I just tested this in a container (Bionic host/4.15 and Disco guest) and I can confirm the problem and the solution. Here is how to easily reproduce (and work around) it:
apt-get install -y strongswan
ipsec statusall # shows something == good sign
cat << EOF >> /etc/strongswan.d/zz-charon-low-priv.conf
charon {
    # Name of the user the daemon changes to after startup.
    user = strongswan
    group = nogroup
}
EOF
service strongswan restart
ipsec statusall # shows nothing == bad sign

# Tweak apparmor profile like this:
$ diff -Naur /etc/apparmor.d/usr.lib.ipsec.charon{.orig,}
--- /etc/apparmor.d/usr.lib.ipsec.charon.orig	2019-04-25 11:21:44.939184443 +0000
+++ /etc/apparmor.d/usr.lib.ipsec.charon	2019-04-25 11:21:49.643131415 +0000
@@ -29,6 +29,7 @@
   capability chown,
   capability setgid,
   capability setuid,
+  capability setpcap,
   # libcharon-extra-plugins: xauth-pam
   capability audit_write,

apparmor_parser -r -T -W /etc/apparmor.d/usr.lib.ipsec.charon
service strongswan restart
ipsec statusall # shows something == good sign

Thanks Jack for digging this down to the missing capability!

If I have time, I'll try and propose a debdiff or a merge request if nobody beats me to it ;)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1826238

Title:
  apparmor doesn't allow to start with a non-root user

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1826238/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
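Review bot: the added `capability setpcap,` line in the `@@ -29,6 +29,7 @@` hunk carries no comment, unlike the neighbouring `# libcharon-extra-plugins: xauth-pam` line; add a one-line comment tying it to the non-root `user =` / `group =` setting in strongswan.d, so a later profile cleanup does not drop it and silently reintroduce the start failure that `ipsec statusall` exposed. The hunk header also promises six context lines but only five are shown (`chown`, `setgid`, `setuid`, the xauth-pam comment, `audit_write`), so regenerate the hunk from the real files before turning it into a debdiff.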
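Added example (not part of the bug report, nor strongSwan or Ubuntu code): a POSIX sh check that flags the exact mismatch reproduced above, a non-root `user =` in a strongswan.d fragment while the charon AppArmor profile lacks `capability setpcap,`. The function and fixture names are my own, and the fixture files are constructed copies of the report's fragment and profile hunk, not real system files.

```shell
# check_charon_privs PROFILE CONFDIR
#   PROFILE: charon AppArmor profile, e.g. /etc/apparmor.d/usr.lib.ipsec.charon
#   CONFDIR: directory holding strongswan.d/*.conf fragments (assumption: only
#            the `user =` key matters; the `charon { }` block is not parsed strictly)
# Returns 0 when consistent, 1 when a non-root user is set but setpcap is absent.
check_charon_privs() {
    profile=$1
    confdir=$2
    # Strip comments and whitespace, keep the last `user=` value seen.
    user=$(cat "$confdir"/*.conf 2>/dev/null \
        | sed -e 's/#.*//' -e 's/[[:space:]]//g' \
        | awk -F= '/^user=/ { u = $2 } END { print u }')
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "charon keeps running as root: setpcap not needed"
        return 0
    fi
    if grep -Eq '^[[:space:]]*capability[[:space:]]+setpcap,' "$profile"; then
        echo "charon drops to '$user' and $profile grants setpcap: OK"
        return 0
    fi
    echo "charon drops to '$user' but $profile lacks 'capability setpcap,'"
    return 1
}

# make_fixture WITH_SETPCAP(yes|no): constructed test files (not real system
# files) mirroring the report's zz-charon-low-priv.conf and profile hunk.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/strongswan.d"
    printf 'charon {\n  # drop privileges after startup\n  user = strongswan\n  group = nogroup\n}\n' \
        > "$d/strongswan.d/zz-charon-low-priv.conf"
    {
        printf '  capability chown,\n  capability setgid,\n  capability setuid,\n'
        if [ "$1" = yes ]; then printf '  capability setpcap,\n'; fi
        printf '  # libcharon-extra-plugins: xauth-pam\n  capability audit_write,\n'
    } > "$d/usr.lib.ipsec.charon"
    echo "$d"
}

# Stand-alone demo: the unpatched profile is flagged, the patched one passes.
for v in no yes; do
    d=$(make_fixture "$v")
    check_charon_privs "$d/usr.lib.ipsec.charon" "$d/strongswan.d" || true
    rm -rf "$d"
done
```

Point it at the real paths (`/etc/apparmor.d/usr.lib.ipsec.charon` and `/etc/strongswan.d`) to confirm a host is not in the broken state before restarting the service.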