strongswan ipsec status issue with apparmor
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
One Hundred Papercuts | Fix Released | High | Unassigned |
strongswan (Ubuntu) | Fix Released | High | Unassigned |
Xenial | Fix Released | Undecided | Christian Ehrhardt |
Yakkety | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
* Certain strongswan based VPN setups fail, especially those based on network-
* The fix is opening up the AppArmor profile slightly for charon and stroke where paths are disconnected.

[Test Case]
* valid VPN setup with network-
or
* valid neutron-vpn setup and then
  # mkdir /tmp/test
  # ip netns add testns
  # ip netns exec testns neutron-
In both cases the command fails as it can't reach the charon log.

[Regression Potential]
* Since the profile for strongswan is opened up a bit (and not more restricted), the regression potential for strongswan should be minimal.
* Yet OTOH, due to the change there is a slightly higher security risk now. That said, the case seems to be exactly what the feature was designed for [1], and there are several other packages holding a similar flag.
[1]: http://

[Other Info]
* The "valid VPN setup" part of both test cases would need some more input by the reporters if possible, to ease testing (see comments #5+#6 and #28+#29 for the current status on tests).
* Unless this is done we have to rely more than usual on the reporters to verify this.
$ lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04
$ apt-cache policy strongswan
strongswan:
Installed: 5.3.5-1ubuntu3
Candidate: 5.3.5-1ubuntu3
Version table:
*** 5.3.5-1ubuntu3 500
500 http://
500 http://
100 /var/lib/
Looks like 'ipsec status' might be causing strongswan's charon to write to run/systemd/

Extract from /etc/apparmor.
  /{,var/

With an established ipsec connection, issue the following:
  $ sudo ipsec status
  connecting to 'unix:/
  failed to connect to stroke socket 'unix:/
  $ journalctl
  ...
  Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 audit(146478529
  ...
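The report's audit line is truncated, but the failure it describes is an AppArmor "disconnected path" denial: a path (here a socket under run/systemd/, reached from a network namespace) that cannot be resolved against the namespace root, so none of the profile's file rules match it. The flag the report alludes to is not named on the page; the AppArmor flag for exactly this case is `attach_disconnected`, which makes such paths resolve as if attached under `/` so the ordinary rules apply. The script below is an added example, not code from the bug report, Ubuntu or strongSwan: it extracts disconnected-path denials from audit log text and checks whether a profile header carries the flag. The log lines, profile fragments and paths (`/usr/lib/ipsec/charon`, `/usr/lib/ipsec/stroke`, `run/charon.ctl`) are constructed for the example.

```shell
#!/bin/sh
# Added example for this bug report (not code from the report, Ubuntu or strongSwan).
# 1) disconnected_denials: pull AppArmor denials caused by "disconnected path"
#    lookups out of audit log text, the failure mode behind `ipsec status` here.
# 2) profile_has_attach_disconnected: check whether a profile header carries the
#    AppArmor attach_disconnected flag, which makes such paths resolve against /
#    so that ordinary file rules apply to them.
# All log lines, profile text and paths below are CONSTRUCTED for the example;
# the report's own audit line and profile extract are truncated on the page.

SAMPLE_AUDIT_LOG='kernel: audit: type=1400 audit(1464785292.123:40): apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4242 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1464785292.456:41): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/hosts" pid=4242 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1464785293.789:42): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/stroke" name="run/charon.ctl" pid=4250 comm="stroke" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0'

# Profile header without and with the flag (constructed fragments, not the
# shipped /etc/apparmor.d profile for charon).
PROFILE_BEFORE='#include <tunables/global>
/usr/lib/ipsec/charon {
  #include <abstractions/base>
  /{,var/}run/charon.ctl rw,
}'
PROFILE_AFTER='#include <tunables/global>
/usr/lib/ipsec/charon flags=(attach_disconnected) {
  #include <abstractions/base>
  /{,var/}run/charon.ctl rw,
}'

# Print "<profile> <path>" for each DENIED event whose info field reports a
# disconnected path. Reads audit log text on stdin; other denials are skipped.
disconnected_denials() {
    grep 'apparmor="DENIED"' |
    grep 'info="Failed name lookup - disconnected path"' |
    sed -n 's/.*profile="\([^"]*\)".*name="\([^"]*\)".*/\1 \2/p'
}

# Exit 0 if the profile text passed as $1 declares attach_disconnected in the
# flags=(...) list of its header line, 1 otherwise. Comment lines are ignored.
profile_has_attach_disconnected() {
    printf '%s\n' "$1" |
    grep -v '^[[:space:]]*#' |
    grep -Eq 'flags=\([^)]*attach_disconnected[^)]*\)[[:space:]]*\{'
}

# Stand-alone run: list the disconnected-path denials in the sample log and
# state which profile variant would resolve those paths.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | disconnected_denials
for variant in PROFILE_BEFORE PROFILE_AFTER; do
    eval "text=\$$variant"
    if profile_has_attach_disconnected "$text"; then
        echo "$variant: attach_disconnected set, disconnected paths are resolved under /"
    else
        echo "$variant: no attach_disconnected, disconnected paths stay denied"
    fi
done
```

On a real host the first function would be fed `journalctl -k` or `/var/log/audit/audit.log` output instead of the embedded text. Note that the flag only changes how a disconnected path is named; the profile still needs a matching rule (e.g. for the journal socket) for the access to be allowed, which is why the regression-potential note above calls the opening "slight".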
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: strongswan 5.3.5-1ubuntu3
ProcVersionSign
Uname: Linux 4.4.0-22-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jun 1 23:06:53 2016
InstallationDate: Installed on 2016-05-11 (21 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
PackageArchitec
SourcePackage: strongswan
UpgradeStatus: No upgrade log present (probably fresh install)
Changed in strongswan (Ubuntu):
  importance: Undecided → High
Changed in hundredpapercuts:
  status: New → Triaged
  importance: Undecided → High
description: updated
tags: added: verification-needed; removed: verification-done
tags: added: verification-done; removed: verification-needed
Changed in hundredpapercuts:
  status: Triaged → Fix Released
Hi Douglas,
I'm unable to reproduce this on a Xenial host. Are you running in a container or something similar? Also, have you altered the strongswan systemd unit?