group.of.nepali.translators team mailing list archive

[Bug 1587886] Re: strongswan ipsec status issue with apparmor

 

Hi,
not sure what Neutron picked up - I'll ping someone from the Cloud Archive Team.
Does it even have its own strongswan, or just the one from the Xenial Archive, I'd guess?

For Xenial in general an SRU makes sense.

The change itself is as simple as:
https://git.launchpad.net/~paelzer/ubuntu/+source/strongswan/commit/?h=merge-zesty&id=9b3a90368229add8313f8624beee02f5840dbf0e

** Also affects: strongswan (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: strongswan (Ubuntu Xenial)
       Status: New => Triaged

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1587886

Title:
  strongswan ipsec status issue with apparmor

Status in One Hundred Papercuts:
  Triaged
Status in strongswan package in Ubuntu:
  Fix Released
Status in strongswan source package in Xenial:
  Triaged

Bug description:
  $ lsb_release -rd
  Description:	Ubuntu 16.04 LTS
  Release:	16.04

  $ apt-cache policy strongswan
  strongswan:
    Installed: 5.3.5-1ubuntu3
    Candidate: 5.3.5-1ubuntu3
    Version table:
   *** 5.3.5-1ubuntu3 500
          500 http://au.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          500 http://au.archive.ubuntu.com/ubuntu xenial/main i386 Packages
          100 /var/lib/dpkg/status


  Looks like 'ipsec status' might be causing strongswan's charon to
  write to run/systemd/journal/dev-log instead of
  /run/systemd/journal/dev-log and apparmor doesn't like it.

  Extract from /etc/apparmor.d/abstractions/base :
    /{,var/}run/systemd/journal/dev-log w,

  With an established ipsec connection, issue the following :

  $ sudo ipsec status
  connecting to 'unix:///var/run/charon.ctl' failed: Permission denied
  failed to connect to stroke socket 'unix:///var/run/charon.ctl'

  
  $ journalctl
  ...
  Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 audit(1464785297.366:491): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
  ...

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: strongswan 5.3.5-1ubuntu3
  ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
  Uname: Linux 4.4.0-22-generic x86_64
  NonfreeKernelModules: wl
  ApportVersion: 2.20.1-0ubuntu2.1
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Jun  1 23:06:53 2016
  InstallationDate: Installed on 2016-05-11 (21 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  PackageArchitecture: all
  SourcePackage: strongswan
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/hundredpapercuts/+bug/1587886/+subscriptions
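
The denial quoted in the bug description can be triaged mechanically. The following is an added example, not part of the original report or of strongSwan/AppArmor: it parses AppArmor audit records, keeps the "disconnected path" denials, and checks the logged name against the abstractions/base rule quoted above. The function names and the second log line are constructed for illustration.

```python
import re

# Rule quoted in the report from /etc/apparmor.d/abstractions/base (path part only).
BASE_RULE = "/{,var/}run/systemd/journal/dev-log"

# Sample input: line 1 is the denial quoted in the report; line 2 is a
# constructed ordinary denial added for contrast.
SAMPLE_LOG = """\
Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 audit(1464785297.366:491): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jun 01 12:16:00 host kernel: audit: type=1400 audit(1464785360.000:492): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/shadow" pid=5001 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_apparmor(line):
    """Return the key=value fields of an AppArmor audit record, or None."""
    start = line.find("apparmor=")
    if start < 0:
        return None
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD.finditer(line, start)}


def expand_braces(rule_path):
    """Expand a single {a,b} alternation; wildcards are not handled."""
    m = re.search(r"\{([^{}]*)\}", rule_path)
    if not m:
        return [rule_path]
    return [rule_path[:m.start()] + alt + rule_path[m.end():]
            for alt in m.group(1).split(",")]


def disconnected_denials(log_text, rule_path=BASE_RULE):
    """List denials caused by a disconnected path and test them against a rule."""
    allowed = expand_braces(rule_path)
    hits = []
    for line in log_text.splitlines():
        rec = parse_apparmor(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        if "disconnected path" not in rec.get("info", ""):
            continue
        name = rec.get("name", "")
        hits.append({
            "profile": rec.get("profile"),
            "name": name,
            "mask": rec.get("denied_mask"),
            # The logged name has no leading '/', so an absolute rule cannot match.
            "rule_matches_as_logged": name in allowed,
            "rule_matches_if_rooted": "/" + name.lstrip("/") in allowed,
        })
    return hits
```

Running `disconnected_denials(SAMPLE_LOG)` reports only the charon record, with the rule failing against the name as logged and matching once the leading slash is restored.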