[Pkg-swan-devel] Bug#1032110: Apparmor denies access to /etc/ipsec.secrets.d/
Simon Deziel
simon at sdeziel.info
Tue Feb 28 22:20:56 GMT 2023
On 2023-02-28 17:12, James Lownie wrote:
> Hi Simon, thanks for the suggestion. I'm going to wait and see if other people can reproduce this before running any tests; this machine is now in production which makes things awkward. I would have thought putting the secrets in /etc/ipsec.secrets.d/ would just work given it was already in the profile as a directory with read access.
Hmm, I don't see such a *directory* rule in salsa:
https://salsa.debian.org/debian/strongswan/-/blob/debian/master/debian/usr.lib.ipsec.charon#L47-51
Maybe you thought that "/etc/ipsec.*.secrets" covered your dir? If so,
that's not the case because AppArmor needs the trailing "/" to apply to
directories. So the rule "/etc/ipsec.*.secrets" only covers files with a
prefix of "ipsec." and a ".secrets" suffix.
HTH,
Simon
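
The glob behaviour described in the message above, as an added example that is not part of the original post or of the strongSwan packaging: a simplified Python model of AppArmor path matching (only `*`, `**` and `?`), run over the rule quoted in the message and two constructed rules for `/etc/ipsec.secrets.d/`. The file name `foo.secrets` and all function names are assumptions made for the illustration.

```python
import re

def glob_to_regex(rule):
    """Simplified model of AppArmor path globbing (assumption: only '*',
    '**' and '?' are modelled; character classes and {a,b} are not)."""
    out, i, n = [], 0, len(rule)
    while i < n:
        c = rule[i]
        if c == "*":
            j = i
            while j < n and rule[j] == "*":
                j += 1
            # '*' stops at '/', '**' may cross it
            body = "[^/]*" if j - i == 1 else ".*"
            # A glob that is a whole path component must match at least one
            # character, so "/dir/*" does not match the directory "/dir/".
            whole = i > 0 and rule[i - 1] == "/" and (j == n or rule[j] == "/")
            out.append(("[^/]" if whole else "") + body)
            i = j
        elif c == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("".join(out) + r"\Z", re.S)

def rule_covers(rule, path, is_dir=False):
    """True if `rule` matches `path`. A directory is matched under its
    name with a trailing '/', which is why directory rules end in '/'."""
    subject = path.rstrip("/") + "/" if is_dir else path
    return glob_to_regex(rule).match(subject) is not None

FILE_RULE = "/etc/ipsec.*.secrets"         # rule quoted in the message
DIR_RULE = "/etc/ipsec.secrets.d/"         # constructed: the directory itself
DIR_FILES_RULE = "/etc/ipsec.secrets.d/*"  # constructed: files directly in it

# Constructed sample paths: (path, is_directory)
CASES = [("/etc/ipsec.foo.secrets", False),
         ("/etc/ipsec.secrets.d", True),
         ("/etc/ipsec.secrets.d/foo.secrets", False)]

def coverage():
    rules = (FILE_RULE, DIR_RULE, DIR_FILES_RULE)
    return {(r, p): rule_covers(r, p, d) for r in rules for p, d in CASES}

if __name__ == "__main__":
    for (rule, path), ok in coverage().items():
        print(f"{rule:26} {path:34} {'match' if ok else 'no match'}")
```

In this model each rule matches exactly one of the three sample paths, so reading the directory and reading the files in it take separate rules.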