Comment 21 for bug 1587886

Aquib Mir (aquibmir) wrote : Re: [Bug 1587886] Re: strongswan ipsec status issue with apparmor

Will disabling the charon and Apparmor profiles still let the VPN work? I
don't fully understand the technicality of this.

Thanks.

On Sun, Nov 20, 2016 at 12:22 AM, Douglas Kosovic <email address hidden> wrote:

> Sorry I gave bad advice, Apparmor complain mode won't help, it was the
> attach_disconnected in the patch which fixes the issue.
>
> Simplest solution without patching is to disable the charon and stroke
> Apparmor profiles as mentioned on:
> https://github.com/nm-l2tp/network-manager-l2tp/wiki
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1587886
>
> Title:
> strongswan ipsec status issue with apparmor
>
> Status in One Hundred Papercuts:
> Triaged
> Status in strongswan package in Ubuntu:
> In Progress
>
> Bug description:
> $ lsb_release -rd
> Description: Ubuntu 16.04 LTS
> Release: 16.04
>
> $ apt-cache policy strongswan
> strongswan:
> Installed: 5.3.5-1ubuntu3
> Candidate: 5.3.5-1ubuntu3
> Version table:
> *** 5.3.5-1ubuntu3 500
> 500 http://au.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
> 500 http://au.archive.ubuntu.com/ubuntu xenial/main i386 Packages
> 100 /var/lib/dpkg/status
>
>
> Looks like 'ipsec status' might be causing strongswan's charon to
> write to run/systemd/journal/dev-log instead of
> /run/systemd/journal/dev-log and apparmor doesn't like it.
>
> Extract from /etc/apparmor.d/abstractions/base :
> /{,var/}run/systemd/journal/dev-log w,
>
> With an established ipsec connection, issue the following :
>
> $ sudo ipsec status
> connecting to 'unix:///var/run/charon.ctl' failed: Permission denied
> failed to connect to stroke socket 'unix:///var/run/charon.ctl'
>
>
> $ journalctl
> ...
> Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400
> audit(1464785297.366:491): apparmor="DENIED" operation="connect"
> info="Failed name lookup - disconnected path" error=-13
> profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log"
> pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
> ...
>
> ProblemType: Bug
> DistroRelease: Ubuntu 16.04
> Package: strongswan 5.3.5-1ubuntu3
> ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
> Uname: Linux 4.4.0-22-generic x86_64
> NonfreeKernelModules: wl
> ApportVersion: 2.20.1-0ubuntu2.1
> Architecture: amd64
> CurrentDesktop: Unity
> Date: Wed Jun 1 23:06:53 2016
> InstallationDate: Installed on 2016-05-11 (21 days ago)
> InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64
> (20160420.1)
> PackageArchitecture: all
> SourcePackage: strongswan
> UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/hundredpapercuts/+bug/1587886/+subscriptions
>

--
Aquib Mir
c. 647.997.1982
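
Added example, not part of the original message and not code from strongswan or AppArmor: a Python script that picks "disconnected path" denials out of audit lines and checks whether the denied name, once attached to the root (which is what the attach_disconnected profile flag does), is covered by the base-abstraction rule quoted in the bug description. The second log line and all function names are constructed for illustration, and only {a,b} alternation in the rule is handled, not globs.

```python
import re

# Constructed input: line 1 is the denial quoted in the bug report (unwrapped),
# line 2 is a made-up unrelated denial used as a negative case.
SAMPLE_LOG = (
    'Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 '
    'audit(1464785297.366:491): apparmor="DENIED" operation="connect" '
    'info="Failed name lookup - disconnected path" error=-13 '
    'profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" '
    'pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0\n'
    'Jun 01 12:16:00 example-host kernel: audit: type=1400 '
    'audit(1464785360.000:492): apparmor="DENIED" operation="open" '
    'profile="/usr/bin/example" name="/etc/example.conf" pid=5000 '
    'comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0\n'
)
# Rule quoted in the report from /etc/apparmor.d/abstractions/base.
BASE_RULE = '/{,var/}run/systemd/journal/dev-log'
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {k: (q if u == '' else u) for k, q, u in KV.findall(line)}

def expand_alternation(rule):
    """Expand AppArmor {a,b} alternations into literal paths (no globs)."""
    m = re.search(r'\{([^{}]*)\}', rule)
    if not m:
        return [rule]
    return [p for alt in m.group(1).split(',')
            for p in expand_alternation(rule[:m.start()] + alt + rule[m.end():])]

def disconnected_denials(log_text, rule=BASE_RULE):
    """Per profile, list disconnected-path denials and whether the path,
    once reattached at "/", would be covered by `rule`."""
    allowed = set(expand_alternation(rule))
    report = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get('apparmor') != 'DENIED' or 'disconnected path' not in rec.get('info', ''):
            continue
        reattached = '/' + rec.get('name', '').lstrip('/')
        report.setdefault(rec.get('profile', '?'), []).append(
            (rec.get('name', ''), reattached, reattached in allowed))
    return report

if __name__ == '__main__':
    for profile, hits in disconnected_denials(SAMPLE_LOG).items():
        for name, reattached, covered in hits:
            print(f'{profile}: {name!r} -> {reattached!r} covered by rule: {covered}')
```

A profile reported with covered = True already permits the reattached path through its existing rules, which matches the report above that attach_disconnected in the patch fixes the issue.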