[Pkg-swan-devel] Bug#848890: Bug#848890: polished remaining delta for re-review

Christian Ehrhardt christian.ehrhardt at canonical.com
Mon Dec 4 07:27:37 UTC 2017

On Fri, Dec 1, 2017 at 7:14 PM, Gerald Turner <gturner at unzane.com> wrote:
> Hi Christian,
> I don't want to distract from the purpose of this bug report, but I have
> a question regarding one particular piece...

Hi Gerald,
thank you so much - perfect question and not distracting from the
purpose of the bug at all.
I was in this case carrying forward an old change which was (in
Ubuntu) separate from some other changes.
In one of our last runs to synchronize between Ubuntu and Debian this
particular delta was already taken as 9e71a108
"add and install apparmor profiles" into v5.5.1-3.

So I obviously have to drop it from this series ... updated the branch.
Thanks a lot for triggering me to spot this issue.

> On Thu, Nov 30 2017, Christian Ehrhardt wrote:
>> The TL;DR of the remaining changes are:
>> - some fixes (like the stroke apparmor profile)
> Do the Ubuntu packages install AppArmor profiles for charon-systemd and
> swanctl as well?

As you already outlined below the usr.sbin.charon-systemd profile was
added in 5.6.0-1 and we don't have it (yet).
I'm working on a recent merge, once done we will have the same profile
as in Debian (it works fine for me in tests so far).

For usr.sbin.swanctl we already had the same file as in latest Debian.

> FYI, earlier this year I copied the existing usr.lib.ipsec.charon
> profile to usr.sbin.charon-systemd, and created a usr.sbin.swanctl from
> scratch (although it's similar to usr.lib.ipsec.stroke).  Filed bug
> #866327.  Yves-Alexis applied changes in 5.6.0-1.
> I suppose that if there are usr.lib.ipsec.charon or usr.lib.ipsec.stroke
> specific changes coming from Ubuntu, that these should be synchronized
> with the usr.sbin.charon-systemd or usr.sbin.swanctl variants in Debian.

I checked and so far we have no difference left to the profiles used in Debian.
So we should all be good in the sense that no one knows better yet how
to improve the profiles.

Looking towards hopefully enabling apparmor in Buster [1] by default,
strongswan should be in good shape.

[1]: https://lists.debian.org/debian-devel/2017/08/msg00090.html
