
Bug#1040042: strongswan-starter: apparmor config hinders creation of /run/charon.ctl


Matthias Ferdinand

Jul 1, 2023, 11:52:05 AM
Package: strongswan-starter
Version: 5.9.8-5
Severity: normal
Tags: patch

Dear Maintainer,

for the legacy ipsec.conf variant, a /run/charon.ctl unix socket is
needed. Current apparmor settings disallow creation of the socket:

2023-07-01T17:04:41.153694+02:00 smtp kernel: [ 58.777471] kauditd_printk_skb: 19 callbacks suppressed
2023-07-01T17:04:41.153718+02:00 smtp kernel: [ 58.777479] audit: type=1400 audit(1688223881.147:30): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 profile="/usr/lib/ipsec/stroke" pid=1566 comm="stroke" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none


The ipsec utility then does not work:

# ipsec statusall
opening socket 'unix:///var/run/charon.ctl' failed: Permission denied
failed to connect to stroke socket 'unix:///var/run/charon.ctl'


I added the following line to /etc/apparmor.d/local/usr.lib.ipsec.stroke:

unix (create) type=stream addr=/run/charon.ctl

which allowed it to work again.

I think this should be added to /etc/apparmor.d/usr.lib.ipsec.stroke.

Regards
Matthias


-- System Information:
Debian Release: 12.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.0-76-generic (SMP w/1 CPU thread)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages strongswan-starter depends on:
ii adduser 3.134
ii debconf [debconf-2.0] 1.5.82
ii init-system-helpers 1.65.2
ii libc6 2.36-9
ii libstrongswan 5.9.8-5
ii sysvinit-utils 3.06-4

Versions of packages strongswan-starter recommends:
ii strongswan-charon 5.9.8-5

strongswan-starter suggests no packages.

-- Configuration Files:
/etc/ipsec.conf changed [not included]
/etc/ipsec.secrets changed [not included]

-- debconf information:
strongswan/x509_common_name:
strongswan/existing_x509_certificate_filename:
strongswan/charon: true
strongswan/x509_country_code: AT
strongswan/enable-oe: false
strongswan/x509_self_signed: true
strongswan/how_to_get_x509_certificate: create
strongswan/runlevel_changes:
strongswan/x509_locality_name:
strongswan/install_x509_certificate: false
strongswan/x509_state_name:
strongswan/existing_x509_rootca_filename:
strongswan/restart: true
strongswan/x509_organizational_unit:
strongswan/x509_email_address:
strongswan/rsa_key_length: 2048
strongswan/existing_x509_key_filename:
strongswan/x509_organization_name:
apparmor-charon.patch
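As an added example (not part of this report or of the strongswan package), a small Python helper that parses AppArmor DENIED audit lines like the one above and turns a denied unix-socket operation into a candidate profile rule for review. The sample line and the /run/charon.ctl path come from the report; the function names are my own.

```python
import re
from typing import Dict, Optional

# Constructed sample: the audit line from the report, minus the syslog/kernel prefix.
SAMPLE_DENIAL = (
    'audit: type=1400 audit(1688223881.147:30): apparmor="DENIED" operation="create" '
    'info="failed type and protocol match" error=-13 profile="/usr/lib/ipsec/stroke" '
    'pid=1566 comm="stroke" family="unix" sock_type="stream" protocol=0 '
    'requested_mask="create" denied_mask="create" addr=none'
)

# AppArmor audit fields are key=value, with values either bare or double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of an apparmor="DENIED" audit line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def suggest_unix_rule(fields: Dict[str, str], addr: Optional[str] = None) -> Optional[str]:
    """Build the narrowest `unix` rule that would have allowed this denial.

    Only unix-family denials are handled. The kernel reports addr=none for a
    create() (the socket has no name until bind), so the caller may pass the
    path the program later binds, e.g. taken from its own error message.
    Profile rules end with a comma; reload with apparmor_parser -r after editing.
    """
    if fields.get("family") != "unix":
        return None
    perms = fields.get("denied_mask") or fields.get("requested_mask", "")
    rule = f'unix ({perms}) type={fields.get("sock_type", "stream")}'
    reported = fields.get("addr")
    if addr is None and reported not in (None, "none"):
        addr = reported
    if addr:
        rule += f" addr={addr}"
    return rule + ","


if __name__ == "__main__":
    f = parse_apparmor_denial(SAMPLE_DENIAL)
    print(suggest_unix_rule(f, addr="/run/charon.ctl"))
    # prints: unix (create) type=stream addr=/run/charon.ctl,
```

The generated line is a starting point for a local override such as /etc/apparmor.d/local/usr.lib.ipsec.stroke; check it against the profile before loading it, since the follow-up below shows the denial itself was kernel-specific.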

Matthias Ferdinand

Jul 1, 2023, 12:40:04 PM
Hi,

sorry, this bug is probably invalid.

With current bookworm kernel (6.1.27) the problem does not happen.

For some reason, the machine booted to an older Ubuntu kernel (5.15).
With this kernel, the workaround was required. On 6.1.27, no workaround
is needed.


Regards
Matthias Ferdinand