[Bug 1875504] Re: apparmor="DENIED" operation="file_inherit" profile="/usr/sbin/swanctl" name="/dev/net/tun" pid=490601 comm="swanctl" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

2020-07-04 Thread Launchpad Bug Tracker
[Expired for strongswan (Ubuntu) because there has been no activity for 60 days.]

** Changed in: strongswan (Ubuntu)
Status: Incomplete => Expired

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

2020-05-05 Thread Lucas Kanashiro
Hi Philipp,

Thank you for taking the time to file a bug report. I was not able to reproduce the issue reported by you using the default configuration provided by the packages. Could you please provide your configuration files? They should live in:

- /etc/strongswan.d/
- /etc/swanctl/
-

2020-04-30 Thread Tobias Brunner
That file is not relevant for swanctl (unless it was manually included, check the main strongswan.conf file). Check the output of `swanctl --help` (lists the plugins), use strace to see when exactly that access happens.

2020-04-29 Thread Philipp Dreimann
# grep -R kernel-libipsec /etc/strongswan.* /etc/swanctl/
/etc/strongswan.d/charon/kernel-libipsec.conf:kernel-libipsec {

The whole file /etc/strongswan.d/charon/kernel-libipsec.conf:

kernel-libipsec {
    load = no
}

Anything else that I could check?

2020-04-29 Thread Tobias Brunner
There are only three components in strongSwan that open TUN devices, charon-xpc (on macOS), the kernel-pfroute plugin (also not on Linux but macOS and *BSD) and kernel-libipsec, as pointed out by Simon. However, swanctl has no business loading kernel plugins (it doesn't by default), as it is no

2020-04-28 Thread Simon Déziel
If the libipsec plugin is not loaded then I cannot explain why it would try to use /dev/net/tun so it's hard to make a case of extending the profile.

2020-04-28 Thread Philipp Dreimann
No, I'm not running kernel-libipsec. My configured ipsec connections work despite the apparmor deny action.

https://bugs.launchpad.net/bugs/1875504

2020-04-27 Thread Simon Déziel
I suspect you are using kernel-libipsec which would explain why you are running into this, right? Could you please try the following:

cat << EOF | sudo tee -a /etc/apparmor.d/local/usr.sbin.swanctl
# libcharon-extra-plugins: kernel-libipsec
/dev/net/tun rw,
EOF
sudo apparmor_parser