[Pkg-swan-devel] Bug#1032110: Apparmor denies access to /etc/ipsec.secrets.d/
Simon Deziel
simon at sdeziel.info
Tue Feb 28 14:54:15 GMT 2023
On 2023-02-28 00:44, James Lownie wrote:
> Version: 5.9.1-1+deb11u3
> Package: strongswan-charon
> Version: 5.9.1-1+deb11u3
> Severity: normal
> X-Debbugs-Cc: none
>
>
> Dear maintainer,
Hello James, I'm not the maintainer but I've used strongswan with the
Apparmor profiles.
> I ran into a problem using Strongswan which looks like a bug to me. I'm not sure if it's in strongswan-charon or in Apparmor but I fixed it by editing /etc/apparmor.d/usr.lib.ipsec.charon which is strongswan-charon code, so I'm raising it here first.
In general, you are better off putting your modifications in
/etc/apparmor.d/local/usr.lib.ipsec.charon as the "local" directory is
meant to have the rules the local admin wanted to add. The main profile
includes this file so your rules would still work.
> The problem was that when I ran the command 'ipsec rereadsecrets' these messages appeared in syslog:
>
> Feb 28 14:50:41 myhostname charon: 01[CFG] expanding file expression '/etc/ipsec.secrets.d/*' failed
> Feb 28 14:50:41 myhostname kernel: [2262128.239395] audit: type=1400 audit(1677556241.557:15): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets.d/" pid=49996 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
...
> /etc/ipsec.secrets r,
> /etc/ipsec.*.secrets r,
> /etc/ipsec.d/ r,
> /etc/ipsec.d/** r,
In your case, maybe it would be simpler to move your secrets files
directly to /etc/ipsec.d/*.secrets or if you prefer inside a manually
created directory like /etc/ipsec.d/secrets/*.secrets.
This way, you wouldn't need to customize the Apparmor profile at all and
it would just work.
HTH,
Simon
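For readers who do want the separate /etc/ipsec.secrets.d/ directory rather than moving the files, the following is an added example (not code from the thread or from the strongswan package) of turning the audit DENIED line quoted above into rules for the local override file Simon mentions. It assumes that /etc/apparmor.d/local/usr.lib.ipsec.charon is included by the main profile, as the reply states, and that the directory should get the same "dir r, / dir/** r," pair the shipped profile already uses for /etc/ipsec.d/; the audit line is a constructed copy of the one from the report. By default it writes to a temporary file so it can be run without touching /etc.

```shell
#!/bin/sh
# Constructed copy of the kernel audit line from the bug report (assumption:
# the apparmor="DENIED" key=value layout shown there).
DENIAL='Feb 28 14:50:41 myhostname kernel: [2262128.239395] audit: type=1400 audit(1677556241.557:15): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets.d/" pid=49996 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Print the value of a quoted key="value" field from one audit line.
# $1 = audit line, $2 = key name (e.g. name, denied_mask)
audit_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Turn a DENIED line into the AppArmor file rule that would permit exactly
# the denied access: "<path> <denied_mask>,".
denial_to_rule() {
  name=$(audit_field "$1" name)
  mask=$(audit_field "$1" denied_mask)
  printf '%s %s,\n' "$name" "$mask"
}

# Build the local override body. A denied directory (trailing slash) gets the
# directory itself plus everything beneath it, mirroring the existing
# "/etc/ipsec.d/ r," and "/etc/ipsec.d/** r," rules in the shipped profile.
local_override() {
  rule=$(denial_to_rule "$1")
  dir=${rule%% *}
  case $dir in
    */) printf '%s r,\n%s** r,\n' "$dir" "$dir" ;;
    *)  printf '%s\n' "$rule" ;;
  esac
}

# Write the rules to a file and print its path. The second argument is the
# target; it defaults to a temp file so the example is safe to run as-is.
# On the real system the target would be
# /etc/apparmor.d/local/usr.lib.ipsec.charon.
write_override() {
  target=${2:-$(mktemp)}
  local_override "$1" > "$target"
  printf '%s\n' "$target"
}

out=$(write_override "$DENIAL")
echo "rules written to $out:"
cat "$out"
# After editing the real local file, reload the profile with:
#   apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon
```

Matching the denial exactly (directory plus contents, read-only) keeps the override as narrow as the shipped rules for /etc/ipsec.d/, rather than granting charon broader access to /etc.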