On 2023-02-28 17:12, James Lownie wrote:
Hi Simon, thanks for the suggestion. I'm going to wait and see if other people
can reproduce this before running any tests; this machine is now in production,
which makes things awkward. I would have thought putting the secrets in
/etc/ipsec.secrets.d/ would just work, given it was already in the profile as a
directory with read access.
Hmm, I don't see such a *directory* rule in salsa:
https://salsa.debian.org/debian/strongswan/-/blob/debian/master/debian/usr.lib.ipsec.charon#L47-51
Maybe you thought that "/etc/ipsec.*.secrets" covered your dir? If so,
that's not the case, because AppArmor needs the trailing "/" to apply to
directories. So the rule "/etc/ipsec.*.secrets" only covers files with a
prefix of "ipsec." and a ".secrets" suffix.
HTH,
Simon
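To make the globbing point above concrete, here is an added example (not from the thread or the Debian strongswan package) that models AppArmor's documented file-glob semantics, where `*` and `?` never cross a `/` and `**` does, and checks which paths the quoted rule actually covers. The directory-rule strings `DIR_RULE` and `DIR_CONTENTS_RULE` and the sample paths are constructed for illustration; character classes and `{a,b}` alternation are not modelled.

```python
import re

# Constructed example, not from the thread or the Debian strongswan profile.
# Simplified model of AppArmor file-glob semantics: '*' and '?' never cross '/',
# '**' does; everything else is literal.
def apparmor_glob_to_regex(rule: str) -> re.Pattern:
    parts, i = [], 0
    while i < len(rule):
        if rule.startswith("**", i):
            parts.append(".*")        # '**' spans directory boundaries
            i += 2
        elif rule[i] == "*":
            parts.append("[^/]*")     # '*' stops at the next '/'
            i += 1
        elif rule[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(rule[i]))
            i += 1
    return re.compile("".join(parts))

def rule_covers(rule: str, path: str) -> bool:
    """True if an AppArmor path rule applies to `path`.
    Directories are written with a trailing '/', as AppArmor requires."""
    return apparmor_glob_to_regex(rule).fullmatch(path) is not None

def coverage(rules, paths):
    """Map each path to the rules that grant access to it (empty list = not covered)."""
    return {p: [r for r in rules if rule_covers(r, p)] for p in paths}

# The rule discussed in the thread, versus hypothetical rules that name the
# directory itself and its direct contents.
RULE_FROM_THREAD = "/etc/ipsec.*.secrets"
DIR_RULE = "/etc/ipsec.secrets.d/"
DIR_CONTENTS_RULE = "/etc/ipsec.secrets.d/*"

SAMPLE_PATHS = [                          # constructed sample paths
    "/etc/ipsec.site.secrets",            # what the glob really matches
    "/etc/ipsec.secrets.d/",              # the directory itself
    "/etc/ipsec.secrets.d/vpn1.secrets",  # a file inside it
]

if __name__ == "__main__":
    for path, hits in coverage([RULE_FROM_THREAD], SAMPLE_PATHS).items():
        print(f"{path:40s} covered by {hits or 'nothing'}")
    for path, hits in coverage([DIR_RULE, DIR_CONTENTS_RULE], SAMPLE_PATHS).items():
        print(f"{path:40s} covered by {hits or 'nothing'}")
```

Running it shows the quoted rule covering only `/etc/ipsec.site.secrets`, while the directory and the file beneath it are reached only by the rules that spell out the directory with its trailing `/`.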