Package: strongswan-starter
Version: 5.9.8-5
Severity: normal
Tags: patch

Dear Maintainer,

for the legacy ipsec.conf variant, a /run/charon.ctl unix socket is needed.
Current apparmor settings disallow creation of the socket:

2023-07-01T17:04:41.153694+02:00 smtp kernel: [ 58.777471] kauditd_printk_skb: 19 callbacks suppressed
2023-07-01T17:04:41.153718+02:00 smtp kernel: [ 58.777479] audit: type=1400 audit(1688223881.147:30): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 profile="/usr/lib/ipsec/stroke" pid=1566 comm="stroke" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none

The ipsec utility then does not work:

# ipsec statusall
opening socket 'unix:///var/run/charon.ctl' failed: Permission denied
failed to connect to stroke socket 'unix:///var/run/charon.ctl'

I added the following line to /etc/apparmor.d/local/usr.lib.ipsec.stroke:

  unix (create) type=stream addr=/run/charon.ctl

which allowed it to work again.

I think this should be added to /etc/apparmor.d/usr.lib.ipsec.stroke

Regards
Matthias

-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-76-generic (SMP w/1 CPU thread)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages strongswan-starter depends on:
ii  adduser                3.134
ii  debconf [debconf-2.0]  1.5.82
ii  init-system-helpers    1.65.2
ii  libc6                  2.36-9
ii  libstrongswan          5.9.8-5
ii  sysvinit-utils         3.06-4

Versions of packages strongswan-starter recommends:
ii  strongswan-charon  5.9.8-5

strongswan-starter suggests no packages.

-- Configuration Files:
/etc/ipsec.conf changed [not included]
/etc/ipsec.secrets changed [not included]

-- debconf information:
  strongswan/x509_common_name:
  strongswan/existing_x509_certificate_filename:
  strongswan/charon: true
  strongswan/x509_country_code: AT
  strongswan/enable-oe: false
  strongswan/x509_self_signed: true
  strongswan/how_to_get_x509_certificate: create
  strongswan/runlevel_changes:
  strongswan/x509_locality_name:
  strongswan/install_x509_certificate: false
  strongswan/x509_state_name:
  strongswan/existing_x509_rootca_filename:
  strongswan/restart: true
  strongswan/x509_organizational_unit:
  strongswan/x509_email_address:
  strongswan/rsa_key_length: 2048
  strongswan/existing_x509_key_filename:
  strongswan/x509_organization_name:
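As an added example, not part of the report above and not code from the strongSwan or Debian AppArmor packaging, the following Python script parses AppArmor "DENIED" audit lines of the kind quoted in this report into their key=value fields and derives a candidate unix socket rule from the denial's own family, sock_type and mask fields. The two sample log lines are constructed in the shape of the reported ones; the derived rule is a starting point to confirm with aa-logprof or apparmor_parser before it goes into a profile, not a drop-in fix.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log in the shape of the kernel audit lines from the report.
SAMPLE_LOG = """\
2023-07-01T17:04:41.153694+02:00 smtp kernel: [ 58.777471] kauditd_printk_skb: 19 callbacks suppressed
2023-07-01T17:04:41.153718+02:00 smtp kernel: [ 58.777479] audit: type=1400 audit(1688223881.147:30): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 profile="/usr/lib/ipsec/stroke" pid=1566 comm="stroke" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
"""

# key="quoted value" or key=bare_value; audit messages use both forms.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of an AppArmor audit line, or None if the
    line is not an AppArmor audit message (e.g. the kauditd suppression notice)."""
    if 'apparmor="' not in line:
        return None
    fields: Dict[str, str] = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def find_denials(log: str) -> List[Dict[str, str]]:
    """Collect every DENIED event from a block of log text."""
    denials = []
    for line in log.splitlines():
        fields = parse_audit_line(line)
        if fields and fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials


def suggest_unix_rule(denial: Dict[str, str]) -> Optional[str]:
    """Build a candidate 'unix (...) type=... addr=...,' rule from the fields of
    a family=unix denial.  Only information present in the event is used: an
    addr conditional is emitted only when the kernel logged a real address,
    so a create denial with addr=none yields a rule without addr=.
    (Assumption: the result is reviewed with aa-logprof/apparmor_parser.)"""
    if denial.get("family") != "unix":
        return None
    perms = denial.get("denied_mask") or denial.get("requested_mask")
    if not perms:
        return None
    rule = f"unix ({perms})"
    if denial.get("sock_type"):
        rule += f" type={denial['sock_type']}"
    addr = denial.get("addr")
    if addr and addr != "none":
        rule += f" addr={addr}"
    return rule + ","


def summarize(log: str) -> List[str]:
    """One human-readable line per denial: profile, operation, suggested rule."""
    lines = []
    for d in find_denials(log):
        rule = suggest_unix_rule(d) or "(no unix rule derivable)"
        lines.append(f"{d.get('profile')} denied {d.get('operation')} "
                     f"for comm={d.get('comm')}: consider '{rule}'")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

The script deliberately derives the addr conditional from the logged `addr=` field rather than from the socket path the client later connects to, so the reader can see which parts of a rule a given denial actually justifies and which parts need a separate event (or aa-logprof) to confirm.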
diff --git a/apparmor.d/local/usr.lib.ipsec.stroke b/apparmor.d/local/usr.lib.ipsec.stroke index e69de29..59a493b 100644 --- a/apparmor.d/local/usr.lib.ipsec.stroke +++ b/apparmor.d/local/usr.lib.ipsec.stroke @@ -0,0 +1 @@ + unix (create) type=stream addr=/run/charon.ctl
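Review bot: the hunk lands the rule in apparmor.d/local/usr.lib.ipsec.stroke, the site-local override, while the report text proposes /etc/apparmor.d/usr.lib.ipsec.stroke, the profile the package ships; a change confined to the local override is not what the package would carry, so target the shipped profile. The denial being addressed is operation="create" with addr=none, so the addr=/run/charon.ctl conditional is not backed by that event; confirm with aa-logprof which permissions the profile actually needs and add a short comment above the rule stating the denial it resolves. As shown, the rule line also lacks the terminating comma AppArmor rule syntax requires; check that it is present in the actual file and not only dropped in transit.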