[Pkg-swan-devel] Bug#915147: strongswan-charon: apparmor profile should allow writing to /etc/resolv.conf
Ximin Luo
infinity0 at debian.org
Sat Dec 1 03:03:18 GMT 2018
Package: strongswan-charon
Version: 5.7.1-1
Severity: important
Tags: patch
Dear Maintainer,
If the VPN one is connecting to wants to add additional DNS servers, charon needs
write access to /etc/resolv.conf. Otherwise we get an error like the following:
# ipsec up XXX
[..]
IKE_SA XXX{X} established between XXX...YYY
adding DNS server failed
adding DNS server failed
handling INTERNAL_IP4_DNS attribute failed
installing new virtual IP XXX
[..]
And in dmesg logs:
audit: type=1400 audit(NNN): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/resolv.conf" pid=ZZZ comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(NNN): apparmor="DENIED" operation="unlink" profile="/usr/lib/ipsec/charon" name="/etc/resolv.conf" pid=ZZZ comm="charon" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
Note that the "#include <abstractions/nameservice>" that already exists in charon's profile is only for *read* access to /etc/resolv.conf, but charon really does need write access.
A patch that worked for me was:
--- /etc/apparmor.d/usr.lib.ipsec.charon 2018-11-30 19:02:12.585715570 -0800
+++ /etc/apparmor.d/usr.lib.ipsec.charon 2018-11-30 18:50:39.850426475 -0800
@@ -68,6 +68,8 @@
/var/lib/strongswan/* r,
+ /etc/resolv.conf w,
+
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.lib.ipsec.charon>
}
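Review bot: the rule `/etc/resolv.conf w,` is sufficient for both denials quoted above (the open with requested_mask "wc" and the unlink with mask "d"), because AppArmor's w permission also covers create and delete; it would be worth stating that in the changelog so the rule is not later "tightened" to something that breaks the unlink path again. One caveat on the rule itself: AppArmor mediates file access on the resolved path, so on systems where /etc/resolv.conf is a symlink into /run (resolvconf or systemd-resolved setups) this line alone would not cover the target file; the denial lines in this report name /etc/resolv.conf directly, so it is a regular file on the reporter's system.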
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable'), (300, 'unstable'), (100, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.18.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages strongswan-charon depends on:
ii debconf [debconf-2.0] 1.5.69
ii iproute2 4.18.0-2
ii libc6 2.27-8
pn libstrongswan <none>
pn strongswan-libcharon <none>
pn strongswan-starter <none>
strongswan-charon recommends no packages.
strongswan-charon suggests no packages.
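As an added illustration (not part of the bug report or the strongswan package), the following script parses the two AppArmor denial lines quoted above and collapses their requested masks into the file rule a profile fix needs; the sample input is constructed from the report's own lines, and the mask-folding (create/delete/append into w) reflects apparmor.d(5) permission semantics.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the report (placeholders NNN/ZZZ kept).
SAMPLE_DMESG = """\
audit: type=1400 audit(NNN): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/resolv.conf" pid=ZZZ comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
audit: type=1400 audit(NNN): apparmor="DENIED" operation="unlink" profile="/usr/lib/ipsec/charon" name="/etc/resolv.conf" pid=ZZZ comm="charon" requested_mask="d" denied_mask="d" fsuid=0 ouid=0
"""

# key="value" pairs as they appear in audit lines (unquoted fields like pid=ZZZ are ignored)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(text):
    """Yield a dict of quoted fields for every apparmor="DENIED" line."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = dict(KV_RE.findall(line))
        if {"profile", "name", "denied_mask"} <= fields.keys():
            yield fields


def normalise_mask(mask):
    """Fold an audit mask into AppArmor rule letters.

    In AppArmor the w permission already implies create (c), delete (d) and
    append (a), so an open denied with "wc" and an unlink denied with "d" both
    need just 'w'. Exec denials ('x') need an execute qualifier (ix/px/ux) that
    cannot be inferred from the log, so they are left out of the suggestion.
    """
    perms = set()
    for ch in mask:
        if ch in "acdw":
            perms.add("w")
        elif ch in "rkml":
            perms.add(ch)
    return perms


def suggest_rules(text):
    """Return {profile: {path: perms}} summarising what each profile is missing."""
    needed = defaultdict(lambda: defaultdict(set))
    for d in parse_denials(text):
        needed[d["profile"]][d["name"]] |= normalise_mask(d["denied_mask"])
    return {prof: {path: "".join(sorted(ms)) for path, ms in paths.items()}
            for prof, paths in needed.items()}


if __name__ == "__main__":
    for profile, paths in suggest_rules(SAMPLE_DMESG).items():
        print(f"# profile {profile} is missing:")
        for path, perms in paths.items():
            print(f"  {path} {perms},")
```

For the report's two lines this yields a single `/etc/resolv.conf w,` for the charon profile, matching the patch above.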