[Pkg-swan-devel] Bug#1040042: strongswan-starter: apparmor config hinders creation of /run/charon.ctl
Matthias Ferdinand
mf+debian at mfedv.net
Sat Jul 1 16:27:14 BST 2023
Package: strongswan-starter
Version: 5.9.8-5
Severity: normal
Tags: patch
Dear Maintainer,
for the legacy ipsec.conf variant, a /run/charon.ctl unix socket is
needed. Current apparmor settings disallow creation of the socket:
2023-07-01T17:04:41.153694+02:00 smtp kernel: [ 58.777471] kauditd_printk_skb: 19 callbacks suppressed
2023-07-01T17:04:41.153718+02:00 smtp kernel: [ 58.777479] audit: type=1400 audit(1688223881.147:30): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 profile="/usr/lib/ipsec/stroke" pid=1566 comm="stroke" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
The ipsec utility then does not work:
# ipsec statusall
opening socket 'unix:///var/run/charon.ctl' failed: Permission denied
failed to connect to stroke socket 'unix:///var/run/charon.ctl'
I added the following line to /etc/apparmor.d/local/usr.lib.ipsec.stroke:
unix (create) type=stream addr=/run/charon.ctl
which allowed it to work again.
I think this should be added to /etc/apparmor.d/usr.lib.ipsec.stroke.
Regards
Matthias
-- System Information:
Debian Release: 12.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.15.0-76-generic (SMP w/1 CPU thread)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages strongswan-starter depends on:
ii adduser 3.134
ii debconf [debconf-2.0] 1.5.82
ii init-system-helpers 1.65.2
ii libc6 2.36-9
ii libstrongswan 5.9.8-5
ii sysvinit-utils 3.06-4
Versions of packages strongswan-starter recommends:
ii strongswan-charon 5.9.8-5
strongswan-starter suggests no packages.
-- Configuration Files:
/etc/ipsec.conf changed [not included]
/etc/ipsec.secrets changed [not included]
-- debconf information:
strongswan/x509_common_name:
strongswan/existing_x509_certificate_filename:
strongswan/charon: true
strongswan/x509_country_code: AT
strongswan/enable-oe: false
strongswan/x509_self_signed: true
strongswan/how_to_get_x509_certificate: create
strongswan/runlevel_changes:
strongswan/x509_locality_name:
strongswan/install_x509_certificate: false
strongswan/x509_state_name:
strongswan/existing_x509_rootca_filename:
strongswan/restart: true
strongswan/x509_organizational_unit:
strongswan/x509_email_address:
strongswan/rsa_key_length: 2048
strongswan/existing_x509_key_filename:
strongswan/x509_organization_name:
diff --git a/apparmor.d/local/usr.lib.ipsec.stroke b/apparmor.d/local/usr.lib.ipsec.stroke
index e69de29..59a493b 100644
--- a/apparmor.d/local/usr.lib.ipsec.stroke
+++ b/apparmor.d/local/usr.lib.ipsec.stroke
@@ -0,0 +1 @@
+ unix (create) type=stream addr=/run/charon.ctl
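Review bot: the hunk changes apparmor.d/local/usr.lib.ipsec.stroke, the administrator override file that the package ships empty (the `index e69de29..` line is the empty-blob hash), while the report itself asks for the rule to go into the packaged profile /etc/apparmor.d/usr.lib.ipsec.stroke; for a package fix the line belongs in the main profile, otherwise a dpkg upgrade treats it as a local customisation rather than a shipped default. The rule pins addr=/run/charon.ctl whereas the `ipsec statusall` error quotes unix:///var/run/charon.ctl; that only matches because /var/run is a symlink to /run on this system, so a short comment next to the rule stating that assumption would save the next reader a detour.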
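Reading the denial above by hand is error-prone, so here is a small parser for AppArmor `DENIED` audit lines that extracts the fields and derives the unix-socket rule a reviewer would then check against the profile. This is an added example, not code from the bug report or from the strongswan package; the sample log lines are copied from the report, the function names are my own, and the socket path has to be supplied by the reviewer because the kernel logs `addr=none` at socket creation time.

```python
"""Parse AppArmor "DENIED" audit lines and derive the unix-socket rule to review.
Added example for this bug report; not part of strongswan or its packaging."""
import re

# Sample kernel log lines copied from the bug report above: the first is noise,
# the second is the denial that stopped /usr/lib/ipsec/stroke creating its socket.
SAMPLE_LOG = """\
2023-07-01T17:04:41.153694+02:00 smtp kernel: [ 58.777471] kauditd_printk_skb: 19 callbacks suppressed
2023-07-01T17:04:41.153718+02:00 smtp kernel: [ 58.777479] audit: type=1400 audit(1688223881.147:30): apparmor="DENIED" operation="create" info="failed type and protocol match" error=-13 profile="/usr/lib/ipsec/stroke" pid=1566 comm="stroke" family="unix" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" addr=none
"""

# Audit records are key=value pairs; values are either double-quoted or bare tokens.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_denial(line):
    """Return a dict of audit fields for an AppArmor DENIED line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def unix_socket_denials(log_text):
    """Yield the parsed denials whose address family is unix."""
    for line in log_text.splitlines():
        fields = parse_apparmor_denial(line)
        if fields and fields.get("family") == "unix":
            yield fields


def suggest_unix_rule(fields, addr):
    """Build the AppArmor unix rule permitting exactly the denied operation(s).
    'addr' is supplied by the reviewer (here the report's /run/charon.ctl):
    the kernel reports addr=none because the socket is not bound yet at create time."""
    ops = fields["denied_mask"].replace(",", " ")
    rule = f"unix ({ops}) type={fields['sock_type']}"
    if addr:
        rule += f" addr={addr}"
    return rule


if __name__ == "__main__":
    for denial in unix_socket_denials(SAMPLE_LOG):
        print(denial["profile"], denial["comm"], denial["operation"], denial["error"])
        print("  candidate rule:", suggest_unix_rule(denial, "/run/charon.ctl"))
```

Run it against `journalctl -k` output instead of SAMPLE_LOG to list every unix-socket denial on a host; the candidate rule is a starting point for review, not something to paste into the profile unread.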