Fwd: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change
Steven Bishop
sib.ubuntu-replies at fabric8n.com
Mon Feb 29 10:58:59 UTC 2016
Hi there,
Sending again as message didn't show up in the thread.
-------- Forwarded Message --------
Subject: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change
Date: Thu, 28 Jan 2016 20:26:48 +0000
From: Steven Bishop <xxxxxxxxx at xxxxxx>
To: Bug 1514794 <1514794 at bugs.launchpad.net>
Hi Simon,
Thanks for your email.
Had a quick look back at the details.
I've attached the complete copy of "/etc/apparmor.d/usr.lib.ipsec.charon"
that I've got installed and running (post-the-patch).
The excerpt I took from "/var/log/syslog" at the time of the bug-report
showed that apparmor was blocking the dgram packets that the strongswan farp plugin
was trying to generate when I had a Road-Warrior client connected to the VPN
and pinging a LAN-side client.
Until I put in the patch to "/etc/apparmor.d/usr.lib.ipsec.charon" of :
network packet dgram,
the ping wasn't getting any reply as apparmor was preventing the farp plugin
from generating the correct traffic for the ping to travel back from the LAN-side client
and across the VPN boundary.
Doing a quick :
$ dpkg -S /etc/apparmor.d/usr.lib.ipsec.charon
returns :
strongswan-ike: /etc/apparmor.d/usr.lib.ipsec.charon
Looking in /var/log/auth.log, I can see that I installed :
$ sudo apt-get install strongswan-ikev2
On Oct-17-2015 @ 17:30pm (BST = GMT + 1hr)
Looking at the current Trusty repo, the date on their copy is from 15-Nov-2015
so that working copy is actually newer than my bug-report.
I've pulled down a copy of that particular .deb and looked at
its copy of /etc/apparmor.d/usr.lib.ipsec.charon.
Looking at the version I've got installed I can see some notable style differences
in the layout of the file.
The '#include' statements are grouped all together.
I'm guessing that the package that I "apt-get install"ed on 17-Oct-2015
has been updated on the Trusty repo since that time.
By the way, the version currently available in the current Trusty repo
has the 2 lines:
line-24:
network,
line-25:
network raw,
If I'm reading this correctly, wouldn't line-24 mean that all network traffic is allowed,
making line-25 unnecessary?
[ ref :
http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Network_rules
]
As long as the current version of the Strongswan package with farp-plugin installed
will permit a road-warrior client connected to the VPN to 'ping' a LAN-side client
then I would be 100% happy.
Kind Regards,
Steven
On 24/01/2016 23:12, Simon Déziel wrote:
> @Steven, is this still an issue? The diff you showed includes "# network
> all," but this is not in the released version of charon's profile. Maybe
> you had a locally modified profile when you ran into the issue?
>
> Since the charon's profile in Trusty allows all networking, I don't
> think that adding "network packet dgram," makes sense. Would you mind
> confirming if the problem happened with the stock profile or not?
>
> ** Changed in: strongswan (Ubuntu)
> Status: New => Incomplete
>
** Attachment added: "usr.lib.ipsec.charon - my-patched-copy"
https://bugs.launchpad.net/bugs/1514794/+attachment/4584242/+files/usr.lib.ipsec.charon%20-%20my-patched-copy
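Added example, not code from the bug report or the strongswan package: it parses AppArmor DENIED syslog lines of the kind the report describes, derives the narrowest `network <family> <type>,` rule for each denial, and then checks whether an existing profile rule such as `network,` already covers it (the point Simon raises about the stock Trusty profile). The log lines are constructed; only the charon profile path and the rule text come from the thread.

```python
import re

# Constructed sample syslog lines in AppArmor's audit format; they stand in for
# the excerpt from the original report, which is not reproduced on this page.
SAMPLE_SYSLOG = """\
Nov 10 11:02:13 vpn kernel: audit: type=1400 audit(1447153333.123:61): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=2345 comm="charon" family="packet" sock_type="dgram" protocol=768 requested_mask="create" denied_mask="create"
Nov 10 11:02:14 vpn kernel: audit: type=1400 audit(1447153334.456:62): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/ipsec/charon" pid=2345 comm="charon" family="packet" sock_type="dgram" protocol=768 requested_mask="send" denied_mask="send"
Nov 10 11:02:15 vpn kernel: audit: type=1400 audit(1447153335.789:63): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets" pid=2345 comm="charon" requested_mask="r" denied_mask="r"
Nov 10 11:02:16 vpn kernel: audit: type=1400 audit(1447153336.012:64): apparmor="DENIED" operation="create" profile="/usr/sbin/cupsd" pid=900 comm="cupsd" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SOCK_TYPES = {"stream", "dgram", "seqpacket", "rdm", "raw"}  # socket type keywords

def parse_apparmor_line(line):
    """Split one AppArmor audit line into its key=value fields (None if not AppArmor)."""
    if 'apparmor="' not in line:
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def denied_network_rules(log_text, profile):
    """Derive the narrowest 'network <family> <type>,' rule for each denied socket use."""
    rules = set()
    for line in log_text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get("apparmor") != "DENIED" or ev.get("profile") != profile:
            continue
        if "family" not in ev:
            continue  # a file or capability denial, not something a network rule fixes
        rules.add(f"network {ev['family']} {ev['sock_type']},")
    return sorted(rules)

def rule_scope(rule):
    """Return (family, type) for a network rule; None means 'any'."""
    tokens = rule.strip().rstrip(",").split()[1:]
    if len(tokens) == 2:
        return tokens[0], tokens[1]
    if len(tokens) == 1:  # a lone type keyword restricts the type, anything else the family
        return (None, tokens[0]) if tokens[0] in SOCK_TYPES else (tokens[0], None)
    return None, None

def covered_by(rule, existing_rules):
    """True if a derived rule is already implied by a broader rule in the profile."""
    fam, typ = rule_scope(rule)
    for r in existing_rules:
        efam, etyp = rule_scope(r)
        if efam in (None, fam) and etyp in (None, typ):
            return True
    return False
```

Run against a profile that already carries `network,`, the derived `network packet dgram,` is reported as covered, so a remaining ping failure would have to be looked for elsewhere than in the AppArmor network rules.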
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1514794
Title:
package:strongswan-plugin-farp may need apparmor config change