[Pkg-swan-devel] Bug#915147: Bug#915147: strongswan-charon: apparmor profile should allow writing to /etc/resolv.conf

Yves-Alexis Perez corsac at debian.org
Mon Dec 3 08:20:26 GMT 2018


On Fri, 2018-11-30 at 19:03 -0800, Ximin Luo wrote:
> If the VPN one is connecting to wants to add additional DNS servers, charon needs
> write access to /etc/resolv.conf. Otherwise we get an error like the following:
> 
>   # ipsec up XXX
>   [..]
>   IKE_SA XXX{X} established between XXX...YYY
>   adding DNS server failed
>   adding DNS server failed
>   handling INTERNAL_IP4_DNS attribute failed
>   installing new virtual IP XXX
>   [..]
> 
> And in dmesg logs:
> 
>   audit: type=1400 audit(NNN): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/resolv.conf" pid=ZZZ comm="charon" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
>   audit: type=1400 audit(NNN): apparmor="DENIED" operation="unlink" profile="/usr/lib/ipsec/charon" name="/etc/resolv.conf" pid=ZZZ comm="charon" requested_mask="d" denied_mask="d" fsuid=0 ouid=0

Hi,

another solution would be looking at resolvconf. On my strongSwan setup the
gateway provides DNS and it seems to work just fine here with resolvconf
installed, so it might be worth trying it on your side.

Regards,
-- 
Yves-Alexis