On 2023-02-28 00:44, James Lownie wrote:
Package: strongswan-charon
Version: 5.9.1-1+deb11u3
Severity: normal
X-Debbugs-Cc: none


Dear maintainer,

Hello James, I'm not the maintainer, but I've used strongswan with the AppArmor profiles.

I ran into a problem using Strongswan which looks like a bug to me. I'm not 
sure if it's in strongswan-charon or in AppArmor, but I fixed it by editing 
/etc/apparmor.d/usr.lib.ipsec.charon, which is strongswan-charon code, so I'm 
raising it here first.

In general, you are better off putting your modifications in /etc/apparmor.d/local/usr.lib.ipsec.charon as the "local" directory is meant to have the rules the local admin wanted to add. The main profile includes this file so your rules would still work.

The problem was that when I ran the command 'ipsec rereadsecrets' these 
messages appeared in syslog:

Feb 28 14:50:41 myhostname charon: 01[CFG] expanding file expression 
'/etc/ipsec.secrets.d/*' failed
Feb 28 14:50:41 myhostname kernel: [2262128.239395] audit: type=1400 audit(1677556241.557:15): apparmor="DENIED" operation="open" 
profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets.d/" pid=49996 comm="charon" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0

...
/etc/ipsec.secrets r,
/etc/ipsec.*.secrets r,
/etc/ipsec.d/ r,
/etc/ipsec.d/** r,

In your case, maybe it would be simpler to move your secrets files directly to /etc/ipsec.d/*.secrets or, if you prefer, inside a manually created directory like /etc/ipsec.d/secrets/*.secrets.

This way, you wouldn't need to customize the Apparmor profile at all and it would just work.

HTH,
Simon
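As an added example (not from the bug report or from either participant), the following POSIX shell script turns an AppArmor "DENIED" audit line like the one quoted above into the read rules an admin would append to the local override file, and shows the reload step. The sample audit line is constructed to mirror the report; the override path /etc/apparmor.d/local/usr.lib.ipsec.charon is the one Simon names. The function names are this example's own.

```shell
#!/bin/sh
# Added example: derive AppArmor read rules from a DENIED audit line for the
# charon profile, and append them to a local override file.

# Constructed sample, shaped like the kernel audit message in the report.
SAMPLE='audit: type=1400 audit(1677556241.557:15): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets.d/" pid=49996 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print the value of a key="value" field from an audit line.
# $1 = audit line, $2 = key (e.g. name, profile, denied_mask)
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# Emit the AppArmor rules that cover the denied access.
# A directory (trailing slash) needs a rule for itself and one for its
# contents (the "**" glob), matching the style of the shipped profile.
rules_for_denial() {
    line=$1
    path=$(audit_field "$line" name)
    mask=$(audit_field "$line" denied_mask)
    case $path in
        */) printf '%s %s,\n%s** %s,\n' "$path" "$mask" "$path" "$mask" ;;
        *)  printf '%s %s,\n' "$path" "$mask" ;;
    esac
}

# Append the derived rules to an override file. The destination is a
# parameter so the function can be tried on a temporary file first.
# $1 = destination file, $2 = audit line
write_override() {
    dest=$1
    line=$2
    {
        printf '# added by local admin: allow charon to read its secrets directory\n'
        rules_for_denial "$line"
    } >>"$dest"
}

# Show the rules derived from the sample denial.
rules_for_denial "$SAMPLE"

# On the real system (as root), the admin would then run:
#   write_override /etc/apparmor.d/local/usr.lib.ipsec.charon "$SAMPLE"
#   apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon
# and re-check syslog for further apparmor="DENIED" lines from comm="charon".
```

Keeping the rules in the local/ file rather than editing the packaged profile means a package upgrade will not overwrite them, and the parsed profile can be reloaded in place with apparmor_parser -r without restarting charon.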
