Will disabling the charon and Apparmor profiles still let the VPN work? I don't fully understand the technicality of this.
Thanks.
On Sun, Nov 20, 2016 at 12:22 AM, Douglas Kosovic <email address hidden> wrote:
> Sorry I gave bad advice, Apparmor complain mode won't help, it was the
> attach_disconnected in the patch which fixes the issue.
>
> Simplest solution without patching is to disable the charon and stroke
> Apparmor profiles as mentioned on:
> https://github.com/nm-l2tp/network-manager-l2tp/wiki
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1587886
>
> Title:
> strongswan ipsec status issue with apparmor
>
> Status in One Hundred Papercuts:
> Triaged
> Status in strongswan package in Ubuntu:
> In Progress
>
> Bug description:
> $ lsb_release -rd
> Description: Ubuntu 16.04 LTS
> Release: 16.04
>
> $ apt-cache policy strongswan
> strongswan:
> Installed: 5.3.5-1ubuntu3
> Candidate: 5.3.5-1ubuntu3
> Version table:
> *** 5.3.5-1ubuntu3 500
> 500 http://au.archive.ubuntu.com/ubuntu xenial/main amd64
> Packages
> 500 http://au.archive.ubuntu.com/ubuntu xenial/main i386
> Packages
> 100 /var/lib/dpkg/status
>
>
> Looks like 'ipsec status' might be causing strongswan's charon to
> write to run/systemd/journal/dev-log instead of /run/systemd/journal
> /dev-log and apparmor doesn't like it.
>
> Extract from /etc/apparmor.d/abstractions/base :
> /{,var/}run/systemd/journal/dev-log w,
>
> With an established ipsec connection, issue the following :
>
> $ sudo ipsec status
> connecting to 'unix:///var/run/charon.ctl' failed: Permission denied
> failed to connect to stroke socket 'unix:///var/run/charon.ctl'
>
>
> $ journalctl
> ...
> Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400
> audit(1464785297.366:491): apparmor="DENIED" operation="connect"
> info="Failed name lookup - disconnected path" error=-13
> profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log"
> pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
> ...
>
> ProblemType: Bug
> DistroRelease: Ubuntu 16.04
> Package: strongswan 5.3.5-1ubuntu3
> ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
> Uname: Linux 4.4.0-22-generic x86_64
> NonfreeKernelModules: wl
> ApportVersion: 2.20.1-0ubuntu2.1
> Architecture: amd64
> CurrentDesktop: Unity
> Date: Wed Jun 1 23:06:53 2016
> InstallationDate: Installed on 2016-05-11 (21 days ago)
> InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64
> (20160420.1)
> PackageArchitecture: all
> SourcePackage: strongswan
> UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/hundredpapercuts/+bug/1587886/+subscriptions
>
--
Aquib Mir
c. 647.997.1982
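
An added example, not part of the e-mail thread or of the strongSwan or Ubuntu packaging: it parses the audit record quoted in the bug description and checks the logged `name` against the `abstractions/base` rule quoted there, showing why the rule does not match a disconnected path. The function names are hypothetical, and the re-rooting effect of `attach_disconnected` is modelled as an assumption.

```python
import re

# Constructed sample: the audit record quoted in the bug description above,
# with the e-mail's line wraps rejoined into one record.
SAMPLE = (
    'Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 '
    'audit(1464785297.366:491): apparmor="DENIED" operation="connect" '
    'info="Failed name lookup - disconnected path" error=-13 '
    'profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" '
    'pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0'
)
# Rule quoted in the report from /etc/apparmor.d/abstractions/base.
BASE_RULE = "/{,var/}run/systemd/journal/dev-log"

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit(line):
    """Return the key=value fields of one AppArmor audit record."""
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in KV.findall(line)}


def expand_braces(path):
    """Expand AppArmor {a,b} alternations into the literal paths they cover."""
    m = re.search(r'\{([^{}]*)\}', path)
    if not m:
        return [path]
    out = []
    for alt in m.group(1).split(','):
        out += expand_braces(path[:m.start()] + alt + path[m.end():])
    return out


def explain(line, rule=BASE_RULE):
    """Classify a denial and test the logged name against the rule."""
    f = parse_audit(line)
    name, allowed = f.get("name", ""), expand_braces(rule)
    return {
        "profile": f.get("profile"),
        "name": name,
        "disconnected": f.get("apparmor") == "DENIED"
        and "disconnected path" in f.get("info", ""),
        # The logged name has no leading "/", so the rule cannot match it.
        "matches_as_logged": name in allowed,
        # Assumption: attach_disconnected re-roots such a path at "/".
        "matches_if_rooted": "/" + name.lstrip("/") in allowed,
    }


if __name__ == "__main__":
    print(explain(SAMPLE))
```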