Public bug reported:

Due to ordering of package installations, the apparmor profile for the `charon` daemon is not applied to the service on a fresh install on bionic.

For `apt install strongswan`, we get:

    (...)
    Setting up libstrongswan (5.6.2-1ubuntu2.5) ...
    Setting up libstrongswan-standard-plugins (5.6.2-1ubuntu2.5) ...
    Setting up libcharon-standard-plugins (5.6.2-1ubuntu2.5) ...
    Setting up strongswan-libcharon (5.6.2-1ubuntu2.5) ...
    Setting up strongswan-starter (5.6.2-1ubuntu2.5) ...    <============
    Created symlink /etc/systemd/system/multi-user.target.wants/strongswan.service → /lib/systemd/system/strongswan.service.
    Setting up strongswan-charon (5.6.2-1ubuntu2.5) ...     <============
    Setting up strongswan (5.6.2-1ubuntu2.5) ...
    (...)

    $ ps axwZ|grep /usr/lib/ipsec/charon|grep -v grep
    unconfined                      12374 ?        Ssl    0:00 /usr/lib/ipsec/charon

    $ sudo aa-status | tail -n 2
    1 processes are unconfined but have a profile defined.
       /usr/lib/ipsec/charon (12374)

See how strongswan-starter is set up before strongswan-charon. What happens is that -starter starts the services (including charon), but the apparmor profile is only loaded into the kernel by strongswan-charon's postinst, therefore too late.

In focal and later, the dependencies were changed[1]:

    strongswan-starter: replaced "Recommends: strongswan-charon" with "Depends: strongswan-charon"
    strongswan-charon:  replaced "Depends: strongswan-starter" with "Recommends: strongswan-starter"

This has the effect that strongswan-charon will be configured already (i.e., the apparmor profile will be loaded into the kernel) by the time strongswan-starter comes along and (re)starts the services:

    (...)
    Setting up libstrongswan (5.8.2-1ubuntu3.1) ...
    Setting up strongswan-libcharon (5.8.2-1ubuntu3.1) ...
    Setting up libcharon-extauth-plugins (5.8.2-1ubuntu3.1) ...
    Setting up strongswan-charon (5.8.2-1ubuntu3.1) ...     <============
    Setting up libstrongswan-standard-plugins (5.8.2-1ubuntu3.1) ...
    Setting up strongswan-starter (5.8.2-1ubuntu3.1) ...    <============
    Created symlink /etc/systemd/system/multi-user.target.wants/strongswan-starter.service → /lib/systemd/system/strongswan-starter.service.
    Setting up strongswan (5.8.2-1ubuntu3.1) ...
    (...)

    $ ps axwZ | grep /usr/lib/ipsec/charon | grep -v grep
    /usr/lib/ipsec/charon (enforce)  1720 ?        Ssl    0:00 /usr/lib/ipsec/charon

1. https://launchpad.net/ubuntu/+source/strongswan/5.8.1-1ubuntu1

** Affects: strongswan (Ubuntu)
   Importance: Undecided
   Status: Fix Released

** Affects: strongswan (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: strongswan (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: strongswan (Ubuntu)
   Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1932197

Title:
  charon apparmor profile not applied on fresh install

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1932197/+subscriptions

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
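A post-install check for the symptom described in the report, as an added example that is not part of the bug report or of the strongswan packaging: it classifies the AppArmor label that `ps axwZ` prints for the charon binary as unconfined, enforce or complain, which is the difference between the bionic and focal outputs above. The two sample lines are constructed to mirror those outputs; the profile path /etc/apparmor.d/usr.lib.ipsec.charon and the strongswan.service unit used by the live-host helper are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Classifies the AppArmor label that
# `ps axwZ` prints in its first column for a given binary:
#   "unconfined"           -> profile defined but not applied (the bionic symptom)
#   "enforce" / "complain" -> profile applied, in that mode
#   "not-running"          -> no matching process line
charon_confinement() {
    # $1: text of `ps axwZ` output, $2: binary path to look for
    printf '%s\n' "$1" | awk -v bin="$2" '
        index($0, bin) && !index($0, "grep") {
            found = 1
            if ($1 == "unconfined") {
                print "unconfined"
            } else {
                gsub(/[()]/, "", $2)   # "(enforce)" -> "enforce"
                print $2
            }
            exit
        }
        END { if (!found) print "not-running" }'
}

# Live-host helper (defined, not run here): if charon is unconfined, load the
# profile into the kernel and restart the unit so the daemon picks it up.
# Profile path and unit name are assumptions based on the bionic package layout.
check_live_charon() {
    label=$(charon_confinement "$(ps axwZ)" /usr/lib/ipsec/charon)
    echo "charon: $label"
    if [ "$label" = unconfined ]; then
        apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon &&
            systemctl restart strongswan.service
    fi
}

# Constructed sample lines mirroring the two outputs in the report.
BIONIC_PS='unconfined 12374 ? Ssl 0:00 /usr/lib/ipsec/charon'
FOCAL_PS='/usr/lib/ipsec/charon (enforce) 1720 ? Ssl 0:00 /usr/lib/ipsec/charon'

charon_confinement "$BIONIC_PS" /usr/lib/ipsec/charon   # unconfined
charon_confinement "$FOCAL_PS" /usr/lib/ipsec/charon    # enforce
```

Run `check_live_charon` as root on the installed host to get the same classification for the real process and the reload-and-restart when it is unconfined.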
