Hi Steven,

Thanks for the thorough analysis.

On 2016-02-29 05:58 AM, Steven Bishop wrote:
> Hi there,
>
> Sending again as message didn't show up in the thread.
>
> -------- Forwarded Message --------
> Subject: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change
> Date: Thu, 28 Jan 2016 20:26:48 +0000
> From: Steven Bishop <xxxxxxxxx@xxxxxx>
> To: Bug 1514794 <[email protected]>
>
> Hi Simon,
>
> Thanks for your email.
>
> Had a quick look back at the details.
>
> I've attached the complete copy of "/etc/apparmor.d/usr.lib.ipsec.charon"
> that I've got installed and running (post-the-patch).
>
> The excerpt I took from "/var/log/syslog" at the time of the bug-report
> showed that apparmor was blocking the dgram packets that the strongswan farp plugin
> was trying to generate when I had a Road-Warrior client connected to the VPN
> and pinging a LAN-side client.
>
> Until I put in the patch to "/etc/apparmor.d/usr.lib.ipsec.charon" of :
>
>   network packet dgram,
>
> the ping wasn't getting any reply as apparmor was preventing the farp plugin
> from generating the correct traffic for the ping to travel back from the
> LAN-side client and across the VPN boundary.
>
> Doing a quick :
>
>   $ dpkg -S /etc/apparmor.d/usr.lib.ipsec.charon
>
> returns :
>
>   strongswan-ike: /etc/apparmor.d/usr.lib.ipsec.charon
>
> Looking in /var/log/auth.log, I can see that I installed :
>
>   $ sudo apt-get install strongswan-ikev2
>
> On Oct-17-2015 @ 17:30pm (BST = GMT + 1hr)
>
> Looking at the current Trusty repo, the date on their copy is from 15-Nov-2015
> so that working copy is actually newer than my bug-report.
>
> I've pulled down a copy of that particular .deb and looked at
> its copy of /etc/apparmor.d/usr.lib.ipsec.charon.
>
> Looking at the version I've got installed I can see some notable style differences
> in the layout of the file.
> The ordering of the '#include' statements are grouped all together.
>
> I'm guessing that the package that I "apt-get install"ed on 17-Oct-2015
> has been updated on the Trusty repo since that time.
>
> By the way, the version currently available in the current Trusty repo
> has the 2 lines:
>
> line-24:
>   network,
> line-25:
>   network raw,
>
> If I'm reading this correctly, wouldn't line-24 mean that all network traffic
> is allowed, and make line-25 unnecessary?

That is also my understanding of those 2 rules. Even if the more specific one is IMHO not necessary, it is causing no harm either.

> As long as the current version of the Strongswan package with farp-plugin installed
> will permit a road-warrior client connected to the VPN to 'ping' a LAN-side client
> then I would be 100% happy.

Now that you are using the up-to-date profile from Trusty's repo, do you still get AppArmor denials? And is the plugin working as it should?

Regards,
Simon

-- 
https://bugs.launchpad.net/bugs/1514794

Title:
  package:strongswan-plugin-farp may need apparmor config change
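
The rule semantics discussed in this thread, as an added example that is not part of the original e-mails or of the strongSwan package: a simplified checker for AppArmor `network` rules showing why `network packet dgram,` unblocks the farp plugin and why a bare `network,` makes `network raw,` redundant. The profile excerpts and all function names are constructed assumptions, and the model ignores the protocol field and rule qualifiers other than `deny`.

```python
import re

# Simplified model of AppArmor "network [domain] [type]," rules; protocol is ignored.
DOMAINS = {"inet", "inet6", "unix", "netlink", "packet"}
TYPES = {"stream", "dgram", "seqpacket", "raw", "rdm"}
RULE = re.compile(r"^\s*(deny\s+)?network\b([^,#]*),")

# Constructed excerpts (assumptions), not the packaged profile's real contents.
RESTRICTIVE = "  network inet dgram,\n  network raw,\n"
PATCHED = RESTRICTIVE + "  network packet dgram,\n"  # the fix quoted in the thread
TRUSTY_STYLE = "  network,\n  network raw,\n"        # the two rules quoted in the thread

def parse_network_rules(profile_text):
    """Return (is_deny, domain, sock_type) tuples; None acts as a wildcard."""
    rules = []
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        tokens = m.group(2).split()
        domain = tokens.pop(0) if tokens and tokens[0] in DOMAINS else None
        sock_type = tokens.pop(0) if tokens and tokens[0] in TYPES else None
        rules.append((bool(m.group(1)), domain, sock_type))
    return rules

def covers(rule, domain, sock_type):
    """True if the rule's domain/type fields match (or wildcard) the request."""
    _, r_dom, r_type = rule
    return r_dom in (None, domain) and r_type in (None, sock_type)

def is_allowed(profile_text, domain, sock_type):
    rules = parse_network_rules(profile_text)
    if any(r[0] and covers(r, domain, sock_type) for r in rules):
        return False  # deny rules take precedence over allow rules
    return any(not r[0] and covers(r, domain, sock_type) for r in rules)

def redundant_rules(profile_text):
    """Allow rules already covered by another, broader allow rule."""
    allows = [r for r in parse_network_rules(profile_text) if not r[0]]
    return [r for r in allows
            if any(o != r and covers(o, r[1], r[2]) for o in allows)]

if __name__ == "__main__":
    for name, text in (("restrictive", RESTRICTIVE), ("patched", PATCHED),
                       ("trusty-style", TRUSTY_STYLE)):
        print(name, is_allowed(text, "packet", "dgram"), redundant_rules(text))
```

The broad `network,` rule is the trade-off the thread touches on: it removes the denial but also permits every other socket family and type for the confined process.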
