app armor profile for systemd daemon missing entry for /run/systemd/notify

Bug #1765652 reported by Jean-Daniel Dupas on 2018-04-20
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
strongswan (Debian)
Fix Released
Unknown
strongswan (Ubuntu)
Undecided
Unassigned

Bug Description

I'm using strongswan-systemd (charon-systemd package), and each time the daemon start, there is log in the journal telling that apparmor prevent the daemon to properly notify systemd.

Apr 20 11:43:09 vpn-2 audit[5970]: AVC apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/charon-systemd" name="/run/systemd/notify" pid=5970 comm="charon-systemd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Apr 20 11:43:09 vpn-2 audit[5970]: AVC apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/charon-systemd" name="/run/systemd/notify" pid=5970 comm="charon-systemd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Apr 20 11:43:09 vpn-2 audit[5970]: AVC apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/charon-systemd" name="/run/systemd/notify" pid=5970 comm="charon-systemd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Apr 20 11:43:09 vpn-2 kernel: audit: type=1400 audit(1524217389.848:26): apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/charon-systemd" name="/run/systemd/notify" pid=5970 comm="charon-systemd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Apr 20 11:43:09 vpn-2 kernel: audit: type=1400 audit(1524217389.848:25): apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/charon-systemd" name="/run/systemd/notify" pid=5970 comm="charon-systemd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Apr 20 11:43:09 vpn-2 kernel: audit: type=1400 audit(1524217389.840:24): apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/charon-systemd" name="/run/systemd/notify" pid=5970 comm="charon-systemd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Apr 20 11:43:09 vpn-2 systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...

Would it be possible to add a "run/systemd/notify, w" entry in the default usr.sbin.charon-systemd profile ?

Related branches

Thanks Jean-Daniel for the report.

Charon systemd is in complain mode as we know it isn't complete yet (otherwise it would break).
Thank you for the report.

Some other services have that rule as well, I wonder if that should be in an abstraction.
E.g. rsyslog:
  /{,var/}run/systemd/notify w,

The rule above fixes it - verified in Bionic.

I'll likely add a change like that on the next merge.
But also I will let Debian know about it to fix it there as well.

Linked my report to Debian.
As Bionic is frozen atm and this is rather low on prio I'll wait what happens on the Debian bug.
I'll merge anyway for Bionic+1 in a few weeks I assume.

Changed in strongswan (Debian):
status: Unknown → New
Simon Déziel (sdeziel) wrote :

Having the notify socket rule added to an abstraction makes sense IMHO so I opened https://gitlab.com/apparmor/apparmor/issues/5

Thanks Simon,
for now I'll likely take the change into strongswan, but long term a proper systemd abstraction is probably the right way.

Changed in strongswan (Ubuntu):
status: New → In Progress
Changed in strongswan (Debian):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (4.2 KiB)

This bug was fixed in the package strongswan - 5.6.2-2ubuntu1

---------------
strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
    Remaining changes:
    + Clean up d/strongswan-starter.postinst: section about runlevel changes
    + Clean up d/strongswan-starter.postinst: Removed entire section on
      opportunistic encryption disabling - this was never in strongSwan and
      won't be see upstream issue #2160.
    + d/rules: Removed patching ipsec.conf on build (not using the
      debconf-managed config.)
    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
      used for debconf-managed include of private key).
    + Mass enablement of extra plugins and features to allow a user to use
      strongswan for a variety of extra use cases without having to rebuild.
      - d/control: Add required additional build-deps
      - d/control: Mention addtionally enabled plugins
      - d/rules: Enable features at configure stage
      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      - d/libstrongswan.install: Add plugins (so, conf)
    + d/strongswan-starter.install: Install pool feature, which is useful since
      we have attr-sql plugin enabled as well using it.
    + Add plugin kernel-libipsec to allow the use of strongswan in containers
      via this userspace implementation (please do note that this is still
      considered experimental by upstream).
      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
      - d/control: List kernel-libipsec plugin at extra plugins description
      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
        upstream recommends to not load kernel-libipsec by default.
    + Relocate tnc plugin
     - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
     - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
    + d/libstrongswan.install: Reorder conf and .so alphabetically
    + d/libstrongswan.install: Add kernel-netlink configuration files
    + Complete the disabling of libfast; This was partially accepted in Debian,
        it is no more packaging medcli and medsrv, but still builds and
        mentions it.
      - d/rules: Add --disable-fast to avoid build time and dependencies
      - d/control: Remove medcli, medsrv from package description
    + d/control: Mention mgf1 plugin which is in libstrongswan now
    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
      libstrongswan-extra-plugins (no deps from default plugins).
    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
      plugins for the most common use cases from extra-plugins into a new
      standard-plugins package. This will allow those use cases without pulling
      in too much more plugins (a bit like the tnc package). Recommend that
      package from strongswan-libcharon.
  * Dropped Changes (no more needed after 18.04)
    + Add rm_conffile for /etc/init.d/ipsec (transition from precies had
      missed that, droppable after 18.04)
    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
      libstrongswa...

Read more...

Changed in strongswan (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.