This bug was fixed in the package strongswan - 5.6.2-1ubuntu2.4
---
strongswan (5.6.2-1ubuntu2.4) bionic; urgency=medium
* fix stroke and lookip execution in containers (LP: #1780534). Binaries
need to be able to read map and execute themselves
- d/usr.lib.ipsec.lookip: add
This bug was fixed in the package strongswan - 5.6.3-1ubuntu4.1
---
strongswan (5.6.3-1ubuntu4.1) cosmic; urgency=medium
* fix stroke and lookip execution in containers (LP: #1780534). Binaries
need to be able to read map and execute themselves
- d/usr.lib.ipsec.lookip: add
Works for me as it did off of the PPAs before.
Setting both to verified.
** Tags removed: verification-needed verification-needed-bionic
verification-needed-cosmic
** Tags added: verification-done verification-done-bionic
verification-done-cosmic
--
You received this bug notification because y
Hello Jean-Daniel, or anyone else affected,
Accepted strongswan into bionic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/strongswan/5.6.2-1ubuntu2.4 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package.
Hello Jean-Daniel, or anyone else affected,
Accepted strongswan into cosmic-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/strongswan/5.6.3-1ubuntu4.1 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package.
This bug was fixed in the package strongswan - 5.7.1-1ubuntu2
---
strongswan (5.7.1-1ubuntu2) disco; urgency=medium
* d/usr.sbin.charon-systemd: fix rule for CLUSTERIP to match effective
path (LP: #1773956)
* d/usr.lib.ipsec.charon, d/usr.sbin.charon-systemd: resync apparmor
** Merge proposal linked:
https://code.launchpad.net/~paelzer/ubuntu/+source/strongswan/+git/strongswan/+merge/360801
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1773956
Title:
[apparmor] miss
** Merge proposal linked:
https://code.launchpad.net/~paelzer/ubuntu/+source/strongswan/+git/strongswan/+merge/360800
--
** Description changed:
[Impact]
* when using the ha plugin an apparmor Deny is triggered
* Fix by allowing charon to access CLUSTERIP
[Test Case]
* get a VM to test this as it might mess up your networking
- * install strongswan (which pulls in libcharon-extra-plugins)
** Description changed:
[Impact]
- * when using the ha plugin an apparmor Deny is triggered
+ * when using the ha plugin an apparmor Deny is triggered
- * Fix by allowing charon to access CLUSTERIP
+ * Fix by allowing charon to access CLUSTERIP
[Test Case]
- * get a VM to tes
** Description changed:
- When using the HA plugin, charon-systemd try to read
- '@{PROC}/@{pid}/net/ipt_CLUSTERIP/' and to write in files into
- '@{PROC}/@{pid}/net/ipt_CLUSTERIP/'
+ [Impact]
+
+ * when using the ha plugin an apparmor Deny is triggered
+
+ * Fix by allowing charon to access C
** Merge proposal linked:
https://code.launchpad.net/~paelzer/ubuntu/+source/strongswan/+git/strongswan/+merge/360447
--
** Changed in: strongswan (Ubuntu)
Status: Triaged => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1773956
Title:
[apparmor] missing entry for CLUSTERIP (used by strongswan HA pl
We only fixed this "by source" as Josh found in comment #1, but I really
wanted to see what is going on. So I worked a bit on a repro (which I'd
need for an SRU anyway), which is:
0. on a virtual Guest or so
1. Install strongswan (which pulls in libcharon-extra-plugins).
Then edit /etc/strongswan.
This bug was fixed in the package strongswan - 5.7.1-1ubuntu1
---
strongswan (5.7.1-1ubuntu1) disco; urgency=medium
* Merge with Debian unstable (LP: #1806401). Remaining changes:
- Clean up d/strongswan-starter.postinst: section about runlevel changes
- Clean up d/strongswa
** Changed in: strongswan (Ubuntu Cosmic)
Status: Incomplete => Confirmed
** Changed in: strongswan (Ubuntu Bionic)
Status: Incomplete => Confirmed
--
** Changed in: strongswan (Ubuntu)
Status: Triaged => In Progress
** Changed in: strongswan (Ubuntu)
Assignee: (unassigned) => Christian Ehrhardt (paelzer)
--
** Merge proposal linked:
https://code.launchpad.net/~paelzer/ubuntu/+source/strongswan/+git/strongswan/+merge/360004
--
Verified the paths in a KVM guest with ipt_CLUSTERIP loaded, using these
paths for the rule that I add.
--
Since the define in the code is without PID
#define CLUSTERIP_DIR "/proc/net/ipt_CLUSTERIP"
Due to that shouldn't the rule be more like:
@{PROC}/net/ipt_CLUSTERIP/ r,
@{PROC}/net/ipt_CLUSTERIP/* rw,
To be added to the file debian/usr.sbin.charon-systemd
--
** Also affects: strongswan (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Also affects: strongswan (Ubuntu Bionic)
Importance: Undecided
Status: New
** Changed in: strongswan (Ubuntu Bionic)
Status: New => Incomplete
** Changed in: strongswan (Ubuntu Cosmic)
The rule itself seems reasonable and safe to me.
At least for 19.04 I think I can integrate that on the merge of the latest
version.
For any SRU considerations we will need a better "steps to reproduce" as
they were requested before.
--
@xooloo, can you please show the actual apparmor DENIED messages from
your logs? A simple configuration setup that is enough to show them
would also be extremely helpful. I'm hoping there is no need to
establish a vpn with another node to show this issue.
--
Looks like here is the bug where apparmor support was added for charon-
system:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866327
There does not seem to be any reference to ipt_CLUSTERIP there and from
the source it appears the libcharon does appear to try to write to the
referenced dir: