Due to ordering of package installations, the apparmor profile for the `charon` daemon is not applied to the service on a fresh install on bionic.
For `apt install strongswan`, we get:
(...)
Setting up libstrongswan (5.6.2-1ubuntu2.5) ...
Setting up libstrongswan-standard-plugins (5.6.2-1ubuntu2.5) ...
Setting up libcharon-standard-plugins (5.6.2-1ubuntu2.5) ...
Setting up strongswan-libcharon (5.6.2-1ubuntu2.5) ...
Setting up strongswan-starter (5.6.2-1ubuntu2.5) ... <============
Created symlink /etc/systemd/system/multi-user.target.wants/strongswan.service → /lib/systemd/system/strongswan.service.
Setting up strongswan-charon (5.6.2-1ubuntu2.5) ... <============
Setting up strongswan (5.6.2-1ubuntu2.5) ...
(...)
$ ps axwZ | grep /usr/lib/ipsec/charon | grep -v grep
unconfined                      12374 ?        Ssl    0:00 /usr/lib/ipsec/charon
$ sudo aa-status | tail -n 2
1 processes are unconfined but have a profile defined.
/usr/lib/ipsec/charon (12374)
See how strongswan-starter is set up before strongswan-charon. What happens is that -starter starts the services (including charon), but the apparmor profile is only loaded into the kernel by the postinst of the strongswan-charon package, which therefore runs too late: charon is already running unconfined when its profile arrives.
In focal and later, the dependencies were changed [1]:
strongswan-starter: replaced "Recommends: strongswan-charon" with "Depends: strongswan-charon"
strongswan-charon: replaced "Depends: strongswan-starter" with "Recommends: strongswan-starter"
This has the effect that strongswan-charon will be configured already (i.e., the apparmor profile will be loaded into the kernel) by the time strongswan-starter comes along and (re)starts the services:
(...)
Setting up libstrongswan (5.8.2-1ubuntu3.1) ...
Setting up strongswan-libcharon (5.8.2-1ubuntu3.1) ...
Setting up libcharon-extauth-plugins (5.8.2-1ubuntu3.1) ...
Setting up strongswan-charon (5.8.2-1ubuntu3.1) ... <============
Setting up libstrongswan-standard-plugins (5.8.2-1ubuntu3.1) ...
Setting up strongswan-starter (5.8.2-1ubuntu3.1) ... <============
Created symlink /etc/systemd/system/multi-user.target.wants/strongswan-starter.service → /lib/systemd/system/strongswan-starter.service.
Setting up strongswan (5.8.2-1ubuntu3.1) ...
(...)
$ ps axwZ | grep /usr/lib/ipsec/charon | grep -v grep
/usr/lib/ipsec/charon (enforce) 1720 ?        Ssl    0:00 /usr/lib/ipsec/charon
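An added post-install check (mine, not part of the bug report) that parses `aa-status` output for the "unconfined but have a profile defined" condition shown above and, when run with `--live` on a real host, reloads the charon profile and restarts the service; the profile path /etc/apparmor.d/usr.lib.ipsec.charon is assumed from the package layout, and the sample output below is constructed from the bionic run above.

```shell
#!/bin/sh
# Constructed aa-status output modelled on the bionic run in the report:
# charon has a profile loaded but the running process is unconfined.
SAMPLE_BIONIC='apparmor module is loaded.
1 profiles are loaded.
1 profiles are in enforce mode.
   /usr/lib/ipsec/charon
0 profiles are in complain mode.
1 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/lib/ipsec/charon (12374)'

# Constructed output for the healthy case (focal, or bionic after the fix).
SAMPLE_FIXED='1 processes are in enforce mode.
   /usr/lib/ipsec/charon (1720)
0 processes are unconfined but have a profile defined.'

# Print the binaries listed in the "unconfined but have a profile defined"
# section of aa-status output passed as $1 (one path per line, none if empty).
unconfined_with_profile() {
    printf '%s\n' "$1" | awk '
        /unconfined but have a profile defined/ { inblock = 1; next }
        /^[0-9]+ processes/                      { inblock = 0 }
        inblock && $1 ~ /^\//                    { print $1 }
    '
}

# Exit 0 when charon is confined, 1 when it runs unconfined despite a profile.
charon_is_confined() {
    ! unconfined_with_profile "$1" | grep -qx '/usr/lib/ipsec/charon'
}

# Remediation for the bionic ordering bug: load the profile the postinst
# installed too late, then restart so charon is re-executed under it.
# Profile path is assumed (check /etc/apparmor.d on the host).
fix_charon_confinement() {
    apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon &&
        systemctl restart strongswan
}

if [ "${1:-}" = "--live" ]; then
    if charon_is_confined "$(aa-status)"; then
        echo "charon is confined"
    else
        echo "charon running unconfined with a profile defined; fixing"
        fix_charon_confinement
    fi
fi
```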
[1] https://launchpad.net/ubuntu/+source/strongswan/5.8.1-1ubuntu1