Public bug reported:

If configured to do so, strongSwan will cache CRLs to /etc/ipsec.d/crls but AppArmor blocks the creation of the file. Here is the relevant syslog line:

kernel: [400994.988829] audit: type=1400 audit(1444649911.842:37): apparmor="DENIED" operation="mknod" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.d/crls/REDACTED.crl" pid=6098 comm="charon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

Attached is a patch that gives charon r/w access to the /etc/ipsec.d/crls directory.

Package info:
strongswan:
  Installed: 5.1.2-0ubuntu2.3
  Candidate: 5.1.2-0ubuntu2.3

Ubuntu info:
Description: Ubuntu 14.04.3 LTS
Release: 14.04

** Affects: strongswan (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "allow-crl-cache.patch"
   https://bugs.launchpad.net/bugs/1505222/+attachment/4492434/+files/allow-crl-cache.patch

https://bugs.launchpad.net/bugs/1505222

Title:
  strongSwan AppArmor prevents CRL caching
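An added example, not part of the original report or the attached patch: a small parser that reads an AppArmor DENIED record like the one quoted above and derives the narrowest directory-scoped file rule that would cover it. The function names and the choice to generalise the file name to "*" are assumptions made for illustration; the mapping of the log masks "c" and "d" to the profile permission "w" follows AppArmor's profile language, which has no separate create or delete permission.

```python
import posixpath
import re

# Log line quoted in the report (the file name is redacted in the original).
SAMPLE = ('kernel: [400994.988829] audit: type=1400 audit(1444649911.842:37): '
          'apparmor="DENIED" operation="mknod" profile="/usr/lib/ipsec/charon" '
          'name="/etc/ipsec.d/crls/REDACTED.crl" pid=6098 comm="charon" '
          'requested_mask="c" denied_mask="c" fsuid=0 ouid=0')

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

# Audit-log mask letters -> profile file permissions (create/delete need "w").
# Exec ("x") is left out on purpose: it needs a transition mode chosen by hand.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m"}


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for match in KV.finditer(line):
        key, quoted, bare = match.groups()
        value = quoted if quoted is not None else bare
        # The audit subsystem hex-encodes names that contain spaces or quotes.
        if key == "name" and quoted is None and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields if fields.get("apparmor") == "DENIED" else None


def candidate_rule(fields):
    """Build a file rule for the denied path's directory, or None if unclear."""
    try:
        perms = {MASK_TO_PERM[c] for c in fields["denied_mask"]}
        directory = posixpath.dirname(fields["name"])
    except KeyError:
        return None  # missing field or a mask that needs a manual decision
    if "w" in perms:
        perms.discard("a")  # "w" and "a" cannot appear in the same rule
    return f"{directory}/* {''.join(p for p in 'rwaklm' if p in perms)},"


if __name__ == "__main__":
    denial = parse_denial(SAMPLE)
    print(denial["profile"], denial["operation"], candidate_rule(denial))
```

The derived rule is only a starting point for review: it covers the single denial seen in the log, so a profile change may need further permissions (such as read access) that only show up once the first denial is resolved.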