Public bug reported:

If configured to do so, strongSwan will cache CRLs to /etc/ipsec.d/crls but AppArmor blocks the creation of the file. Here is the relevant syslog line:

kernel: [400994.988829] audit: type=1400 audit(1444649911.842:37): apparmor="DENIED" operation="mknod" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.d/crls/REDACTED.crl" pid=6098 comm="charon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Attached is a patch that gives charon r/w access to the /etc/ipsec.d/crls directory.

Package info:
strongswan:
  Installed: 5.1.2-0ubuntu2.3
  Candidate: 5.1.2-0ubuntu2.3

Ubuntu info:
Description: Ubuntu 14.04.3 LTS
Release: 14.04

** Affects: strongswan (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "allow-crl-cache.patch"
   https://bugs.launchpad.net/bugs/1505222/+attachment/4492434/+files/allow-crl-cache.patch

https://bugs.launchpad.net/bugs/1505222

Title:
  strongSwan AppArmor prevents CRL caching
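
As an added example (not part of the bug report or its attached patch): a small Python parser that turns AppArmor denials like the one quoted above into candidate profile rules for review. The function names and the second log line are constructed for illustration; the derived rule covers only the denied create, whereas the reporter's patch grants r/w.

```python
import posixpath
import re

# Constructed sample: the denial quoted in the report, plus one unrelated line.
SAMPLE_LOG = [
    'kernel: [400994.988829] audit: type=1400 audit(1444649911.842:37): '
    'apparmor="DENIED" operation="mknod" profile="/usr/lib/ipsec/charon" '
    'name="/etc/ipsec.d/crls/REDACTED.crl" pid=6098 comm="charon" '
    'requested_mask="c" denied_mask="c" fsuid=0 ouid=0',
    'charon: 05[CFG] unrelated daemon message (constructed)',
]

# Log mask letter -> profile permission. The kernel logs create (c) and
# delete (d) separately; in profile syntax both are granted by "w".
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        # The audit layer hex-encodes names containing spaces or quotes.
        if key == "name" and HEX.fullmatch(bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = quoted or bare
    return fields if fields.get("apparmor") == "DENIED" else None


def candidate_rule(fields, whole_directory=True):
    """Build a file rule covering one denial, as a starting point for review."""
    mask = fields.get("denied_mask", "")
    perms = {MASK_TO_PERM[m] for m in mask if m in MASK_TO_PERM}
    if not perms or "name" not in fields:
        return None  # e.g. exec denials need a transition mode chosen by hand
    path = fields["name"]
    if whole_directory:  # cached CRL file names vary, so glob the basename
        path = posixpath.join(posixpath.dirname(path), "*")
    return "%s %s," % (path, "".join(sorted(perms)))


def rules_by_profile(lines):
    """Map each confining profile to the sorted rules its denials suggest."""
    out = {}
    for fields in filter(None, map(parse_denial, lines)):
        rule = candidate_rule(fields)
        if rule:
            out.setdefault(fields.get("profile", "?"), set()).add(rule)
    return {profile: sorted(rules) for profile, rules in out.items()}
```

Calling `rules_by_profile(SAMPLE_LOG)` yields one write rule for the charon profile; any suggested rule should be checked against the profile before it is widened to a whole directory.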