Fwd: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change

Simon Déziel 1514794 at bugs.launchpad.net
Mon Feb 29 14:40:07 UTC 2016


Hi Steven,

Thanks for the thorough analysis.

On 2016-02-29 05:58 AM, Steven Bishop wrote:
> Hi there,
> 
> 
> Sending again as message didn't show up in the thread.
> 
> 
> -------- Forwarded Message --------
> 
> Subject: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change
> Date: Thu, 28 Jan 2016 20:26:48 +0000
> From: Steven Bishop <xxxxxxxxx at xxxxxx>
> To: Bug 1514794 <1514794 at bugs.launchpad.net>
> 
> 
> Hi Simon,
> 
> 
> Thanks for your email.
> 
> Had a quick look back at the details.
> 
> I've attached the complete copy of "/etc/apparmor.d/usr.lib.ipsec.charon"
> that I've got installed and running (post-the-patch).
> 
> The excerpt I took from "/var/log/syslog" at the time of the bug-report
> showed that apparmor was blocking the dgram packets that the strongswan farp plugin
> was trying to generate when I had a Road-Warrior client connected to the VPN
> and pinging a LAN-side client.
> 
> 
> Until I put in the patch to "/etc/apparmor.d/usr.lib.ipsec.charon" of :
> 
>     network packet dgram,
> 
> the ping wasn't getting any reply as apparmor was preventing the farp plugin
> from generating the correct traffic for the ping to travel back from the LAN-side client
> and across the VPN boundary.
> 
> 
> Doing a quick :
> 
> $ dpkg -S /etc/apparmor.d/usr.lib.ipsec.charon
> 
> returns :
> 
> strongswan-ike: /etc/apparmor.d/usr.lib.ipsec.charon
> 
> 
> Looking in /var/log/auth.log, I can see that I installed :
> 
>      $ sudo apt-get install strongswan-ikev2
> 
> On Oct-17-2015 @ 17:30pm (BST = GMT + 1hr)
> 
> 
> Looking at the current Trusty repo, the date on their copy is from 15-Nov-2015
> so that working copy is actually newer than my bug-report.
> 
> I've pulled down a copy of that particular .deb and looked at
> its copy of /etc/apparmor.d/usr.lib.ipsec.charon.
> 
> Looking at the version I've got installed I can see some notable style differences
> in the layout of the file.
> The ordering of the '#include' statements are grouped all together.
> 
> I'm guessing that the package that I "apt-get install"ed on 17-Oct-2015
> has been updated on the Trusty repo since that time.
> 
> By the way, the version currently available in the current Trusty repo
> has the 2 lines:
> 
> line-24:
>      network,
> line-25:
>      network raw,
> 
> 
> If I'm reading this correctly, wouldn't line-24 mean that all network traffic is allowed,
> and make line-25 unnecessary?

That is also my understanding of those 2 rules. Even if the more
specific one is IMHO not necessary, it is causing no harm either.

> As long as the current version of the Strongswan package with farp-plugin installed
> will permit a road-warrior client connected to the VPN to 'ping' a LAN-side client
> then I would be 100% happy.

Now that you are using the up-to-date profile from Trusty's repo, do you
still get AppArmor denials? And is the plugin working as it should?


Regards,
Simon

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1514794

Title:
  package:strongswan-plugin-farp may need apparmor config change

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1514794/+subscriptions
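
Added example, not part of the original messages or of the strongSwan package: a small checker that reads AppArmor socket denials from a log and reports which `network` rule a profile would still need, run against the three rule sets mentioned in the thread. The log line and the profile fragments are constructed, and the rule matching is a simplification (family and socket type only).

```python
import re

# Socket types recognised in a one-word rule; any other word is read as an
# address family. Protocol forms such as "network inet tcp," are not handled.
SOCK_TYPES = {"stream", "dgram", "seqpacket", "rdm", "raw"}

DENIAL_RE = re.compile(
    r'apparmor="DENIED".*?profile="([^"]+)".*?family="([^"]+)"\s+sock_type="([^"]+)"')

def parse_network_rules(profile_text):
    """Return (family, sock_type) pairs from 'network' rules; None means any."""
    rules = []
    for line in profile_text.splitlines():
        m = re.fullmatch(r"network\b\s*([^,]*),", line.split("#", 1)[0].strip())
        if not m:
            continue
        words = m.group(1).split()
        if not words:
            rules.append((None, None))            # bare "network," allows everything
        elif len(words) == 1 and words[0] in SOCK_TYPES:
            rules.append((None, words[0]))        # e.g. "network raw,"
        else:
            rules.append((words[0], words[1] if len(words) > 1 else None))
    return rules

def missing_rules(log_text, profile_text):
    """Rules needed for denied sockets that the profile text does not cover."""
    rules = parse_network_rules(profile_text)
    needed = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        _, family, sock_type = m.groups()
        covered = any(f in (None, family) and t in (None, sock_type) for f, t in rules)
        rule = f"network {family} {sock_type},"
        if not covered and rule not in needed:
            needed.append(rule)
    return needed

# Constructed syslog line in the kernel audit format (not the reporter's log).
SAMPLE_LOG = ('kernel: audit: type=1400 audit(1445100000.000:42): apparmor="DENIED" '
              'operation="create" profile="/usr/lib/ipsec/charon" pid=1234 comm="charon" '
              'family="packet" sock_type="dgram" protocol=1544 '
              'requested_mask="create" denied_mask="create"')

if __name__ == "__main__":
    for fragment in ("network raw,", "network,\nnetwork raw,", "network packet dgram,"):
        print(repr(fragment), "->", missing_rules(SAMPLE_LOG, fragment))
```

The bare `network,` rule covers the denied socket on its own, which is why the narrower `network packet dgram,` is the least-privilege choice when only the farp plugin's traffic needs allowing.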


