group.of.nepali.translators team mailing list archive
Message #11027
[Bug 1587886] Re: strongswan ipsec status issue with apparmor
Thanks, setting verification done.
** Tags removed: verification-needed
** Tags added: verification-done
** Also affects: strongswan (Ubuntu Yakkety)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1587886
Title:
strongswan ipsec status issue with apparmor
Status in One Hundred Papercuts:
Triaged
Status in strongswan package in Ubuntu:
Fix Released
Status in strongswan source package in Xenial:
Fix Committed
Status in strongswan source package in Yakkety:
New
Bug description:
[Impact]
* Certain strongswan based vpn setups fail, especially those based on
network-manager-l2tp or neutron-vpn-netns-wrapper
* The fix is opening up the apparmor profile slightly for charon and
stroke where paths are disconnected
[Test Case]
* valid VPN setup with network-manager-l2tp, then running "sudo ipsec
status"
or
* valid neutron-vpn setup and then
# mkdir /tmp/test
# ip netns add testns
# ip netns exec testns neutron-vpn-netns-wrapper --mount_paths "/var/run:/tmp/test" --cmd "ipsec,status"
In both cases the command fails as it can't reach charon log.
[Regression Potential]
* Since the profile for strongswan is opened up a bit (and not more
restricted) the regression potential for strongswan should be minimal.
* Yet OTOH due to the change there is a slightly higher security risk
now. That said the case seems to be exactly what the feature was
designed for [1] and there are several other packages holding a similar
flag.
[1]:
http://wiki.apparmor.net/index.php/ReleaseNotes_2_5#path_name_lookup_and_mediation_of
[Other Info]
* The "valid VPN setup" part of both test cases would need some more
input from the reporters if possible - to ease testing (see comments
#5+#6 and #28+#29 for the current status on tests).
* Unless this is done we have to rely more than usual on the reporters to
verify this.
$ lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04
$ apt-cache policy strongswan
strongswan:
  Installed: 5.3.5-1ubuntu3
  Candidate: 5.3.5-1ubuntu3
  Version table:
 *** 5.3.5-1ubuntu3 500
        500 http://au.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        500 http://au.archive.ubuntu.com/ubuntu xenial/main i386 Packages
        100 /var/lib/dpkg/status
Looks like 'ipsec status' might be causing strongswan's charon to
write to run/systemd/journal/dev-log instead of
/run/systemd/journal/dev-log and apparmor doesn't like it.
Extract from /etc/apparmor.d/abstractions/base :
/{,var/}run/systemd/journal/dev-log w,
With an established ipsec connection, issue the following :
$ sudo ipsec status
connecting to 'unix:///var/run/charon.ctl' failed: Permission denied
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
$ journalctl
...
Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 audit(1464785297.366:491): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
...
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: strongswan 5.3.5-1ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-22.40-generic 4.4.8
Uname: Linux 4.4.0-22-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jun 1 23:06:53 2016
InstallationDate: Installed on 2016-05-11 (21 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
PackageArchitecture: all
SourcePackage: strongswan
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/hundredpapercuts/+bug/1587886/+subscriptions
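
The denial quoted in the bug description can be picked out of kernel audit output mechanically. The following Python is an added example, not part of the original message or of any project named in it; it groups "disconnected path" denials by AppArmor profile. The first sample line is the one from the report, the other two are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# key=value pairs of a kernel audit record; values are quoted strings or bare tokens.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
DISCONNECTED = "Failed name lookup - disconnected path"

# First entry: the denial quoted in the bug report. The others are constructed samples.
SAMPLE_LINES = [
    'Jun 01 12:15:07 ThinkCentre-M900 kernel: audit: type=1400 '
    'audit(1464785297.366:491): apparmor="DENIED" operation="connect" '
    'info="Failed name lookup - disconnected path" error=-13 '
    'profile="/usr/lib/ipsec/charon" name="run/systemd/journal/dev-log" '
    'pid=4994 comm="charon" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    # constructed: the same failure mode under the stroke profile
    'kernel: audit: type=1400 audit(0.0:1): apparmor="DENIED" operation="connect" '
    'info="Failed name lookup - disconnected path" error=-13 '
    'profile="/usr/lib/ipsec/stroke" name="run/charon.ctl" pid=1 comm="stroke" '
    'requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    # constructed: ordinary denial of a connected path, must not be reported
    'kernel: audit: type=1400 audit(0.0:2): apparmor="DENIED" operation="open" '
    'profile="/usr/lib/ipsec/charon" name="/etc/example.conf" pid=1 comm="charon" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

def parse_apparmor_record(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {key: quoted if raw.startswith('"') else raw
            for key, raw, quoted in FIELD.findall(line)}

def disconnected_denials(lines):
    """Map each profile to its sorted (operation, name, requested_mask) denials."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_apparmor_record(line)
        if not rec or rec.get("apparmor") != "DENIED":
            continue
        # As in the report, the name of a disconnected path lacks its leading "/".
        if rec.get("info") != DISCONNECTED:
            continue
        hits[rec.get("profile", "?")].add(
            (rec.get("operation", ""), rec.get("name", ""), rec.get("requested_mask", "")))
    return {profile: sorted(found) for profile, found in hits.items()}

if __name__ == "__main__":
    for profile, found in disconnected_denials(SAMPLE_LINES).items():
        print(profile, found)
```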