Public bug reported:

$ lsb_release -rd
Description:    Ubuntu 16.04 LTS
Release:        16.04

$ apt-cache policy strongswan
strongswan:
  Installed: 5.3.5-1ubuntu3
  Candidate: 5.3.5-1ubuntu3
  Version table:
 *** 5.3.5-1ubuntu3 500
        500 http://au.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        500 http://au.archive.ubuntu.com/ubuntu xenial/main i386 Packages
        100 /var/lib/dpkg/status


Looks like 'ipsec status' might be causing strongswan's charon to write
to run/systemd/journal/dev-log instead of /run/systemd/journal/dev-log
and apparmor doesn't like it.

Extract from /etc/apparmor.d/abstractions/base:
  /{,var/}run/systemd/journal/dev-log w,

With an established ipsec connection, issue the following:

$ sudo ipsec status
connecting to 'unix:///var/run/charon.ctl' failed: Permission denied
failed to connect to stroke socket 'unix:///var/run/charon.ctl'


$ journalctl
...
Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 audit(1464785297.366:491): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
...

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: strongswan 5.3.5-1ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jun  1 23:06:53 2016
InstallationDate: Installed on 2016-05-11 (21 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
PackageArchitecture: all
SourcePackage: strongswan
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: strongswan (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: apport-bug strongswan xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1587886

Title:
  strongswan ipsec status issue with apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1587886/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
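
Added example, not part of the original report: a Python sketch that parses the denial record quoted above and compares its name= field with the abstractions/base rule, showing that the relative path fails to match and would match once rooted at "/". The function names are hypothetical, and the rule handling covers only `{a,b}` alternation, not full AppArmor glob syntax.

```python
import re

# Rule quoted in the report from /etc/apparmor.d/abstractions/base
RULE = "/{,var/}run/systemd/journal/dev-log w,"

# Denial record from the report, re-joined onto one line (syslog prefix dropped)
SAMPLE = (
    'kernel: audit: type=1400 audit(1464785297.366:491): apparmor="DENIED" '
    'operation="connect" info="Failed name lookup - disconnected path" '
    'error=-13 profile="/usr/lib/ipsec/charon" '
    'name="run/systemd/journal/dev-log" pid=4994 comm="charon" '
    'requested_mask="w" denied_mask="w" fsuid=0 ouid=0'
)

def parse_audit(line):
    """Return the key=value fields of an audit record as a dict."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}

def expand_braces(path):
    """Expand {a,b} alternations into the literal paths they stand for."""
    m = re.search(r"\{([^{}]*)\}", path)
    if not m:
        return [path]
    out = []
    for alt in m.group(1).split(","):
        out += expand_braces(path[:m.start()] + alt + path[m.end():])
    return out

def diagnose(line, rule=RULE):
    """Compare a DENIED record's name= with the paths the rule allows."""
    f = parse_audit(line)
    if f.get("apparmor") != "DENIED":
        return None
    rule_path, perms = rule.rstrip(",").rsplit(None, 1)
    allowed = expand_braces(rule_path)
    name = f["name"]
    mask_ok = set(f["requested_mask"]) <= set(perms)
    return {
        "profile": f["profile"],
        "name": name,
        "disconnected": not name.startswith("/"),
        "rule_matches": mask_ok and name in allowed,
        "matches_if_rooted": mask_ok and "/" + name.lstrip("/") in allowed,
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```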