Public bug reported:

Under some conditions AppArmor denies /usr/lib/ipsec/charon access to
/dev/tty, which causes a daemon restart:

    Feb 24 07:06:04 vpn-01 kernel: [548017.000283] type=1400 audit(1456297564.902:21): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=24255 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
    Feb 24 07:06:10 vpn-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-48-generic, x86_64)

I'm not sure why charon requests RW access to /dev/tty, but it started
after installing and configuring the xauth-eap plugin (it allows an EAP
plugin to be used as a backend for XAuth credential verification).

When strongSwan is used with a RADIUS backend this creates additional
issues besides client reconnections (RADIUS continues to think that all
users are still logged in).

# lsb_release -rd
Description:    Ubuntu 14.04.3 LTS
Release:        14.04

#  apt-cache policy strongswan
strongswan:
  Installed: 5.1.2-0ubuntu2.4
  Candidate: 5.1.2-0ubuntu2.4
  Version table:
 *** 5.1.2-0ubuntu2.4 0
        500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     5.1.2-0ubuntu2 0
        500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

# apt-cache policy strongswan-plugin-xauth-eap
strongswan-plugin-xauth-eap:
  Installed: 5.1.2-0ubuntu2.4
  Candidate: 5.1.2-0ubuntu2.4
  Version table:
 *** 5.1.2-0ubuntu2.4 0
        500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu/ trusty-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     5.1.2-0ubuntu2 0
        500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages

#  apt-cache policy apparmor
apparmor:
  Installed: 2.8.95~2430-0ubuntu5.3
  Candidate: 2.8.95~2430-0ubuntu5.3
  Version table:
 *** 2.8.95~2430-0ubuntu5.3 0
        500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.8.95~2430-0ubuntu5.1 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.8.95~2430-0ubuntu5 0
        500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Right now I've disabled AppArmor for Strongswan and continue to monitor this:
# sudo apparmor_parser -R /etc/apparmor.d/usr.lib.ipsec.charon
# sudo apparmor_parser -R /etc/apparmor.d/usr.lib.ipsec.stroke 
# sudo ln -s /etc/apparmor.d/usr.lib.ipsec.charon /etc/apparmor.d/disable/
# sudo ln -s /etc/apparmor.d/usr.lib.ipsec.stroke /etc/apparmor.d/disable/
# sudo apparmor_status
apparmor module is loaded.
5 profiles are loaded.
5 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/named
   /usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /sbin/dhclient (697) 
   /usr/sbin/named (1097) 
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
# sudo cat /etc/apparmor.d/usr.lib.ipsec.charon 
# ------------------------------------------------------------------
#
#   Copyright (C) 2013 Canonical Ltd.
#
#   This program is free software; you can redistribute it and/or
#   modify it under the terms of version 2 of the GNU General Public
#   License published by the Free Software Foundation.
#
#   Author: Jonathan Davies <jonathan.dav...@canonical.com>
#
# ------------------------------------------------------------------

#include <tunables/global>

/usr/lib/ipsec/charon {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/authentication>
  #include <abstractions/openssl>

  capability net_admin,
  capability net_raw,

  network,
  network raw,

  /bin/dash                 rmPUx,

  /etc/ipsec.conf           r,
  /etc/ipsec.secrets        r,
  /etc/ipsec.*.secrets      r,
  /etc/ipsec.d/             r,
  /etc/ipsec.d/**           r,
  /etc/strongswan.conf      r,
  /etc/strongswan.d/        r,
  /etc/strongswan.d/**      r,
  /etc/tnc_config           r,

  /proc/sys/net/core/xfrm_acq_expires   w,

  /run/charon.*             rw,

  /usr/lib/ipsec/charon     rmix,
  /usr/lib/ipsec/imcvs/     r,
  /usr/lib/ipsec/imcvs/**   rm,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.ipsec.charon>
}

** Affects: strongswan (Ubuntu)
     Importance: Undecided
         Status: New
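The workaround above removes confinement from charon entirely. A narrower fix is to grant only the path the audit log shows as denied, through the local override file that the shipped profile already includes. The script below is an added example, not code from the bug report or the strongswan package; the file paths assume the standard Ubuntu AppArmor layout, and the sample audit line is constructed from the one in the report.

```shell
# Added example (not from the bug report or the strongswan package): instead of
# unloading the charon and stroke profiles, grant only the path the audit log
# shows as denied, via the local override the shipped profile #includes.
# Paths below assume the standard Ubuntu AppArmor layout.
PROFILE=/etc/apparmor.d/usr.lib.ipsec.charon
LOCAL=/etc/apparmor.d/local/usr.lib.ipsec.charon

# Turn one kernel audit line for the charon profile into a file rule such as
# "/dev/tty rw,". Lines for other profiles, and masks other than r/w (x, m, k
# and l need human judgement and a matching modifier), are rejected with status 1.
rule_from_denial() {
    line=$1
    case $line in
        *'apparmor="DENIED"'*'profile="/usr/lib/ipsec/charon"'*) ;;
        *) return 1 ;;
    esac
    name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
    mask=$(printf '%s\n' "$line" | sed -n 's/.*denied_mask="\([^"]*\)".*/\1/p')
    [ -n "$name" ] && [ -n "$mask" ] || return 1
    case $mask in *[!rw]*) return 1 ;; esac
    printf '%s %s,\n' "$name" "$mask"
}

# Append the rule to the local override (once) and reload the profile in place.
# Needs root. apparmor_parser -r replaces the loaded profile without restarting
# charon; any earlier /etc/apparmor.d/disable/ symlink must be removed first,
# otherwise the profile stays unloaded and the override never applies.
apply_override() {
    rule=$(rule_from_denial "$1") || { echo "no usable rule in audit line" >&2; return 1; }
    grep -qxF "  $rule" "$LOCAL" 2>/dev/null || printf '  %s\n' "$rule" >> "$LOCAL"
    apparmor_parser -r "$PROFILE" && apparmor_status | grep -F /usr/lib/ipsec/charon
}

# Constructed sample matching the denial in the report (not a live log line).
SAMPLE='kernel: [548017.000283] type=1400 audit(1456297564.902:21): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/dev/tty" pid=24255 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0'
rule_from_denial "$SAMPLE"   # prints: /dev/tty rw,
```

Review the generated rule before running apply_override; granting /dev/tty read/write is a small widening, but the same helper applied blindly to other denials would be a way of silently loosening the profile.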

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1549436

Title:
  AppArmor kills strongSwan daemon 'charon'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1549436/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs