Public bug reported:

OS : Ubuntu 14.04 LTS server i386 (with all packages obtained from Ubuntu repos)
Kernel : Linux 3.13.0-66-generic, i686

Running StrongSwan 5.1.2.

Found it was necessary to edit the apparmor profile to permit "strongswan-plugin-farp" to be loaded at 'ipsec start'.


Reproducible 100% of time.


Following errors are reported in

"/var/log/charon.log" :

Nov  6 14:39:55 00[NET] opening ARP packet socket failed: Permission denied
Nov  6 14:39:55 00[LIB] plugin 'farp': failed to load - farp_plugin_create returned NULL

"/var/log/syslog" :

Nov  6 14:39:55 VMserver1 kernel: [15238.662619] type=1400 audit(1446820795.972:29): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=1544
Nov  6 14:39:55 VMserver1 kernel: [15238.677435] type=1400 audit(1446820795.988:30): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=8


Proposed fix
------------

--- /etc/apparmor.d/usr.lib.ipsec.charon      2015-11-06 16:27:22.068674462 
+0000
+++ /tmp/tmpvcipywp2     2015-11-06 16:46:16.552658984 +0000
@@ -27,6 +27,8 @@
 #  network all,
   network raw,

+  network packet dgram,
+
   /bin/dash mrPUx,
   /etc/ipsec.*.secrets r,
   /etc/ipsec.conf r,
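
Review bot: the added `network packet dgram,` rule carries no comment saying why it is there, and it widens the charon profile for every install even though the denials in the report come only from loading the farp plugin. Please add a comment line above it naming the farp plugin's ARP packet socket as the reason, and consider whether the rule can be shipped only alongside strongswan-plugin-farp so hosts without that plugin keep the narrower profile. Separately, the `+++` header names a temporary file (/tmp/tmpvcipywp2) rather than the profile path, so the patch should be regenerated with /etc/apparmor.d/usr.lib.ipsec.charon on both sides before it is applied.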

** Affects: strongswan (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1514794

Title:
  package:strongswan-plugin-farp may need apparmor config change
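
The two denials quoted in the report differ only in their protocol field, which is why a single profile rule covers both. The following Python is an added example, not part of the original report or of any strongSwan or AppArmor tooling: it parses the syslog lines, decodes the protocol numbers, and derives the rule the profile is missing. The function names are hypothetical, and the byte-swap decoding assumes the audit record shows the raw protocol argument of socket() on a little-endian host (i386, as in the report).

```python
import re
from collections import defaultdict

# Constructed sample: the two denials from the report, one record per line.
SAMPLE_LOG = '''\
Nov  6 14:39:55 VMserver1 kernel: [15238.662619] type=1400 audit(1446820795.972:29): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=1544
Nov  6 14:39:55 VMserver1 kernel: [15238.677435] type=1400 audit(1446820795.988:30): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=8
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP"}  # only the two seen in this report


def parse_denials(log_text):
    """Yield the key=value fields of each AppArmor socket-create denial."""
    for line in log_text.splitlines():
        fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
        if (fields.get("apparmor") == "DENIED"
                and fields.get("operation") == "create"
                and "family" in fields and "sock_type" in fields):
            yield fields


def ethertype(protocol):
    """Undo htons() on the logged value (assumption: little-endian host)."""
    value = int(protocol)
    swapped = ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)
    return ETHERTYPES.get(swapped, hex(swapped))


def suggest_rules(log_text):
    """Map each profile to the deduplicated 'network' rules its denials need."""
    rules = defaultdict(set)
    for denial in parse_denials(log_text):
        rules[denial["profile"]].add(
            f'network {denial["family"]} {denial["sock_type"]},')
    return {profile: sorted(found) for profile, found in rules.items()}


if __name__ == "__main__":
    for denial in parse_denials(SAMPLE_LOG):
        print(denial["comm"], denial["family"], denial["sock_type"],
              ethertype(denial["protocol"]))
    for profile, found in suggest_rules(SAMPLE_LOG).items():
        print(profile, found)
```

Run against a real /var/log/syslog, the same functions list every profile with socket-create denials, which makes it easy to confirm that a profile change addresses exactly the denials observed and nothing broader.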
