I just tested this in a container (Bionic host/4.15 and Disco guest) and I
can confirm the problem and the solution. Here is how to easily
reproduce it (and work around it):

  apt-get install -y strongswan

  ipsec statusall # shows something == good sign

  cat << EOF >> /etc/strongswan.d/zz-charon-low-priv.conf
charon {
  # Name of the user the daemon changes to after startup.
  user = strongswan
  group = nogroup
}
EOF

  service strongswan restart

  ipsec statusall  # shows nothing == bad sign


  # Tweak apparmor profile like this:

  $ diff -Naur /etc/apparmor.d/usr.lib.ipsec.charon{.orig,}
--- /etc/apparmor.d/usr.lib.ipsec.charon.orig   2019-04-25 11:21:44.939184443 
+0000
+++ /etc/apparmor.d/usr.lib.ipsec.charon        2019-04-25 11:21:49.643131415 
+0000
@@ -29,6 +29,7 @@
   capability chown,
   capability setgid,
   capability setuid,
+  capability setpcap,
 
   # libcharon-extra-plugins: xauth-pam
   capability audit_write,
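Review bot: the new `capability setpcap,` rule carries no comment saying why it is needed, while the neighbouring entry does (`# libcharon-extra-plugins: xauth-pam` above `capability audit_write,`); add a line above it such as `# needed for charon to drop privileges when charon.user/charon.group are set` so the rule is not pruned later as unused. Minor: the existing rules are kept in alphabetical order (`chown`, `setgid`, `setuid`), so `setpcap` belongs between `setgid` and `setuid` rather than after `setuid`.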

  apparmor_parser -r -T -W /etc/apparmor.d/usr.lib.ipsec.charon

  service strongswan restart

  ipsec statusall # shows something == good sign


Thanks, Jack, for digging this down to the missing capability! If I have time,
I'll try and propose a debdiff or a merge request if nobody beats me to it ;)

-- 
https://bugs.launchpad.net/bugs/1826238

Title:
  apparmor doesn't allow to start with a non-root user

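The diagnosis the thread credits Jack with (finding which capability AppArmor is denying charon once it switches to a non-root user) can be scripted. The following is an added example, not code from the bug report, from strongSwan or from the Ubuntu package: it reads the kernel's AppArmor `DENIED`/`operation="capable"` audit lines for one profile, compares them with the `capability X,` rules the profile already grants, and prints the rules to add. The profile excerpt, log lines, pids and timestamps are constructed for the example; on a real host you would point it at /etc/apparmor.d/usr.lib.ipsec.charon and at `journalctl -k` or /var/log/kern.log (or audit.log when auditd is running).

```shell
#!/bin/sh
# Added example, not code from the bug report or from strongSwan/Ubuntu.
# Turn the kernel's AppArmor DENIED operation="capable" audit lines for one
# profile into the `capability X,` rules that profile is missing.
# The profile excerpt and log lines below are constructed for this example.
set -e

# Capabilities a profile already grants: `capability NAME,` rules.
granted_caps() {            # $1 = profile file
    sed -n 's/^[[:space:]]*capability[[:space:]]*\([a-z_][a-z_]*\)[[:space:]]*,.*/\1/p' "$1" | sort -u
}

# Capabilities the kernel denied to the given profile. Only DENIED lines count:
# ALLOWED lines (complain mode) and other profiles' denials are ignored.
denied_caps() {             # $1 = log file, $2 = profile name as logged
    grep 'apparmor="DENIED"' "$1" | grep 'operation="capable"' \
      | grep "profile=\"$2\"" \
      | sed -n 's/.*capname="\([a-z_][a-z_]*\)".*/\1/p' | sort -u
}

# Denied capabilities not yet granted, printed as profile rules. Denials the
# profile already covers (stale lines logged before an earlier reload) are dropped.
missing_caps() {            # $1 = profile file, $2 = log file, $3 = profile name
    granted=$(granted_caps "$1")
    denied_caps "$2" "$3" | while read -r cap; do
        printf '%s\n' "$granted" | grep -qx "$cap" || printf 'capability %s,\n' "$cap"
    done
}

# Constructed sample data: a profile excerpt shaped like the Ubuntu one and
# five audit lines with hypothetical timestamps and pids.
write_samples() {           # $1 = directory
    cat > "$1/usr.lib.ipsec.charon" <<'EOF'
/usr/lib/ipsec/charon {
  capability chown,
  capability setgid,
  capability setuid,

  # libcharon-extra-plugins: xauth-pam
  capability audit_write,
}
EOF
    cat > "$1/kern.log" <<'EOF'
audit: type=1400 audit(1556190109.643:201): apparmor="DENIED" operation="capable" profile="/usr/lib/ipsec/charon" pid=4321 comm="charon" capability=8  capname="setpcap"
audit: type=1400 audit(1556190109.643:202): apparmor="DENIED" operation="capable" profile="/usr/lib/ipsec/charon" pid=4321 comm="charon" capability=0  capname="chown"
audit: type=1400 audit(1556190109.650:203): apparmor="ALLOWED" operation="capable" profile="/usr/lib/ipsec/charon" pid=4321 comm="charon" capability=7  capname="setuid"
audit: type=1400 audit(1556190109.650:204): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=999 comm="cupsd" capability=1  capname="dac_override"
audit: type=1400 audit(1556190110.101:205): apparmor="DENIED" operation="capable" profile="/usr/lib/ipsec/charon" pid=4322 comm="charon" capability=8  capname="setpcap"
EOF
}

# Run the comparison on the sample data and print the rules to add.
# Expected output: capability setpcap,
run_demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    missing_caps "$dir/usr.lib.ipsec.charon" "$dir/kern.log" /usr/lib/ipsec/charon
    rm -rf "$dir"
}

run_demo
```

The printed rules go into the profile, followed by the same `apparmor_parser -r -T -W` reload and `service strongswan restart` as in the procedure above. The duplicate `setpcap` denial and the `chown` denial in the sample log show why the script deduplicates and filters against the current profile: denial logs accumulate across restarts and profile reloads, so a raw grep overstates what is still missing. `aa-logprof` from apparmor-utils does the same job interactively.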