package:strongswan-plugin-farp may need apparmor config change

Asked by Steven Bishop

OS : Ubuntu 14.04 LTS server i386 ( with all packages obtained from Ubuntu repos )
Kernel : Linux 3.13.0-66-generic, i686

Running StrongSwan 5.1.2.

Found it was necessary to edit the apparmor profile to permit "strongswan-plugin-farp" to
be loaded at 'ipsec start'.

Reproducible 100% of the time.

Following errors are reported in

"/var/log/charon.log" :

Nov 6 14:39:55 00[NET] opening ARP packet socket failed: Permission denied
Nov 6 14:39:55 00[LIB] plugin 'farp': failed to load - farp_plugin_create returned NULL

"/var/log/syslog" :

Nov 6 14:39:55 VMserver1 kernel: [15238.662619] type=1400 audit(1446820795.972:29): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=1544
Nov 6 14:39:55 VMserver1 kernel: [15238.677435] type=1400 audit(1446820795.988:30): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=8

Proposed fix
------------

--- /etc/apparmor.d/usr.lib.ipsec.charon 2015-11-06 16:27:22.068674462 +0000
+++ /tmp/tmpvcipywp2 2015-11-06 16:46:16.552658984 +0000
@@ -27,6 +27,8 @@
 # network all,
   network raw,

+ network packet dgram,
+
   /bin/dash mrPUx,
   /etc/ipsec.*.secrets r,
   /etc/ipsec.conf r,
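
Review bot: The added `network packet dgram,` line has no comment recording why charon needs packet sockets, and it sits just below the commented-out `# network all,`, so a later editor has nothing to tell them it should be neither dropped nor widened. Add a comment above it naming the farp plugin and the "opening ARP packet socket failed" error it resolves. The family and type match both quoted denials (family="packet" sock_type="dgram"), so the rule does not need to be any broader; note that, placed in the charon profile, it grants this socket type whether or not strongswan-plugin-farp is installed.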

Question information

Language: English
Status: Answered
For: Ubuntu strongswan
Assignee: No assignee

actionparsnip (andrew-woodhead666) said :
#1

I suggest you report a bug
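
The denials quoted in the question map directly onto the rule in the proposed fix. As an added example (not part of the original thread, nor strongSwan or Ubuntu code), this Python script derives the narrowest `network` rule per profile from AppArmor denial lines and decodes their `protocol=` values. The function names are hypothetical, the third sample line is constructed, and the byte-swap assumes a little-endian host such as the reporter's i686.

```python
import re
from collections import defaultdict

# Sample input: the two denials quoted in the question, plus one constructed
# file denial that must not yield a network rule.
SAMPLE_LOG = '''\
Nov 6 14:39:55 VMserver1 kernel: [15238.662619] type=1400 audit(1446820795.972:29): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=1544
Nov 6 14:39:55 VMserver1 kernel: [15238.677435] type=1400 audit(1446820795.988:30): apparmor="DENIED" operation="create" profile="/usr/lib/ipsec/charon" pid=3143 comm="charon" family="packet" sock_type="dgram" protocol=8
Nov 6 14:40:01 VMserver1 kernel: [15244.000000] type=1400 audit(1446820801.000:31): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/tmp/constructed" pid=3143 comm="charon" requested_mask="r" denied_mask="r"
'''

# key="quoted value" or key=bare_value, as written by the kernel audit code.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def denied_events(log_text):
    """Yield the key=value fields of every AppArmor DENIED audit line."""
    for line in log_text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            yield fields

def suggest_network_rules(log_text):
    """Map each profile to the 'network <family> <type>,' rules its denials need."""
    rules = defaultdict(set)
    for f in denied_events(log_text):
        if "family" in f and "sock_type" in f:
            rules[f["profile"]].add(f"network {f['family']} {f['sock_type']},")
    return {profile: sorted(r) for profile, r in rules.items()}

def packet_ethertypes(log_text):
    """Decode protocol= of packet-socket denials into EtherType strings.

    Assumption: the logged value is the htons() result on a little-endian
    host, so the two bytes are swapped back here.
    """
    types = set()
    for f in denied_events(log_text):
        if f.get("family") == "packet" and f.get("protocol", "").isdigit():
            p = int(f["protocol"])
            swapped = ((p & 0xFF) << 8) | (p >> 8)
            types.add(f"0x{swapped:04x}")
    return sorted(types)

if __name__ == "__main__":
    for profile, rules in suggest_network_rules(SAMPLE_LOG).items():
        print(profile, rules)
    print("EtherTypes:", packet_ethertypes(SAMPLE_LOG))
```

On the quoted lines it yields `network packet dgram,` for `/usr/lib/ipsec/charon`; the decoded EtherTypes 0x0806 (ARP) and 0x0800 (IPv4) show why a rule that omits the protocol covers both denials.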
