package:strongswan-plugin-farp may need apparmor config change
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
strongswan (Ubuntu) | Expired | Undecided | Unassigned | |
Bug Description
OS : Ubuntu 14.04 LTS server i386 ( with all packages obtained from Ubuntu repos )
Kernel : Linux 3.13.0-66-generic, i686
Running StrongSwan 5.1.2.
Found it was necessary to edit the apparmor profile to permit "strongswan-
be loaded at 'ipsec start'.
Reproducible 100% of time.
Following errors are reported in
"/var/log/
Nov 6 14:39:55 00[NET] opening ARP packet socket failed: Permission denied
Nov 6 14:39:55 00[LIB] plugin 'farp': failed to load - farp_plugin_create returned NULL
"/var/log/syslog" :
Nov 6 14:39:55 VMserver1 kernel: [15238.662619] type=1400 audit(144682079
Nov 6 14:39:55 VMserver1 kernel: [15238.677435] type=1400 audit(144682079
Proposed fix
------------
--- /etc/apparmor.
+++ /tmp/tmpvcipywp2 2015-11-06 16:46:16.552658984 +0000
@@ -27,6 +27,8 @@
# network all,
network raw,
+ network packet dgram,
+
/bin/dash mrPUx,
/etc/
/etc/ipsec.conf r,
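Review bot: the added "network packet dgram," line goes in next to "network raw," with no comment, so a later reader of the profile cannot tell which component needs packet sockets. Put a one-line comment above it naming the farp plugin's ARP packet socket (the log message is "opening ARP packet socket failed"), and drop the extra blank "+" line unless the profile separates rule groups that way. The context also shows "# network all," and the "+++" side is a temp file, so state which copy of the profile this was diffed against.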
@Steven, is this still an issue? The diff you showed includes "# network all," but this is not in the released version of charon's profile. Maybe you had a locally modified profile when you ran into the issue?
Since the charon's profile in Trusty allows all networking, I don't think that adding "network packet dgram," makes sense. Would you mind confirming if the problem happened with the stock profile or not?
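One way to settle the question raised in this thread is to compare the kernel's AppArmor denials with the network rules that are actually active in the profile. The following is an added example, not code from the bug report or from strongSwan. It assumes the audit lines carry family= and sock_type= fields, uses a placeholder profile name and constructed log and profile text, and models only the simple "network [family] [type]," rule forms.

```python
import re

# Simplified model of AppArmor "network" rules: a lone word is a socket type if
# listed here, otherwise a family (assumption: lone "packet" means the family).
SOCK_TYPES = {"stream", "dgram", "seqpacket", "rdm", "raw"}
DENIAL = re.compile(r'apparmor="DENIED".*?profile="(?P<profile>[^"]+)".*?'
                    r'family="(?P<family>[^"]+)"\s+sock_type="(?P<sock_type>[^"]+)"')
RULE = re.compile(r'^\s*network\b([^,#]*),')

# Constructed sample input; the profile name is a placeholder.
PROFILE = "/path/to/charon"
SAMPLE_LOG = ('kernel: type=1400 audit(0.0:1): apparmor="DENIED" operation="create" '
              'profile="/path/to/charon" comm="charon" family="packet" sock_type="dgram"\n')
LOCAL_PROFILE = "  # network all,\n  network raw,\n"  # rules visible in the diff context
ALLOW_ALL_PROFILE = "  network,\n"                    # assumed form of "allows all networking"


def denied_sockets(log_text):
    """Return the set of (profile, family, sock_type) denials found in audit lines."""
    hits = (DENIAL.search(line) for line in log_text.splitlines())
    return {(m["profile"], m["family"], m["sock_type"]) for m in hits if m}


def network_rules(profile_text):
    """Parse active network rules into (family, sock_type) pairs; None means any."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE.match(line)          # commented-out rules do not match and grant nothing
        if not m:
            continue
        words = m.group(1).split()
        if not words:
            rules.append((None, None))      # bare "network," allows everything
        elif len(words) == 1 and words[0] in SOCK_TYPES:
            rules.append((None, words[0]))  # "network raw," is raw on any family
        else:
            rules.append((words[0], words[1] if len(words) > 1 else None))
    return rules


def missing_rules(profile_text, log_text, profile_name):
    """Return rules for denials that no active rule in the profile already covers."""
    rules = network_rules(profile_text)
    needed = set()
    for prof, family, sock_type in denied_sockets(log_text):
        covered = any(f in (None, family) and t in (None, sock_type) for f, t in rules)
        if prof == profile_name and not covered:
            needed.add(f"network {family} {sock_type},")
    return sorted(needed)
```

With the rules from the diff context the denial is uncovered and the proposed line is reported as missing; with a profile that allows all networking nothing is reported, which is the distinction the reply asks the reporter to check.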