AppArmor profile prevents DNS Servers from being added to resolv.conf
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
strongswan (Debian) | New | Unknown | |
strongswan (Ubuntu) | Triaged | Undecided | Unassigned |
Bug Description
Currently the AppArmor profile for strongswan prevents VPN connections that use IPsec mode config from adding the DNS settings the client gets from the VPN gateway to /etc/resolv.conf.
This is because the profile has the rules for resolving, but they are read-only. It is missing the write permission for /etc/resolv.conf.
This is an old bug that was already reported on Debian in 2018: https://<email address hidden>
One can fix it by adding the required line to the AppArmor profile and restarting AppArmor afterwards.
I know there are other solutions, like modifying the network-manager config to not overwrite resolv.conf or using the resolvconf package, and I did try various of them, but none worked as they were supposed to. They either didn't add the DNS server at all or caused major delays in DNS resolving.
With the modified AppArmor profile it works like a charm here now.
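As an added illustration of the fix the reporter describes (this is example code, not from the bug report or from the strongswan package): a POSIX shell script that checks whether the charon AppArmor profile already grants write access to /etc/resolv.conf, appends the missing rule to the profile's local override file if it does not, and reloads the profile. The profile path /etc/apparmor.d/usr.lib.ipsec.charon and the override path under /etc/apparmor.d/local/ are assumptions based on the Ubuntu packaging layout; verify them, and that the profile includes its local/ file, before applying.

```shell
#!/bin/sh
# Added example, not part of the bug report or the strongswan package.
# Checks whether the strongswan (charon) AppArmor profile grants write access
# to /etc/resolv.conf and, if it does not, appends the missing rule to the
# profile's local override file and reloads the profile.
#
# ASSUMED paths (Ubuntu layout; verify on your system):
PROFILE="${PROFILE:-/etc/apparmor.d/usr.lib.ipsec.charon}"
LOCAL_OVERRIDE="${LOCAL_OVERRIDE:-/etc/apparmor.d/local/usr.lib.ipsec.charon}"
# The rule the report says is missing: read/write on /etc/resolv.conf.
RULE='/etc/resolv.conf rw,'

# Return 0 if FILE contains an allow rule for /etc/resolv.conf whose mode
# includes 'w'. Accepts an optional "owner" qualifier; "deny" rules and
# read-only rules (e.g. "/etc/resolv.conf r,") do not count.
resolv_write_allowed() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -Eq '^[[:space:]]*(owner[[:space:]]+)?/etc/resolv\.conf[[:space:]]+[a-zA-Z]*w[a-zA-Z]*,' "$file"
}

# Append RULE to OVERRIDE unless a write rule is already present (idempotent,
# so re-running the script never duplicates the line).
ensure_resolv_write_rule() {
    override="$1"
    if resolv_write_allowed "$override"; then
        return 0
    fi
    printf '%s\n' "$RULE" >> "$override"
}

# Recompile and reload PROFILE so the kernel picks up the new rule (needs root).
reload_profile() {
    apparmor_parser -r "$1"
}

# Show recent kernel AppArmor denials that mention resolv.conf, to confirm the
# denial before the fix and its absence after a VPN connection is re-established.
show_resolv_denials() {
    journalctl -k --no-pager 2>/dev/null | grep 'apparmor="DENIED"' | grep resolv
}

# Apply the fix only when explicitly asked; the functions above can be
# exercised on copies of the files without touching the live system.
if [ "${1:-}" = "--apply" ]; then
    if resolv_write_allowed "$PROFILE" || resolv_write_allowed "$LOCAL_OVERRIDE"; then
        echo "write access to /etc/resolv.conf already granted"
    else
        ensure_resolv_write_rule "$LOCAL_OVERRIDE"
        reload_profile "$PROFILE"
        echo "added '$RULE' to $LOCAL_OVERRIDE and reloaded $PROFILE"
    fi
fi
```

Run it as root with `--apply`. One caveat worth checking first: on systems where /etc/resolv.conf is a symlink (for example to systemd-resolved's stub file under /run/systemd/resolve/), AppArmor mediates the resolved target path, so the denial logged by the kernel (look for `apparmor="DENIED"` lines) names the path that actually needs the rule, and that path, not the symlink, is what the override must grant.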
Changed in strongswan (Debian): status: Unknown → New
Changed in strongswan (Ubuntu): assignee: nobody → Sergio Durigan Junior (sergiodj)
Thanks for taking the time to report this bug, Sebastian.
I'm adding it to the Ubuntu Server queue; as you mentioned, this is a relatively old issue and IIUC there's been some pushback to implement this. As Christian mentioned in the Debian bug, enabling write access via the apparmor profile by default could be interpreted as a security risk, so we have to take a deeper look into this problem before we proceed.
FWIW, I haven't tried to reproduce this bug locally, but I am setting its status as Triaged because it's pretty clear that the apparmor profile still doesn't allow strongswan to write to /etc/resolv.conf.