This bug was fixed in the package strongswan - 5.7.2-1ubuntu1
---
strongswan (5.7.2-1ubuntu1) eoan; urgency=medium
[ Christian Ehrhardt ]
* Merge with Debian unstable. Remaining changes:
- Clean up d/strongswan-starter.postinst: section about runlevel changes
- Clean up
FYI fix in Eoan-proposed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1826238
Title:
apparmor doesn't allow to start with a non-root user
To manage notifications about this bug go to:
** Merge proposal linked:
https://code.launchpad.net/~paelzer/ubuntu/+source/strongswan/+git/strongswan/+merge/366649
--
Those dbus rules feel like something that should go in an abstraction.
That said, neither strongswan nor strongswan-swanctl use the dynamicuser
feature of systemd so it is just noise, or at least, that's my
understanding.
--
Another bug in the profile
[mentioned](https://github.com/trailofbits/algo/pull/1405#issuecomment-487079035)
by @demyers
Apr 26 13:53:37 vpn5 kernel: audit: type=1107 audit(1556286817.984:33): pid=766
uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED"
operation="dbus_method_call"
FYI - I started the merge as I have realized I'd want to do that -before-
resubmission of our Delta to Debian for bug 927961.
Therefore this should soon be in Eoan unless the merge turns out to be more
complex than usual.
--
Thanks Simon,
as discussed this will be added (or if accepted by then picked up) at the
strongswan merge for Eoan. But that has a few things it has to wait on first so
this will take a while.
Fortunately you added the great apparmor override help in comment #4 which
should help people affected
** Changed in: strongswan (Debian)
Status: Unknown => New
--
A better workaround until this is officially fixed might be to use the
local/ includes like this:
echo ' capability setpcap,' >> /etc/apparmor.d/local/usr.lib.ipsec.charon
echo ' capability setpcap,' >> /etc/apparmor.d/local/usr.sbin.charon-systemd
apparmor_parser -r -T -W
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: strongswan (Ubuntu)
Status: New => Confirmed
--
I just tested this in a container (Bionic host/4.15 and Disco guest) and I
can confirm the problem and the solution. Here is how to easily
reproduce (and workaround):
apt-get install -y strongswan
ipsec statusall # shows something == good sign
cat << EOF >>
** Description changed:
Hello,
I'm using 19.04 (Disco Dingo), kernel: 5.0.0-13-generic amd64
packages:
ii libcharon-standard-plugins 5.7.1-1ubuntu2
ii libstrongswan 5.7.1-1ubuntu2
ii libstrongswan-standard-plugins 5.7.1-1ubuntu2
ii strongswan
CAP_SETPCAP should be allowed in the profile