I just tested this in a container (Bionic host/4.15 and Disco guest) and I
can confirm the problem and the solution. Here is how to easily
reproduce (and work around) it:
apt-get install -y strongswan
ipsec statusall # shows something == good sign
cat << EOF >> /etc/strongswan.d/zz-charon-low-priv.conf
charon {
# Name of the user the daemon changes to after startup.
user = strongswan
group = nogroup
}
EOF
service strongswan restart
ipsec statusall # shows nothing == bad sign
# Tweak apparmor profile like this:
$ diff -Naur /etc/apparmor.d/usr.lib.ipsec.charon{.orig,}
--- /etc/apparmor.d/usr.lib.ipsec.charon.orig 2019-04-25 11:21:44.939184443
+0000
+++ /etc/apparmor.d/usr.lib.ipsec.charon 2019-04-25 11:21:49.643131415
+0000
@@ -29,6 +29,7 @@
capability chown,
capability setgid,
capability setuid,
+ capability setpcap,
# libcharon-extra-plugins: xauth-pam
capability audit_write,
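Review bot: the added "capability setpcap," line carries no explanatory comment, unlike the neighbouring "# libcharon-extra-plugins: xauth-pam" entry, and nothing in the profile says why it is there; since it is only exercised when charon.user/group in strongswan.d point to a non-root account, a short comment above the new line (for example "# needed when charon drops to the non-root user set in charon.user") would keep a later cleanup from removing it as unused. This is also an edit to the host's copy of the packaged profile, so the debdiff or merge request mentioned below must carry the same line for the fix to survive a package upgrade.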
apparmor_parser -r -T -W /etc/apparmor.d/usr.lib.ipsec.charon
service strongswan restart
ipsec statusall # shows something == good sign
Thanks Jack for digging this down to the missing capability! If I have time,
I'll try and propose a debdiff or a merge request if nobody beats me to it ;)
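An added check to run after the final "service strongswan restart" (this is not part of the bug comment or of the strongswan package): it reads /proc/<pid>/status text and reports whether charon dropped to the configured user and still holds the capabilities the profile grants, so a missing setpcap shows up by name rather than as an empty "ipsec statusall". The status text, uid 107 and the two samples below are constructed.

```shell
#!/bin/sh
# Added example: verify from /proc/<pid>/status that charon dropped uid and
# kept the capabilities the AppArmor profile names. Sample inputs are
# constructed, not captured from a real host.

# Capability bit numbers (from linux/capability.h) for the caps in the profile.
cap_number() {
    case "$1" in
        chown) echo 0 ;;   setgid) echo 6 ;;  setuid) echo 7 ;;
        setpcap) echo 8 ;; audit_write) echo 29 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# Hex value of a field such as CapEff in the status text ($1 = text, $2 = field).
status_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# Print the names, out of the given list, that are NOT in the effective set.
# $1 = status text, remaining arguments = capability names to check.
missing_caps() {
    text=$1; shift
    hex=$(status_field "$text" CapEff)
    for name in "$@"; do
        bit=$(cap_number "$name") || return 1
        [ $(( (0x$hex >> bit) & 1 )) -eq 1 ] || printf '%s\n' "$name"
    done
}

# Real uid of the process (second column of the Uid line).
status_uid() { printf '%s\n' "$1" | awk '$1 == "Uid:" { print $2 }'; }

# Constructed samples: a charon that kept setpcap (bit 8) and one that did not.
# 0x200001c1 = bits 0,6,7,8,29; 0x200000c1 = the same without bit 8.
GOOD_STATUS=$(printf 'Name:\tcharon\nUid:\t107\t107\t107\t107\nCapEff:\t00000000200001c1')
BAD_STATUS=$(printf 'Name:\tcharon\nUid:\t107\t107\t107\t107\nCapEff:\t00000000200000c1')
PROFILE_CAPS="chown setgid setuid setpcap audit_write"

# On a live host: missing_caps "$(cat /proc/$(pidof charon)/status)" $PROFILE_CAPS
missing_caps "$BAD_STATUS" $PROFILE_CAPS    # prints: setpcap
```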
https://bugs.launchpad.net/bugs/1826238
Title:
apparmor doesn't allow to start with a non-root user