apparmor profile prevent mysql backend usage

Bug #1766240 reported by Jean-Daniel Dupas
Affects: strongswan (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

Using strongswan-systemd (the recommended modern daemon), I can't use the sql and attr-sql plugins with a mysql backend as it triggers AppArmor errors:

Apr 23 13:25:23 vpn-1 audit[2970]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/charon-systemd" name="/usr/share/mysql/charsets/Index.xml" pid=2970 comm="charon-systemd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 13:25:23 vpn-1 audit[2970]: AVC apparmor="ALLOWED" operation="connect" profile="/usr/sbin/charon-systemd" name="/run/mysqld/mysqld.sock" pid=2970 comm="charon-systemd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=110


Changed in strongswan (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: server-next
Christian Ehrhardt  (paelzer) wrote :

Hi,
if you could outline how to set up the mysql backend that would help verifying this is done correctly.

Christian Ehrhardt  (paelzer) wrote :

There is /etc/apparmor.d/abstractions/mysql to cover all of them.
profile to change is debian/usr.sbin.charon-systemd
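
As an added example (not code from the bug report or from the strongswan package), here is a small triage script that parses the two AVC lines quoted in the description above and turns each file-access record into the literal AppArmor rule that would have covered it, grouped by profile. It also flags that apparmor="ALLOWED" means the profile was in complain mode, so the accesses succeeded but would be refused once the profile is enforced. The preferred fix is the one the comment above names, including abstractions/mysql in the charon-systemd profile; the literal rules are only a fallback shown for comparison. The sample audit text is constructed from the page's own lines, and the function names are the example's own.

```python
import re
import shlex

# Two AVC records constructed from the audit lines quoted in this bug report.
SAMPLE_AUDIT = """\
Apr 23 13:25:23 vpn-1 audit[2970]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/charon-systemd" name="/usr/share/mysql/charsets/Index.xml" pid=2970 comm="charon-systemd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 23 13:25:23 vpn-1 audit[2970]: AVC apparmor="ALLOWED" operation="connect" profile="/usr/sbin/charon-systemd" name="/run/mysqld/mysqld.sock" pid=2970 comm="charon-systemd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=110
"""

# Everything after the "AVC" keyword is a sequence of key=value pairs,
# some of them double-quoted; shlex handles the quoting for us.
AVC_RE = re.compile(r"\bAVC\s+(?P<fields>.+)$")

# Cosmetic ordering for permission letters in the emitted rule ("rw", not "wr").
PERM_ORDER = "rwalkmix"


def parse_avc(line):
    """Return the key=value fields of one AVC audit record, or None if the
    line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in shlex.split(m.group("fields")):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def candidate_rule(fields):
    """Turn one file-access record into the literal AppArmor file rule that
    would have permitted it, e.g. '/run/mysqld/mysqld.sock rw,'."""
    mask = fields.get("denied_mask") or fields.get("requested_mask", "")
    perms = "".join(c for c in PERM_ORDER if c in mask)
    return f"{fields['name']} {perms},"


def summarize(audit_text):
    """Group file-access AVC records by profile. For each profile report
    whether the events were logged as ALLOWED (complain mode: the access went
    through but would be denied under enforce) and the sorted set of literal
    rules that would cover them."""
    summary = {}
    for line in audit_text.splitlines():
        fields = parse_avc(line)
        # Records without a "name" (capability or signal denials, for example)
        # are not file rules and are skipped here.
        if not fields or "name" not in fields or "profile" not in fields:
            continue
        entry = summary.setdefault(fields["profile"], {"complain_mode": False, "rules": set()})
        if fields.get("apparmor") == "ALLOWED":
            entry["complain_mode"] = True
        entry["rules"].add(candidate_rule(fields))
    for entry in summary.values():
        entry["rules"] = sorted(entry["rules"])
    return summary


def render_snippet(profile, entry):
    """Render the review notes and candidate rules as profile text."""
    out = [f"# candidate additions for profile {profile}"]
    if entry["complain_mode"]:
        out.append("# events were logged as ALLOWED: the profile is in complain mode,")
        out.append("# so these accesses succeeded but would be blocked once enforced")
    out.append("# preferred fix: #include <abstractions/mysql>; literal fallback rules:")
    out.extend(entry["rules"])
    return "\n".join(out)


if __name__ == "__main__":
    for profile, entry in summarize(SAMPLE_AUDIT).items():
        print(render_snippet(profile, entry))
```

Run against a larger journal extract (`journalctl -k | grep 'apparmor='` or the audit log), the script gives a per-profile list to compare against the existing abstractions before adding literal paths; the ALLOWED flag is the reminder that a complain-mode profile has been logging, not protecting.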

Changed in strongswan (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package strongswan - 5.6.2-2ubuntu1

---------------
strongswan (5.6.2-2ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable, closes LP: #1773814 and LP: #1772705.
    Remaining changes:
    + Clean up d/strongswan-starter.postinst: section about runlevel changes
    + Clean up d/strongswan-starter.postinst: Removed entire section on
      opportunistic encryption disabling - this was never in strongSwan and
      won't be, see upstream issue #2160.
    + d/rules: Removed patching ipsec.conf on build (not using the
      debconf-managed config.)
    + d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
      used for debconf-managed include of private key).
    + Mass enablement of extra plugins and features to allow a user to use
      strongswan for a variety of extra use cases without having to rebuild.
      - d/control: Add required additional build-deps
      - d/control: Mention additionally enabled plugins
      - d/rules: Enable features at configure stage
      - d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      - d/libstrongswan.install: Add plugins (so, conf)
    + d/strongswan-starter.install: Install pool feature, which is useful since
      we have attr-sql plugin enabled as well using it.
    + Add plugin kernel-libipsec to allow the use of strongswan in containers
      via this userspace implementation (please do note that this is still
      considered experimental by upstream).
      - d/libcharon-extra-plugins.install: Add kernel-libipsec components
      - d/control: List kernel-libipsec plugin at extra plugins description
      - d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
        upstream recommends to not load kernel-libipsec by default.
    + Relocate tnc plugin
      - debian/libcharon-extra-plugins.install: Drop tnc from extra plugins
      - Add new subpackage for TNC in d/strongswan-tnc-* and d/control
    + d/libstrongswan.install: Reorder conf and .so alphabetically
    + d/libstrongswan.install: Add kernel-netlink configuration files
    + Complete the disabling of libfast; This was partially accepted in Debian,
        it no longer packages medcli and medsrv, but still builds and
        mentions them.
      - d/rules: Add --disable-fast to avoid build time and dependencies
      - d/control: Remove medcli, medsrv from package description
    + d/control: Mention mgf1 plugin which is in libstrongswan now
    + Add now built (since 5.5.1) libraries libtpmtss and nttfft to
      libstrongswan-extra-plugins (no deps from default plugins).
    + d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
      plugins for the most common use cases from extra-plugins into a new
      standard-plugins package. This will allow those use cases without pulling
      in too many more plugins (a bit like the tnc package). Recommend that
      package from strongswan-libcharon.
  * Dropped Changes (no more needed after 18.04)
    + Add rm_conffile for /etc/init.d/ipsec (transition from precise had
      missed that, droppable after 18.04)
    + d/control: bump breaks/replaces from libstrongswan-extra-plugins to
      libstrongswa...


Changed in strongswan (Ubuntu):
status: In Progress → Fix Released