Comment 0 for bug 1932197

Andreas Hasenack (ahasenack) wrote :

Due to ordering of package installations, the apparmor profile for the `charon` daemon is not applied to the service on a fresh install on bionic.

For `apt install strongswan`, we get:
(...)
Setting up libstrongswan (5.6.2-1ubuntu2.5) ...
Setting up libstrongswan-standard-plugins (5.6.2-1ubuntu2.5) ...
Setting up libcharon-standard-plugins (5.6.2-1ubuntu2.5) ...
Setting up strongswan-libcharon (5.6.2-1ubuntu2.5) ...
Setting up strongswan-starter (5.6.2-1ubuntu2.5) ... <============
Created symlink /etc/systemd/system/multi-user.target.wants/strongswan.service → /lib/systemd/system/strongswan.service.
Setting up strongswan-charon (5.6.2-1ubuntu2.5) ... <============
Setting up strongswan (5.6.2-1ubuntu2.5) ...
(...)

$ ps axwZ|grep /usr/lib/ipsec/charon|grep -v grep
unconfined 12374 ? Ssl 0:00 /usr/lib/ipsec/charon

$ sudo aa-status | tail -n 2
1 processes are unconfined but have a profile defined.
   /usr/lib/ipsec/charon (12374)

See how strongswan-starter is set up before strongswan-charon. What happens is that -starter starts the services (including charon), but the apparmor profile is only loaded into the kernel by strongswan-charon's postinst, therefore too late.

In focal and later, the dependencies were changed[1]:
strongswan-starter: replaced "Recommends: strongswan-charon" with "Depends: strongswan-charon"
strongswan-charon: replaced "Depends: strongswan-starter" with "Recommends: strongswan-starter"

This has the effect that strongswan-charon will be configured already (i.e., the apparmor profile will be loaded into the kernel) by the time strongswan-starter comes along and (re)starts the services:

(...)
Setting up libstrongswan (5.8.2-1ubuntu3.1) ...
Setting up strongswan-libcharon (5.8.2-1ubuntu3.1) ...
Setting up libcharon-extauth-plugins (5.8.2-1ubuntu3.1) ...
Setting up strongswan-charon (5.8.2-1ubuntu3.1) ... <============
Setting up libstrongswan-standard-plugins (5.8.2-1ubuntu3.1) ...
Setting up strongswan-starter (5.8.2-1ubuntu3.1) ... <============
Created symlink /etc/systemd/system/multi-user.target.wants/strongswan-starter.service → /lib/systemd/system/strongswan-starter.service.
Setting up strongswan (5.8.2-1ubuntu3.1) ...
(...)

$ ps axwZ | grep /usr/lib/ipsec/charon | grep -v grep
/usr/lib/ipsec/charon (enforce) 1720 ? Ssl 0:00 /usr/lib/ipsec/charon

1. https://launchpad.net/ubuntu/+source/strongswan/5.8.1-1ubuntu1
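The symptom above (a process labelled `unconfined` whose executable has a loaded profile) is easy to check for on a host. The script below is an added example, not part of the bug report or of the strongswan packaging: it parses `ps axwZ` output and the kernel's profile list (`/sys/kernel/security/apparmor/profiles`) and reports every unconfined process that a loaded `enforce` or `complain` profile should be covering. The `ps` and profile-list lines it runs on are constructed sample data modelled on the output in the report; `check_host` is a hypothetical helper name that runs the same check against the live system.

```shell
#!/bin/sh
# Added example (not from the bug report): find processes that run
# unconfined even though an AppArmor profile for their executable is
# loaded, i.e. the state this bug leaves charon in on bionic.

# Constructed `ps axwZ --no-headers` output (not captured from a real host).
# Confined processes carry a "name (mode)" label that contains a space;
# unconfined ones carry the single word "unconfined", so only those lines
# split cleanly into label/pid/tty/stat/time/command.
PS_SAMPLE='unconfined 12374 ? Ssl 0:00 /usr/lib/ipsec/charon
/usr/sbin/cupsd (enforce) 900 ? Ss 0:00 /usr/sbin/cupsd
unconfined 1 ? Ss 0:03 /sbin/init'

# Constructed contents of /sys/kernel/security/apparmor/profiles, which
# lists every loaded profile as "name (mode)", one per line.
PROFILES_SAMPLE='/usr/lib/ipsec/charon (enforce)
/usr/sbin/cupsd (enforce)'

# unconfined_with_profile PS_OUTPUT PROFILE_LIST
# Prints "<pid> <exe>" for each unconfined process whose executable path
# is the name of a loaded enforce/complain profile.
unconfined_with_profile() {
    printf '%s\n' "$1" | while read -r label pid _tty _stat _time exe _rest; do
        [ "$label" = unconfined ] || continue
        # Profile names are literal paths: match the whole line as a fixed
        # string so /usr/lib/ipsec/charon does not match a longer name.
        if printf '%s\n' "$2" | grep -qxF -e "$exe (enforce)" -e "$exe (complain)"; then
            printf '%s %s\n' "$pid" "$exe"
        fi
    done
}

# check_host: hypothetical wrapper that runs the check on a live system.
# Returns 1 (and prints the offenders) when a process is unconfined but a
# profile for it is loaded; the fix is then to reload the profile and
# restart the service, which is what the package ordering change in focal
# gets right on a fresh install.
check_host() {
    found=$(unconfined_with_profile "$(ps axwZ --no-headers)" \
                                    "$(cat /sys/kernel/security/apparmor/profiles)")
    [ -z "$found" ] && return 0
    printf 'unconfined but profile loaded:\n%s\n' "$found"
    return 1
}

# Demo on the constructed data; on a real host call check_host instead.
unconfined_with_profile "$PS_SAMPLE" "$PROFILES_SAMPLE"
```

Run on the constructed data this prints `12374 /usr/lib/ipsec/charon`, the same process `aa-status` flags above. Profiles in other modes (for example `unconfined`-mode profiles on newer AppArmor releases) are deliberately ignored, since they would not confine the process anyway.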