apparmor doesn't allow to start with a non-root user

CAP_SETPCAP should be allowed in the profile

I just test this in a container (Bionic host/4.15 and Disco guest) and I can confirm the problem and the solution. Here is how to easily reproduce (and workaround):

  apt-get install -y strongswan

  ipsec statusall # shows something == good sign

  cat << EOF >> /etc/strongswan.d/zz-charon-low-priv.conf
charon {
  # Name of the user the daemon changes to after startup.
  user = strongswan
  group = nogroup
}
EOF

  service strongswan restart

  ipsec statusall # shows nothing == bad sign

  # Tweak apparmor profile like this:

  $ diff -Naur /etc/apparmor.d/usr.lib.ipsec.charon{.orig,}
--- /etc/apparmor.d/usr.lib.ipsec.charon.orig 2019-04-25 11:21:44.939184443 +0000
+++ /etc/apparmor.d/usr.lib.ipsec.charon 2019-04-25 11:21:49.643131415 +0000
@@ -29,6 +29,7 @@
   capability chown,
   capability setgid,
   capability setuid,
+ capability setpcap,

   # libcharon-extra-plugins: xauth-pam
   capability audit_write,

  apparmor_parser -r -T -W /etc/apparmor.d/usr.lib.ipsec.charon

  service strongswan restart

  ipsec statusall # shows something == good sign

Thanks Jack for digging this down to the missing capability! If I have time, I'll try and propose a debdiff or a merge request if nobody beats me to it ;)

Status changed to 'Confirmed' because the bug affects multiple users.

A better workaround until this is officially fixed might be to use the local/ includes like this:

  echo ' capability setpcap,' >> /etc/apparmor.d/local/usr.lib.ipsec.charon
  echo ' capability setpcap,' >> /etc/apparmor.d/local/usr.sbin.charon-systemd

  apparmor_parser -r -T -W /etc/apparmor.d/usr.lib.ipsec.charon
  apparmor_parser -r -T -W /etc/apparmor.d/usr.sbin.charon-systemd

  service strongswan restart # or service strongswan-swanctl restart

Thanks Simon,
as discussed this will be added (or if accepted by then picked up) at the strongswan merge for Eoan. But that has a few things it has to wait on first so this will take a while.
Fortunately you added the great apparmor override help in comment #4 which should help people affected until then.

FYI - I started the merge as I have realized I'd want to do that -before- resubmission of our Delta to Debian for bug 927961.
Therefore this should soon be in Eoan unless the merge turns out to be more complex than usual.

Another bug in the profile [mentioned](https://github.com/trailofbits/algo/pull/1405#issuecomment-487079035) by @demyers

Apr 26 13:53:37 vpn5 kernel: audit: type=1107 audit(1556286817.984:33): pid=766 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=849 label="/usr/lib/ipsec/charon" peer_pid=1 peer_label="unconfined"
Apr 26 13:53:37 vpn5 audit[766]: USER_AVC pid=766 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="GetDynamicUsers" mask="send" name="org.freedesktop.systemd1" pid=849 label="/usr/lib/ipsec/charon" peer_pid=1 peer_label="unconfined"

This call to dbus needs to be allowed as well. Should I file another issue?

Those dbus rules feel like something that should go in an abstraction. That said, neither strongswan nor strongswan-swanctl use the dynamicuser feature of systemd so it is just noise, or at least, that's my understanding.

FYI fix in Eoan-proposed

This bug was fixed in the package strongswan - 5.7.2-1ubuntu1

---------------
strongswan (5.7.2-1ubuntu1) eoan; urgency=medium

  [ Christian Ehrhardt ]
  * Merge with Debian unstable. Remaining changes:
    - Clean up d/strongswan-starter.postinst: section about runlevel changes
    - Clean up d/strongswan-starter.postinst: Removed entire section on
      opportunistic encryption disabling - this was never in strongSwan and
      won't be see upstream issue #2160.
    - d/rules: Removed patching ipsec.conf on build (not using the
      debconf-managed config.)
    - d/ipsec.secrets.proto: Removed ipsec.secrets.inc reference (was
      used for debconf-managed include of private key).
    - Mass enablement of extra plugins and features to allow a user to use
      strongswan for a variety of extra use cases without having to rebuild.
      + d/control: Add required additional build-deps
      + d/control: Mention addtionally enabled plugins
      + d/rules: Enable features at configure stage
      + d/libbstrongswan-extra-plugins.install: Add plugins (so, lib, conf)
      + d/libstrongswan.install: Add plugins (so, conf)
      + d/strongswan-starter.install: Install pool feature, which is useful
        since we now have attr-sql plugin enabled it.
    - Add plugin kernel-libipsec to allow the use of strongswan in containers
      via this userspace implementation (please do note that this is still
      considered experimental by upstream).
      + d/libcharon-extra-plugins.install: Add kernel-libipsec components
      + d/control: List kernel-libipsec plugin at extra plugins description
      + d/p/dont-load-kernel-libipsec-plugin-by-default.patch: As
        upstream recommends to not load kernel-libipsec by default.
    - d/libstrongswan.install: Add kernel-netlink configuration files
    - Complete the disabling of libfast; This was partially accepted in Debian,
      it is no more packaging medcli and medsrv, but still builds and
      mentions it.
      + d/rules: Add --disable-fast to avoid build time and dependencies
      + d/control: Remove medcli, medsrv from package description
    - d/control: Mention mgf1 plugin which is in libstrongswan now
    - Add now built (since 5.5.1) libraries libtpmtss and nttfft to
      libstrongswan-extra-plugins (no deps from default plugins).
    - d/control, d/libcharon-{extras,standard}-plugins.install: Move charon
      plugins for the most common use cases from extra-plugins into a new
      standard-plugins package. This will allow those use cases without pulling
      in too much more plugins (a bit like the tnc package). Recommend that
      package from strongswan-libcharon.
    - d/usr.sbin.charon-systemd: allow to contact mysql for sql and
      attr-sql plugins (LP #1766240)
    - d/usr.lib.ipsec.charon: allow reading of own FDs (LP #1786250)
    - d/usr.sbin.charon-systemd: allow CLUSTERIP for ha plugin (LP: 1773956)
    - executables need to be able to read map and execute themselves otherwise
      execution in some environments e.g. containers is blocked (LP: 1780534)
      + d/usr.lib.ipsec.stroke: add rmix permission to stroke binary
      + d/usr.lib.ipsec.lookip: add rmix permi...