apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/swanctl" name="/dev/net/tun" pid=490601 comm="swanctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strongswan (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
The swanctl apparmor profile leads to the following deny:
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/swanctl" name="/dev/net/tun" pid=490601 comm="swanctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
I'm using charon-systemd instead of strongswan-starter.
$ dpkg -l|grep "strongswan\
ii charon-systemd 5.8.2-1ubuntu3 amd64 strongSwan IPsec client, systemd support
ii libcharon-
ii libcharon-
ii libcharon-
ii libstrongswan 5.8.2-1ubuntu3 amd64 strongSwan utility and crypto library
ii libstrongswan-
ii strongswan 5.8.2-1ubuntu3 all IPsec VPN solution metapackage
ii strongswan-charon 5.8.2-1ubuntu3 amd64 strongSwan Internet Key Exchange daemon
ii strongswan-
ii strongswan-pki 5.8.2-1ubuntu3 amd64 strongSwan IPsec client, pki command
ii strongswan-starter 5.8.2-1ubuntu3 amd64 strongSwan daemon starter and configuration file parser
ii strongswan-swanctl 5.8.2-1ubuntu3 amd64 strongSwan IPsec client, swanctl command
I suspect you are using kernel-libipsec, which would explain why you are running into this, right? Could you please try the following:
cat << EOF | sudo tee -a /etc/apparmor.d/local/usr.sbin.swanctl
# libcharon-extra-plugins: kernel-libipsec
/dev/net/tun rw,
EOF
sudo apparmor_parser -rTW /etc/apparmor.d/usr.sbin.swanctl
Then restart strongswan?
If that fixes the problem, I'll submit a pull request. Setting as incomplete until then.
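The deny line in the report and the local-override rule proposed in the comment are two halves of one workflow: read the audit record, take the denied path and mask, and turn them into a rule for the profile's `local/` override file. The script below is an added example and not part of this bug report or of the strongSwan package; it parses AppArmor audit lines of the form shown above and derives the override path and rule. The sample log is constructed (the first line is the one from this report, the second is a made-up ALLOWED record to show filtering), and the mapping of a profile name such as `/usr/sbin/swanctl` onto `/etc/apparmor.d/local/usr.sbin.swanctl` assumes the usual Ubuntu packaging convention of naming profile files after the binary path with slashes replaced by dots.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input. Line 1 is the denial from this bug report;
# line 2 is a made-up ALLOWED record so the filter has something to skip.
SAMPLE_LOG = """\
apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/swanctl" name="/dev/net/tun" pid=490601 comm="swanctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
apparmor="ALLOWED" operation="open" profile="/usr/sbin/swanctl" name="/etc/swanctl/swanctl.conf" pid=1 comm="swanctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Matches key="quoted value" or key=bare_value tokens in an audit line.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Canonical ordering of file permission letters in an AppArmor rule.
_PERM_ORDER = "rwaxmkl"


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one AppArmor audit record into a key -> value dictionary."""
    entry: Dict[str, str] = {}
    for key, quoted, bare in _KV.findall(line):
        entry[key] = quoted if quoted else bare
    return entry


def local_override_path(profile: str) -> str:
    """Map a profile name onto its local override file (Ubuntu naming
    convention, assumed here: drop the leading slash, replace '/' with '.')."""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")


def suggest_rule(entry: Dict[str, str]) -> Optional[str]:
    """Return a file rule granting exactly the denied permissions, or None
    for records that are not file denials (ALLOWED/AUDIT, no path, no mask)."""
    if entry.get("apparmor") != "DENIED":
        return None
    name = entry.get("name")
    mask = entry.get("denied_mask", "")
    perms = "".join(p for p in _PERM_ORDER if p in mask)
    if not name or not perms:
        return None
    return f"{name} {perms},"


def suggested_overrides(log_text: str) -> List[Tuple[str, str]]:
    """Walk a log, yielding (override file, rule) pairs for each denial.
    Duplicate denials collapse into a single suggestion."""
    seen = set()
    result: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        if "apparmor=" not in line:
            continue
        entry = parse_audit_line(line)
        rule = suggest_rule(entry)
        if rule is None or "profile" not in entry:
            continue
        pair = (local_override_path(entry["profile"]), rule)
        if pair not in seen:
            seen.add(pair)
            result.append(pair)
    return result


if __name__ == "__main__":
    for path, rule in suggested_overrides(SAMPLE_LOG):
        print(f"{path}: {rule}")
```

Each suggestion is a starting point for review, not something to append blindly: the output for the report's line is `/dev/net/tun rw,`, the same rule the comment proposes, and it only makes sense for a host that actually loads kernel-libipsec and therefore needs swanctl to inherit the TUN device descriptor. After adding the rule, the profile still has to be reloaded (`apparmor_parser -r`) for the change to take effect.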