bionic verification reproducing the bug
strongswan was just installed:

ubuntu@bionic-strongswan-apparmor-1932197:~$ apt-cache policy strongswan-charon
strongswan-charon:
  Installed: 5.6.2-1ubuntu2.5
  Candidate: 5.6.2-1ubuntu2.5
  Version table:
 *** 5.6.2-1ubuntu2.5 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     5.6.2-1ubuntu2.3 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     5.6.2-1ubuntu2 500
        500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

charon is running unconfined:

ubuntu@bionic-strongswan-apparmor-1932197:~$ ps axwZ | grep /usr/lib/ipsec/charon | grep -v grep
unconfined 1898 ? Ssl 0:00 /usr/lib/ipsec/charon

I now purge it all:

ubuntu@bionic-strongswan-apparmor-1932197:~$ sudo apt purge strongswan --autoremove
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  libcharon-standard-plugins* libstrongswan* libstrongswan-standard-plugins*
  strongswan* strongswan-charon* strongswan-libcharon* strongswan-starter*
0 upgraded, 0 newly installed, 7 to remove and 36 not upgraded.
(...)

Confirm it's not running:

ubuntu@bionic-strongswan-apparmor-1932197:~$ ps axwZ | grep /usr/lib/ipsec/charon | grep -v grep
ubuntu@bionic-strongswan-apparmor-1932197:~$

The apparmor profiles are still loaded in the kernel, so I remove them too:

ubuntu@bionic-strongswan-apparmor-1932197:~$ sudo aa-status | grep ipsec
   /usr/lib/ipsec/charon
   /usr/lib/ipsec/stroke
ubuntu@bionic-strongswan-apparmor-1932197:~$ echo "profile /usr/lib/ipsec/charon {}" | sudo apparmor_parser -R
ubuntu@bionic-strongswan-apparmor-1932197:~$ echo "profile /usr/lib/ipsec/stroke {}" | sudo apparmor_parser -R
ubuntu@bionic-strongswan-apparmor-1932197:~$ sudo aa-status | grep ipsec
ubuntu@bionic-strongswan-apparmor-1932197:~$

And now I install the packages from bionic-proposed:

ubuntu@bionic-strongswan-apparmor-1932197:~$ sudo apt install strongswan
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libcharon-standard-plugins libstrongswan libstrongswan-standard-plugins
  strongswan-charon strongswan-libcharon strongswan-starter
Suggested packages:
  libstrongswan-extra-plugins libcharon-extra-plugins
The following NEW packages will be installed:
  libcharon-standard-plugins libstrongswan libstrongswan-standard-plugins
  strongswan strongswan-charon strongswan-libcharon strongswan-starter
0 upgraded, 7 newly installed, 0 to remove and 54 not upgraded.
Need to get 868 kB of archives.
After this operation, 3871 kB of additional disk space will be used.
Do you want to continue? [Y/n]

Confirming I have the one from proposed installed:

ubuntu@bionic-strongswan-apparmor-1932197:~$ apt-cache policy strongswan-charon
strongswan-charon:
  Installed: 5.6.2-1ubuntu2.6
  Candidate: 5.6.2-1ubuntu2.6
  Version table:
 *** 5.6.2-1ubuntu2.6 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     5.6.2-1ubuntu2.5 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
(...)

And charon is confined:

ubuntu@bionic-strongswan-apparmor-1932197:~$ ps axwZ | grep /usr/lib/ipsec/charon | grep -v grep
/usr/lib/ipsec/charon (enforce) 3093 ? Ssl 0:00 /usr/lib/ipsec/charon

Bionic verification succeeded.

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1932197

Title:
  charon apparmor profile not applied on fresh install

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1932197/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
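
Added example, not part of the original bug comment: a shell function that turns the "ps axwZ" check used in the verification above into a scriptable pass/fail test, so a fresh install that leaves charon unconfined fails loudly. It assumes the label column is either "unconfined" or "<profile> (<mode>)" with no spaces in the profile name; the function name confinement_of and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Sample ps lines below are constructed
# in the format shown in the session above.

# confinement_of EXE
#   stdin : output of `ps axwZ`
#   stdout: enforce | complain | unconfined | unknown | not-running
#   status: 0 only when at least one process runs EXE and all are in enforce mode
confinement_of() {
    awk -v exe="$1" '
        # Higher rank = weaker confinement; the weakest state seen is reported.
        function rank(s) {
            if (s == "unconfined") return 4
            if (s == "unknown")    return 3
            if (s == "complain")   return 2
            return 1
        }
        {
            # A confined label takes two fields: "<profile> (<mode>)".
            if ($2 ~ /^\((enforce|complain)\)$/) {
                state = substr($2, 2, length($2) - 2); cmd = 7
            } else {
                state = ($1 == "unconfined") ? "unconfined" : "unknown"; cmd = 6
            }
            # Exact match on the command word, so "grep EXE" never counts.
            if ($cmd != exe) next
            if (worst == "" || rank(state) > rank(worst)) worst = state
        }
        END {
            if (worst == "") worst = "not-running"
            print worst
            exit((worst == "enforce") ? 0 : 1)
        }
    '
}

# Constructed samples: state before and after installing the fixed package.
BEFORE='unconfined 1898 ? Ssl 0:00 /usr/lib/ipsec/charon
unconfined 1910 pts/0 S+ 0:00 grep /usr/lib/ipsec/charon'
AFTER='/usr/lib/ipsec/charon (enforce) 3093 ? Ssl 0:00 /usr/lib/ipsec/charon'

printf 'before: %s\n' "$(printf '%s\n' "$BEFORE" | confinement_of /usr/lib/ipsec/charon)"
printf 'after:  %s\n' "$(printf '%s\n' "$AFTER" | confinement_of /usr/lib/ipsec/charon)"
```

On a live system the input would come from "ps axwZ | confinement_of /usr/lib/ipsec/charon", with the exit status usable directly in a post-install check.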