We only fixed this "by source" as Josh found in comment #1, but I really
wanted to see what is going on. So I worked a bit on a repro (which I'd
need for an SRU anyway), which is:

0. On a virtual guest or so.
1. Install strongswan (which pulls in libcharon-extra-plugins).
Then edit /etc/strongswan.d/charon/ha.conf to something like:
ha {
    load = yes
    local = 192.168.122.248
    monitor = yes
    remote = 192.168.122.94
    resync = yes
    segment_count = 2
}
with your IP and a peer IP (both KVM guests for me). Then:

sudo iptables -I INPUT -i ens3 -d 10.10.10.10 -j CLUSTERIP --new
--hashmode sourceip --clustermac 01:00:5E:00:00:20 --total-nodes 2
--local-node 1

As initially reported, the deny is on a subtree to the PID now:
AVC apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/11063/net/ipt_CLUSTERIP/" pid=11063 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[LIB] opening directory '/proc/net/ipt_CLUSTERIP' failed: Permission denied

So some weird path remapping takes place and we need the PID path as
well (as suggested).

Tested and working. While fixing that I'll also spawn a bug to re-sync
both charon profiles (two ways to start it).

Setting this bug to open again.

** Changed in: strongswan (Ubuntu)
       Status: Fix Released => Triaged

** Changed in: strongswan (Ubuntu Bionic)
       Status: Confirmed => Triaged

** Changed in: strongswan (Ubuntu Cosmic)
       Status: Confirmed => Triaged

https://bugs.launchpad.net/bugs/1773956

Title:
  [apparmor] missing entry for CLUSTERIP (used by strongswan HA plugin)
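As an added example (not part of this bug report or of strongswan's own AppArmor profiles), a small Python helper that parses AVC denial lines like the one quoted above and derives the generalised profile rule. It also shows where the "weird path remapping" comes from: /proc/net is a symlink to /proc/self/net, so charon's open of /proc/net/ipt_CLUSTERIP is resolved by the kernel to /proc/<pid>/net/ipt_CLUSTERIP, which is the path AppArmor reports. The log lines are embedded from this report; the function names are my own.

```python
import re

# Log lines embedded from the report above (constructed sample input).
SAMPLE_LOG = [
    'AVC apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" '
    'name="/proc/11063/net/ipt_CLUSTERIP/" pid=11063 comm="charon" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    "[LIB] opening directory '/proc/net/ipt_CLUSTERIP' failed: Permission denied",
]

# AppArmor audit records are key="value" or key=value pairs.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the fields of an AppArmor DENIED record, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in _FIELD_RE.findall(line)}


def resolve_proc_net(path, pid):
    """Mimic the kernel's view: /proc/net and /proc/self are per-process links."""
    for prefix in ("/proc/net/", "/proc/self/net/"):
        if path.startswith(prefix):
            return f"/proc/{pid}/net/" + path[len(prefix):]
    return path


def suggest_rule(fields):
    """Turn one parsed denial into a candidate AppArmor file rule.

    The literal PID component is generalised to @{pid} so the rule matches
    whichever PID charon runs under; /proc becomes the @{PROC} variable.
    Note: a rule on the directory alone does not grant reads of the files
    inside it; those need a separate rule on the directory's contents.
    """
    name, pid, mask = fields.get("name"), fields.get("pid"), fields.get("denied_mask")
    if not (name and mask):
        return None
    if pid and name.startswith(f"/proc/{pid}/"):
        name = "@{PROC}/@{pid}/" + name[len(f"/proc/{pid}/"):]
    elif name.startswith("/proc/"):
        name = "@{PROC}/" + name[len("/proc/"):]
    return f"{name} {mask},"


def suggested_rules(lines):
    """Map each DENIED record to (profile, rule); non-AVC lines are skipped."""
    out = []
    for line in lines:
        fields = parse_avc(line)
        if fields:
            out.append((fields.get("profile"), suggest_rule(fields)))
    return out


if __name__ == "__main__":
    for profile, rule in suggested_rules(SAMPLE_LOG):
        print(f"{profile}: {rule}")
```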
