On 2016-02-16 09:46 AM, mrq1 wrote:
> it looks like strongswan is faking a nat situation if the kernel-libipsec
> is used

This is by design as kernel-libipsec requires ESPinUDP.

As Tobias (Strongswan upstream) said, it's best to not have this on by
default.

> btw: did you get these audit entries too?
>
> # grep audit /var/log/syslog
> Feb 16 07:56:31 kvm-xenial kernel: [240771.376037] audit: type=1400 audit(1455605791.501:866): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31139/fd/" pid=31139 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 16 08:20:30 kvm-xenial kernel: [242210.398331] audit: type=1400 audit(1455607230.525:867): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31165/fd/" pid=31165 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 16 08:37:04 kvm-xenial kernel: [243204.311072] audit: type=1400 audit(1455608224.480:868): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31720/fd/" pid=31720 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 16 08:41:09 kvm-xenial kernel: [243449.474502] audit: type=1400 audit(1455608469.642:869): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31743/fd/" pid=31743 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 16 08:41:30 kvm-xenial kernel: [243470.304749] audit: type=1400 audit(1455608490.474:870): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31836/fd/" pid=31836 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I don't get those but I only tested libipsec in a container where there
is no AppArmor. Maybe it's libipsec specific?

Can you add this to the profile and see if it helps:

  owner @{PROC}/@{pid}/fd/ r,
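An added example, not part of the thread above and not strongSwan's or Ubuntu's own tooling (the stock way to do this is aa-logprof from apparmor-utils): a small Python script that turns apparmor="DENIED" syslog lines like the ones quoted into candidate profile rules. It rewrites a process's own /proc/<pid>/ path to @{PROC}/@{pid}/, turns other pids into a glob, merges the denied masks for one path, and prefixes "owner" only when every denial for that path had fsuid equal to ouid, which is what makes the suggested "owner @{PROC}/@{pid}/fd/ r," line the right shape for charon. The first two sample lines are copied from the thread; the remaining ones, the function names and the assumption that @{PROC} comes from tunables/global are this example's own.

```python
#!/usr/bin/env python3
"""Turn AppArmor DENIED audit lines into candidate profile rules.

Added example for this thread, not strongSwan's or Ubuntu's own tooling.
Assumptions: lines are in the type=1400 syslog format quoted above, the
profile includes tunables/global (so @{PROC} expands to /proc/), and the
kernel variable @{pid} is available to match the confined process's pid.
"""
import re
import sys
from collections import defaultdict

# key="quoted value" or key=bareword, as printed by the audit subsystem
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# Permission letters in a fixed order so merged masks are printed stably
_MASK_ORDER = "rwacdmklix"

# Constructed sample log: lines 1-2 are copied from the thread, the rest are
# made up for this example (a second pid's /proc entry, a non-owner file,
# an ALLOWED line from complain mode and an unrelated message).
SAMPLE_SYSLOG = """\
Feb 16 07:56:31 kvm-xenial kernel: [240771.376037] audit: type=1400 audit(1455605791.501:866): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31139/fd/" pid=31139 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:20:30 kvm-xenial kernel: [242210.398331] audit: type=1400 audit(1455607230.525:867): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31165/fd/" pid=31165 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:21:05 kvm-xenial kernel: [242245.000000] audit: type=1400 audit(1455607265.000:868): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/1/status" pid=31165 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:21:06 kvm-xenial kernel: [242246.000000] audit: type=1400 audit(1455607266.000:869): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/log/charon.log" pid=31165 comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=1000
Feb 16 08:21:07 kvm-xenial kernel: [242247.000000] audit: type=1400 audit(1455607267.000:870): apparmor="ALLOWED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.conf" pid=31165 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 16 08:21:08 kvm-xenial kernel: [242248.000000] charon[31165]: unrelated kernel message
"""


def parse_audit_line(line):
    """Return the key/value fields of a type=1400 DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    if fields.get("type") != "1400":
        return None
    for needed in ("profile", "name", "pid", "denied_mask", "fsuid", "ouid"):
        if needed not in fields:
            return None
    return fields


def generalize_path(name, pid):
    """Rewrite /proc/<pid>/... into AppArmor variables.

    The confined process's own pid becomes @{pid}; any other pid becomes a
    numeric glob so one rule covers every process. Other paths are kept."""
    m = re.match(r"^/proc/(\d+)(/.*)?$", name)
    if not m:
        return name
    rest = m.group(2) or ""
    if m.group(1) == pid:
        return "@{PROC}/@{pid}" + rest
    return "@{PROC}/[0-9]*" + rest


def suggest_rules(log_text):
    """Map each profile to a sorted list of candidate rules for its denials.

    Denials of the same generalized path are merged into one rule. The
    'owner' prefix is only kept when every denial for that path had
    fsuid == ouid, i.e. the process was touching files it owns (as charon
    does with its own /proc/<pid>/fd/)."""
    wanted = defaultdict(lambda: defaultdict(lambda: {"mask": set(), "owner": True}))
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f is None:
            continue
        path = generalize_path(f["name"], f["pid"])
        entry = wanted[f["profile"]][path]
        entry["mask"].update(f["denied_mask"])
        if f["fsuid"] != f["ouid"]:
            entry["owner"] = False
    rules = {}
    for profile, paths in wanted.items():
        out = []
        for path, entry in sorted(paths.items()):
            mask = "".join(c for c in _MASK_ORDER if c in entry["mask"])
            prefix = "owner " if entry["owner"] else ""
            out.append(f"{prefix}{path} {mask},")
        rules[profile] = out
    return rules


if __name__ == "__main__":
    # Read syslog from stdin (e.g. grep audit /var/log/syslog | ./script.py)
    # or fall back to the constructed sample when run with no input.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SYSLOG
    for profile, out in suggest_rules(text).items():
        print(f"# candidate rules for profile {profile}")
        for rule in out:
            print("  " + rule)
```

Treat the output as a starting point, not a patch to apply blindly: a rule such as "@{PROC}/[0-9]*/status r," is wider than "owner @{PROC}/@{pid}/..." and should only go into the profile if the daemon really needs to read other processes' entries. After editing the profile, reload it with apparmor_parser -r and check syslog again for fresh type=1400 lines.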