Hi there,

Sending again as message didn't show up in the thread.


-------- Forwarded Message --------

Subject: Re: [Bug 1514794] Re: package:strongswan-plugin-farp may need apparmor config change
Date: Thu, 28 Jan 2016 20:26:48 +0000
From: Steven Bishop <xxxxxxxxx@xxxxxx>
To: Bug 1514794 <1514...@bugs.launchpad.net>


Hi Simon,


Thanks for your email.

Had a quick look back at the details.

I've attached the complete copy of "/etc/apparmor.d/usr.lib.ipsec.charon"
that I've got installed and running (post-the-patch).

The excerpt I took from "/var/log/syslog" at the time of the bug-report
showed that apparmor was blocking the dgram packets that the strongswan farp plugin
was trying to generate when I had a Road-Warrior client connected to the VPN
and pinging a LAN-side client.


Until I put in the patch to "/etc/apparmor.d/usr.lib.ipsec.charon" of :

    network packet dgram,

the ping wasn't getting any reply as apparmor was preventing the farp plugin
from generating the correct traffic for the ping to travel back from the
LAN-side client and across the VPN boundary.


Doing a quick :

$ dpkg -S /etc/apparmor.d/usr.lib.ipsec.charon

returns :

strongswan-ike: /etc/apparmor.d/usr.lib.ipsec.charon


Looking in /var/log/auth.log, I can see that I installed :

     $ sudo apt-get install strongswan-ikev2

On Oct-17-2015 @ 17:30pm (BST = GMT + 1hr)


Looking at the current Trusty repo, the date on their copy is from 15-Nov-2015
so that working copy is actually newer than my bug-report.

I've pulled down a copy of that particular .deb and looked at
its copy of /etc/apparmor.d/usr.lib.ipsec.charon.

Looking at the version I've got installed I can see some notable style differences
in the layout of the file.
The '#include' statements are all grouped together.

I'm guessing that the package that I "apt-get install"ed on 17-Oct-2015
has been updated on the Trusty repo since that time.

By the way, the version currently available in the current Trusty repo
has the 2 lines:

line-24:
     network,
line-25:
     network raw,


If I'm reading this correctly, wouldn't line-24 mean that all network traffic
is allowed, making line-25 unnecessary?

[ ref :
http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Network_rules
]


As long as the current version of the Strongswan package with farp-plugin installed
will permit a road-warrior client connected to the VPN to 'ping' a LAN-side client
then I would be 100% happy.


Kind Regards,


Steven



On 24/01/2016 23:12, Simon Déziel wrote:
> @Steven, is this still an issue? The diff you showed includes "# network
> all," but this is not in the released version of charon's profile. Maybe
> you had a locally modified profile when you ran into the issue?
>
> Since the charon's profile in Trusty allows all networking, I don't
> think that adding "network packet dgram," makes sense. Would you mind
> confirm if the problem happened with the stock profile or not?
>
> ** Changed in: strongswan (Ubuntu)
>         Status: New => Incomplete
>



** Attachment added: "usr.lib.ipsec.charon - my-patched-copy"
   
https://bugs.launchpad.net/bugs/1514794/+attachment/4584242/+files/usr.lib.ipsec.charon%20-%20my-patched-copy
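The two questions the thread turns on are (a) whether a bare `network,` rule in the charon profile already subsumes `network raw,` and `network packet dgram,`, and (b) what the syslog denial actually asked for. The script below is an added example, not part of the bug report or of the strongswan package: it parses the network rules out of an AppArmor profile, reports rules made redundant by a broader one, parses an `apparmor="DENIED"` audit line into its fields, and derives the narrowest rule that would satisfy it. The profile excerpt and the log line are constructed for the example (they are modelled on the Trusty profile and on AppArmor's audit format, but are not copied from the attachment or from the original syslog excerpt); the family and socket-type name sets are a subset of those AppArmor accepts.

```python
import re

# Socket domains and types AppArmor accepts in "network [domain] [type]," rules.
# Only a subset is listed here; "packet" is both a domain (AF_PACKET) and a type
# (SOCK_PACKET), and AppArmor takes the domain first when it appears first.
FAMILIES = {'inet', 'inet6', 'packet', 'netlink', 'unix', 'bluetooth',
            'ax25', 'ipx', 'appletalk', 'x25', 'key'}
SOCK_TYPES = {'stream', 'dgram', 'seqpacket', 'rdm', 'raw', 'packet'}

# Constructed profile excerpt modelled on the Trusty charon profile discussed
# in the thread; it is not a copy of the file strongswan-ike ships.
SAMPLE_PROFILE = """\
#include <tunables/global>

/usr/lib/ipsec/charon {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability net_admin,
  capability net_raw,

  network,
  network raw,
  network packet dgram,

  /etc/ipsec.conf r,
  /usr/lib/ipsec/charon mr,
}
"""

# Constructed audit line in the shape AppArmor writes to /var/log/syslog; the
# timestamps, pid and protocol value are illustrative, not from the bug report.
SAMPLE_DENIAL = ('Oct 17 17:45:02 vpn kernel: [ 1234.567890] type=1400 '
                 'audit(1445100302.123:77): apparmor="DENIED" operation="create" '
                 'profile="/usr/lib/ipsec/charon" pid=2345 comm="charon" '
                 'family="packet" sock_type="dgram" protocol=768')

NETWORK_RULE = re.compile(r'^network((?:\s+\w+)*)\s*,$')
AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_network_rules(profile_text):
    """Return [(family, sock_type), ...]; None means 'any' for that position."""
    rules = []
    for raw_line in profile_text.splitlines():
        line = raw_line.split('#', 1)[0].strip()   # drops comments and #include
        m = NETWORK_RULE.match(line)
        if not m:
            continue
        tokens = m.group(1).split()
        family = sock_type = None
        if tokens and tokens[0] in FAMILIES:        # domain is written first
            family = tokens.pop(0)
        if tokens and tokens[0] in SOCK_TYPES:
            sock_type = tokens.pop(0)
        if tokens:
            raise ValueError(f'unrecognised network rule: {raw_line.strip()}')
        rules.append((family, sock_type))
    return rules


def rule_allows(rule, family, sock_type):
    """True if a single (family, type) rule covers the given socket."""
    fam, typ = rule
    return (fam is None or fam == family) and (typ is None or typ == sock_type)


def profile_allows(rules, family, sock_type):
    return any(rule_allows(r, family, sock_type) for r in rules)


def redundant_network_rules(rules):
    """Rules already covered by another rule in the same profile.

    A bare 'network,' grants every domain and socket type, so anything more
    specific alongside it adds nothing; 'network packet,' likewise covers
    'network packet dgram,'.
    """
    redundant = []
    for i, (fam, typ) in enumerate(rules):
        others = rules[:i] + rules[i + 1:]
        if any(rule_allows(o, fam, typ) for o in others):
            redundant.append((fam, typ))
    return redundant


def parse_denial(log_line):
    """Split an apparmor="DENIED" audit line into key=value fields, else None."""
    if 'apparmor="DENIED"' not in log_line:
        return None
    return {k: v.strip('"') for k, v in AUDIT_FIELD.findall(log_line)}


def rule_for_denial(fields):
    """Narrowest network rule that would satisfy a network-socket denial."""
    if fields and fields.get('family') and fields.get('sock_type'):
        return f'network {fields["family"]} {fields["sock_type"]},'
    return None


if __name__ == '__main__':
    rules = parse_network_rules(SAMPLE_PROFILE)
    print('network rules :', rules)
    print('redundant     :', redundant_network_rules(rules))
    denial = parse_denial(SAMPLE_DENIAL)
    print('denied socket :', denial['family'], denial['sock_type'])
    print('minimal rule  :', rule_for_denial(denial))
    print('already allowed by profile on disk:',
          profile_allows(rules, denial['family'], denial['sock_type']))
```

When `profile_allows` reports that the profile on disk already covers the denied socket, the denial did not come from that file as written: the loaded policy is stale or a different copy was in force, which is exactly the question Simon raises above. In that case reload the profile (`sudo apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon`) and re-test before adding rules; the `redundant_network_rules` output shows which lines a bare `network,` already makes unnecessary.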

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to strongswan in Ubuntu.
https://bugs.launchpad.net/bugs/1514794

Title:
  package:strongswan-plugin-farp may need apparmor config change
