Hi there,
Sending again as the message didn't show up in the thread.

-------- Forwarded Message --------
Subject: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change
Date: Thu, 28 Jan 2016 20:26:48 +0000
From: Steven Bishop <xxxxxxxxx@xxxxxx>
To: Bug 1514794 <1514...@bugs.launchpad.net>

Hi Simon,

Thanks for your email. Had a quick look back at the details.

I've attached the complete copy of "/etc/apparmor.d/usr.lib.ipsec.charon" that I've got installed and running (post-the-patch).

The excerpt I took from "/var/log/syslog" at the time of the bug report showed that apparmor was blocking the dgram packets that the strongswan farp plugin was trying to generate when I had a Road-Warrior client connected to the VPN and pinging a LAN-side client. Until I put the patch into "/etc/apparmor.d/usr.lib.ipsec.charon" of:

    network packet dgram,

the ping wasn't getting any reply, as apparmor was preventing the farp plugin from generating the correct traffic for the ping to travel back from the LAN-side client and across the VPN boundary.

Doing a quick:

    $ dpkg -S /etc/apparmor.d/usr.lib.ipsec.charon

returns:

    strongswan-ike: /etc/apparmor.d/usr.lib.ipsec.charon

Looking in /var/log/auth.log, I can see that I installed:

    $ sudo apt-get install strongswan-ikev2

on Oct-17-2015 @ 17:30pm (BST = GMT + 1hr).

Looking at the current Trusty repo, the date on their copy is from 15-Nov-2015, so that working copy is actually newer than my bug report. I've pulled down a copy of that particular .deb and looked at its copy of /etc/apparmor.d/usr.lib.ipsec.charon. Looking at the version I've got installed I can see some notable style differences in the layout of the file. The '#include' statements are all grouped together. I'm guessing that the package that I "apt-get install"ed on 17-Oct-2015 has been updated on the Trusty repo since that time.
By the way, the version currently available in the current Trusty repo has the 2 lines:

    line-24: network,
    line-25: network raw,

If I'm reading this correctly, wouldn't line-24 mean that all network traffic is allowed, making line-25 unnecessary? [ref: http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Network_rules]

As long as the current version of the Strongswan package with farp-plugin installed will permit a road-warrior client connected to the VPN to 'ping' a LAN-side client then I would be 100% happy.

Kind Regards,
Steven

On 24/01/2016 23:12, Simon Déziel wrote:
> @Steven, is this still an issue? The diff you showed includes "# network
> all," but this is not in the released version of charon's profile. Maybe
> you had a locally modified profile when you ran into the issue?
>
> Since the charon's profile in Trusty allows all networking, I don't
> think that adding "network packet dgram," makes sense. Would you mind
> confirming if the problem happened with the stock profile or not?
>
> ** Changed in: strongswan (Ubuntu)
> Status: New => Incomplete

** Attachment added: "usr.lib.ipsec.charon - my-patched-copy"
   https://bugs.launchpad.net/bugs/1514794/+attachment/4584242/+files/usr.lib.ipsec.charon%20-%20my-patched-copy

https://bugs.launchpad.net/bugs/1514794
Title: package:strongswan-plugin-farp may need apparmor config change
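To make the question about line-24 checkable, here is an added example (not from the bug thread, the strongswan package or AppArmor itself) that pulls the `network` rules out of an AppArmor profile and reports which ones a broader rule already covers. The profile text is a constructed excerpt modelled on the thread's description, not the real charon profile, and the domain/type sets are a subset of AppArmor's grammar.

```python
import re

# Constructed profile excerpt based on the thread (lines 24/25 plus the rule
# from the bug report); NOT the real /etc/apparmor.d/usr.lib.ipsec.charon.
PROFILE = """\
#include <tunables/global>
/usr/lib/ipsec/charon {
  #include <abstractions/base>
  capability net_admin,
  network,                 # line-24 in the thread: any domain, any type
  network raw,             # line-25
  network packet dgram,    # the rule added in the bug report
  /etc/ipsec.conf r,
}
"""

# Subset of socket domains and types from the AppArmor network rule grammar.
DOMAINS = {"inet", "inet6", "packet", "netlink", "unix", "bluetooth"}
TYPES = {"stream", "dgram", "seqpacket", "rdm", "raw", "packet"}
NETWORK_RULE = re.compile(r"^\s*network\b([^,]*),")

def parse_network_rule(line):
    """Return (domain, type) for a 'network ...,' line; None means any."""
    line = line.split("#", 1)[0]  # drop comments; '#include' lines become empty
    m = NETWORK_RULE.match(line)
    if not m:
        return None
    domain = sock_type = None
    for tok in m.group(1).split():
        if tok in DOMAINS:
            domain = tok
        elif tok in TYPES:
            sock_type = tok
        else:
            raise ValueError(f"unknown network rule token {tok!r}")
    return (domain, sock_type)

def network_rules(profile_text):
    return [r for r in map(parse_network_rule, profile_text.splitlines()) if r]

def subsumes(a, b):
    """True if rule a permits everything rule b permits (and a != b)."""
    return a != b and a[0] in (None, b[0]) and a[1] in (None, b[1])

def fmt(rule):
    return "network" + "".join(" " + t for t in rule if t) + ","

def redundant_rules(profile_text):
    """Map each redundant network rule to a broader rule that already covers it."""
    rules = network_rules(profile_text)
    return {fmt(b): fmt(a) for b in rules for a in rules if subsumes(a, b)}
```

Running `redundant_rules(PROFILE)` reports both `network raw,` and `network packet dgram,` as covered by the bare `network,` rule, which is exactly why the added rule makes no difference against the stock Trusty profile.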