it be possible to add a "run/systemd/
Related branches
- Andreas Hasenack: Approve
- Canonical Server: Pending requested
- git-ubuntu developers: Pending requested
Diff: 2059 lines (+1537/-90), 18 files modified
debian/changelog (+1155/-0)
debian/control (+122/-6)
debian/ipsec.secrets.proto (+0/-3)
debian/libcharon-extra-plugins.install (+64/-12)
debian/libcharon-standard-plugins.install (+19/-0)
debian/libstrongswan-extra-plugins.install (+58/-0)
debian/libstrongswan.install (+11/-6)
debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch (+11/-0)
debian/patches/series (+1/-0)
debian/rules (+50/-6)
debian/strongswan-starter.install (+4/-0)
debian/strongswan-starter.postinst (+0/-57)
debian/strongswan-tnc-base.install (+16/-0)
debian/strongswan-tnc-client.install (+5/-0)
debian/strongswan-tnc-ifmap.install (+3/-0)
debian/strongswan-tnc-pdp.install (+3/-0)
debian/strongswan-tnc-server.install (+10/-0)
debian/usr.sbin.charon-systemd (+5/-0)
Changed in strongswan (Debian):
- status: Unknown → New
Changed in strongswan (Ubuntu):
- status: New → In Progress
Changed in strongswan (Debian):
- status: New → Fix Released
Thanks, Jean-Daniel, for the report.
The charon-systemd profile is in complain mode, as we know it isn't complete yet (otherwise it would break).
Thank you for the report.
Some other services have that rule as well; I wonder if it should be in an abstraction.
E.g. rsyslog:
/{,var/}run/systemd/notify w,
The rule above fixes it - verified in Bionic.
I'll likely add a change like that on the next merge.
But also I will let Debian know about it to fix it there as well.
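The complain-mode records in the report are the raw material that aa-logprof turns into profile rules. As an added example (not code from the bug report, the strongswan packaging, or apparmor-utils), the Python below parses type=1400 audit records, merges the denied masks per profile and path, folds /run and /var/run into the `/{,var/}run/` alternation used by the rsyslog rule quoted above, and infers that a profile is in complain mode when its violations are logged as ALLOWED rather than DENIED. The sample records are constructed for this example: the pid, timestamps and the second path (/var/lib/example/state) are made up, though the field layout follows the kernel's audit format.

```python
"""Derive AppArmor file rules from type=1400 audit records.

Added example, not part of the bug report or of strongswan/apparmor-utils.
Handles both apparmor="ALLOWED" (complain mode: the access went through but
violates the profile) and apparmor="DENIED" (enforce mode) records.
"""
import re
from collections import defaultdict

# Constructed sample records for this example; pids, timestamps and the
# second path are made up. Field layout follows the kernel's audit format.
SAMPLE_AUDIT = """\
type=1400 audit(1524217389.123:91): apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/charon-systemd" name="/run/systemd/notify" pid=5970 comm="charon-systemd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=1400 audit(1524217389.124:92): apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/charon-systemd" name="/run/systemd/notify" pid=5970 comm="charon-systemd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
type=1400 audit(1524217390.001:93): apparmor="ALLOWED" operation="open" profile="/usr/sbin/charon-systemd" name="/var/lib/example/state" pid=5970 comm="charon-systemd" requested_mask="rw" denied_mask="r" fsuid=0 ouid=0
type=1400 audit(1524217390.002:94): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/charon-systemd" pid=100 comm="apparmor_parser"
"""

# key="quoted value" or key=bareword
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwamklx"               # conventional order of permission letters
MASK_ALIASES = {"c": "w", "d": "w"}  # create/delete are written as 'w' in rules


def parse_record(line):
    """Return the key=value fields of one audit record, or None if the
    line is not a type=1400 (AppArmor) record."""
    fields = {k: (q or u) for k, q, u in FIELD_RE.findall(line)}
    return fields if fields.get("type") == "1400" else None


def normalize_path(path):
    """Debian/Ubuntu profiles write /run and /var/run as one alternation,
    since /var/run is a symlink to /run on those systems."""
    for prefix in ("/run/", "/var/run/"):
        if path.startswith(prefix):
            return "/{,var/}run/" + path[len(prefix):]
    return path


def merge_masks(*masks):
    """Union several denied masks into one canonically ordered mask."""
    perms = {MASK_ALIASES.get(c, c) for m in masks for c in m}
    return "".join(sorted(perms, key=lambda c: (PERM_ORDER.find(c) % 8, c)))


def requested_access(fields):
    """(path, mask) for a complain-mode ALLOWED or enforce-mode DENIED
    record on a filesystem path; None for anything else (STATUS, etc.)."""
    if fields.get("apparmor") not in ("ALLOWED", "DENIED"):
        return None
    path, mask = fields.get("name"), fields.get("denied_mask")
    if not path or not mask or not path.startswith("/"):
        return None
    return normalize_path(path), mask


def rules_from_log(text):
    """Map each profile to the sorted, de-duplicated file rules its records
    call for, merging masks seen for the same path."""
    needed = defaultdict(dict)  # profile -> {path: mask}
    for line in text.splitlines():
        fields = parse_record(line)
        access = requested_access(fields) if fields else None
        if access is None:
            continue
        path, mask = access
        paths = needed[fields["profile"]]
        paths[path] = merge_masks(paths.get(path, ""), mask)
    return {profile: sorted(f"{p} {m}," for p, m in paths.items())
            for profile, paths in needed.items()}


def profile_modes(text):
    """Infer each profile's mode: violations logged as ALLOWED (with a
    denied_mask) only happen in complain mode; DENIED only under enforce."""
    modes = {}
    for line in text.splitlines():
        fields = parse_record(line) or {}
        verdict = fields.get("apparmor")
        if verdict == "ALLOWED" and fields.get("denied_mask"):
            modes[fields["profile"]] = "complain"
        elif verdict == "DENIED":
            modes.setdefault(fields["profile"], "enforce")
    return modes


if __name__ == "__main__":
    modes = profile_modes(SAMPLE_AUDIT)
    for profile, rules in rules_from_log(SAMPLE_AUDIT).items():
        print(f"# {profile} ({modes.get(profile, 'unknown')} mode)")
        for rule in rules:
            print(f"  {rule}")
```

Run as a script it prints the two rules the sample calls for, including `/{,var/}run/systemd/notify w,` for the sd_notify datagram; on a real host, feed it `journalctl -k` or `/var/log/audit/audit.log` output instead of the constructed sample. The "complain" verdict is the practical check: as long as a profile logs its violations as ALLOWED, the daemon keeps working and the missing rule is only visible in the log, which is why the report noticed it without any breakage.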