app armor profile for systemd daemon missing entry for /run/systemd/notify
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strongswan (Debian) | Fix Released | Unknown | |
strongswan (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
I'm using strongswan-systemd (charon-systemd package), and each time the daemon starts there is a log entry in the journal saying that apparmor prevents the daemon from properly notifying systemd.
Apr 20 11:43:09 vpn-2 audit[5970]: AVC apparmor="ALLOWED" operation="sendmsg" profile=
Apr 20 11:43:09 vpn-2 audit[5970]: AVC apparmor="ALLOWED" operation="sendmsg" profile=
Apr 20 11:43:09 vpn-2 audit[5970]: AVC apparmor="ALLOWED" operation="sendmsg" profile=
Apr 20 11:43:09 vpn-2 kernel: audit: type=1400 audit(152421738
Apr 20 11:43:09 vpn-2 kernel: audit: type=1400 audit(152421738
Apr 20 11:43:09 vpn-2 kernel: audit: type=1400 audit(152421738
Apr 20 11:43:09 vpn-2 systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Would it be possible to add a "run/systemd/
Related branches
- Andreas Hasenack: Approve on 2018-06-04
- Canonical Server Team: Pending requested 2018-05-29
- Ubuntu Server Dev import team: Pending requested 2018-05-29
Diff: 2059 lines (+1537/-90), 18 files modified
debian/changelog (+1155/-0)
debian/control (+122/-6)
debian/ipsec.secrets.proto (+0/-3)
debian/libcharon-extra-plugins.install (+64/-12)
debian/libcharon-standard-plugins.install (+19/-0)
debian/libstrongswan-extra-plugins.install (+58/-0)
debian/libstrongswan.install (+11/-6)
debian/patches/dont-load-kernel-libipsec-plugin-by-default.patch (+11/-0)
debian/patches/series (+1/-0)
debian/rules (+50/-6)
debian/strongswan-starter.install (+4/-0)
debian/strongswan-starter.postinst (+0/-57)
debian/strongswan-tnc-base.install (+16/-0)
debian/strongswan-tnc-client.install (+5/-0)
debian/strongswan-tnc-ifmap.install (+3/-0)
debian/strongswan-tnc-pdp.install (+3/-0)
debian/strongswan-tnc-server.install (+10/-0)
debian/usr.sbin.charon-systemd (+5/-0)
Christian Ehrhardt (paelzer) wrote : | #1 |
Christian Ehrhardt (paelzer) wrote : | #2 |
Linked my report to Debian.
As Bionic is frozen atm and this is rather low on prio I'll wait and see what happens on the Debian bug.
I'll merge anyway for Bionic+1 in a few weeks I assume.
Changed in strongswan (Debian): status: Unknown → New
Simon Déziel (sdeziel) wrote : | #3 |
Having the notify socket rule added to an abstraction makes sense IMHO so I opened https:/
Christian Ehrhardt (paelzer) wrote : | #4 |
Thanks Simon,
for now I'll likely take the change into strongswan, but long term a proper systemd abstraction is probably the right way.
Changed in strongswan (Ubuntu): status: New → In Progress
Changed in strongswan (Debian): status: New → Fix Released
Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package strongswan - 5.6.2-2ubuntu1
---------------
strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium
* Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
Remaining changes:
+ Clean up d/strongswan-
+ Clean up d/strongswan-
opportunistic encryption disabling - this was never in strongSwan and
won't be, see upstream issue #2160.
+ d/rules: Removed patching ipsec.conf on build (not using the
debconf-
+ d/ipsec.
used for debconf-managed include of private key).
+ Mass enablement of extra plugins and features to allow a user to use
strongswan for a variety of extra use cases without having to rebuild.
- d/control: Add required additional build-deps
- d/control: Mention additionally enabled plugins
- d/rules: Enable features at configure stage
- d/libbstrongswa
- d/libstrongswan
+ d/strongswan-
we have attr-sql plugin enabled as well using it.
+ Add plugin kernel-libipsec to allow the use of strongswan in containers
via this userspace implementation (please do note that this is still
considered experimental by upstream).
- d/libcharon-
- d/control: List kernel-libipsec plugin at extra plugins description
- d/p/dont-
upstream recommends to not load kernel-libipsec by default.
+ Relocate tnc plugin
- debian/
- Add new subpackage for TNC in d/strongswan-tnc-* and d/control
+ d/libstrongswan
+ d/libstrongswan
+ Complete the disabling of libfast; This was partially accepted in Debian,
it is no more packaging medcli and medsrv, but still builds and
mentions it.
- d/rules: Add --disable-fast to avoid build time and dependencies
- d/control: Remove medcli, medsrv from package description
+ d/control: Mention mgf1 plugin which is in libstrongswan now
+ Add now built (since 5.5.1) libraries libtpmtss and nttfft to
libstrong
+ d/control, d/libcharon-
plugins for the most common use cases from extra-plugins into a new
standard-
in too much more plugins (a bit like the tnc package). Recommend that
package from strongswan-
* Dropped Changes (no more needed after 18.04)
+ Add rm_conffile for /etc/init.d/ipsec (transition from precise had
missed that, droppable after 18.04)
+ d/control: bump breaks/replaces from libstrongswan-
libstrong
Changed in strongswan (Ubuntu): status: In Progress → Fix Released
Thanks Jean-Daniel for the report.
Charon systemd is in complain mode as we know it isn't complete yet (otherwise it would break).
Thank you for the report.
Some other services have that rule as well, I wonder if that should be in an abstraction.
E.g. rsyslog:
/{,var/}run/systemd/notify w,
The rule above fixes it - verified in Bionic.
I'll likely add a change like that on the next merge.
But also I will let Debian know about it to fix it there as well.
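To see which complain-mode "ALLOWED" events would become hard denials once a profile is enforced, and which rule closes each one, here is an added example that is not from the bug report or the strongswan packaging. The sample audit lines are constructed (the ones on the page are truncated after profile=, so the remaining fields follow the standard AppArmor audit layout and are an assumption), and /usr/sbin/example-daemon is a made-up profile included only for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the kernel audit lines quoted in the bug
# report. Fields from profile= onward are assumed (standard AppArmor layout);
# the charon-systemd entries mirror the report, /usr/sbin/example-daemon is a
# made-up enforce-mode profile added for contrast.
SAMPLE_LOG = """\
Apr 20 11:43:09 vpn-2 kernel: audit: type=1400 audit(1524217389.101:71): apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/charon-systemd" name="/run/systemd/notify" pid=5970 comm="charon-systemd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Apr 20 11:43:09 vpn-2 kernel: audit: type=1400 audit(1524217389.102:72): apparmor="ALLOWED" operation="sendmsg" profile="/usr/sbin/charon-systemd" name="/run/systemd/notify" pid=5970 comm="charon-systemd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Apr 20 11:43:09 vpn-2 kernel: audit: type=1400 audit(1524217389.103:73): apparmor="ALLOWED" operation="open" profile="/usr/sbin/charon-systemd" name="/etc/swanctl/private/vpn.key" pid=5970 comm="charon-systemd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 20 11:43:10 vpn-2 kernel: audit: type=1400 audit(1524217390.000:74): apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/example-daemon" name="/var/run/systemd/notify" pid=6012 comm="example-daemon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Apr 20 11:43:10 vpn-2 systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
"""

AVC_RE = re.compile(
    r'apparmor="(?P<verdict>ALLOWED|DENIED)".*?operation="(?P<op>[^"]+)"'
    r'.*?profile="(?P<profile>[^"]+)".*?name="(?P<name>[^"]+)"'
    r'.*?requested_mask="(?P<mask>[^"]+)"'
)

def parse_avc(text):
    """Return one dict per AppArmor file-access audit line; other lines are skipped."""
    return [m.groupdict() for m in map(AVC_RE.search, text.splitlines()) if m]

def complain_mode_profiles(events):
    """Profiles logging ALLOWED are in complain mode: the same access turns
    into a hard DENIED once the profile is switched to enforce."""
    return sorted({ev["profile"] for ev in events if ev["verdict"] == "ALLOWED"})

def suggest_rules(events):
    """Merge repeated events into one rule per (profile, path) with the union
    of requested permissions. /run and /var/run are folded into the
    /{,var/}run alternation used by the rsyslog rule quoted in the comments."""
    masks = defaultdict(set)
    for ev in events:
        path = re.sub(r"^/(var/)?run/", "/{,var/}run/", ev["name"])
        masks[(ev["profile"], path)].update(ev["mask"])
    rules = defaultdict(list)
    for (profile, path), perms in sorted(masks.items()):
        rules[profile].append(f"{path} {''.join(sorted(perms))},")
    return dict(rules)

if __name__ == "__main__":
    evs = parse_avc(SAMPLE_LOG)
    print(complain_mode_profiles(evs), suggest_rules(evs))
```

The merged rule for charon-systemd is the same `/{,var/}run/systemd/notify w,` line the comment above verified in Bionic; on a real host feed `journalctl -k` output to `parse_avc` instead of the constructed sample.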