[Bug 1514794] [NEW] package:strongswan-plugin-farp may need apparmor config change

[Steven Bishop]

Public bug reported:

OS : Ubuntu 14.04 LTS server i386  ( with all packages obtained from Ubuntu repos )
Kernel : Linux 3.13.0-66-generic, i686

Running StrongSwan 5.1.2.

Found it was necessary to edit the apparmor profile to permit "strongswan-plugin-farp" to
be loaded at 'ipsec start'.


Reproducable 100% of time.


Following errors are reported in

"/var/log/charon.log" :

Nov  6 14:39:55 00[NET] opening ARP packet socket failed: Permission denied
Nov  6 14:39:55 00[LIB] plugin 'farp': failed to load - farp_plugin_create returned NULL

"/var/log/syslog" :

Nov  6 14:39:55 VMserver1 kernel: [15238.662619] type=1400 audit(1446820795.972:29): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=1544
Nov  6 14:39:55 VMserver1 kernel: [15238.677435] type=1400 audit(1446820795.988:30): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=8


Proposed fix
------------

--- /etc/apparmor.d/usr.lib.ipsec.charon      2015-11-06 16:27:22.068674462 +0000
+++ /tmp/tmpvcipywp2     2015-11-06 16:46:16.552658984 +0000
@@ -27,6 +27,8 @@
 #  network all,
   network raw,

+  network packet dgram,
+
   /bin/dash mrPUx,
   /etc/ipsec.*.secrets r,
   /etc/ipsec.conf r,

** Affects: strongswan (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1514794

Title:
  package:strongswan-plugin-farp may need apparmor config change

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1514794/+subscriptions