# Strongswan ## ubuntuでstrongswanしてlogを設定するとapparmorに怒られた話 例えばこんな風にして軽率に `/var/log` 配下にlogを書こうとする ``` jp7fkf@lab1:~$ cat /etc/strongswan.d/charon-logging.conf charon { filelog { default = 1 /var/log/charon.log { path = /var/log/charon.log time_format = %b %e %T ike_name = yes append = no default = 1 flush_line = yes time_add_ms = yes net = 2 tls = 2 knl = 2 } } } ``` しかしlogは `/var/log/charon.log` には出てこない. syslogを覗いてみるとこんなmessageが. ``` Feb 27 16:17:48 lab1 kernel: [ 8212.229038] audit: type=1400 audit(1582820000.905:38): apparmor="DENIED" operation="mknod" profile="/usr/lib/ipsec/charon" name="/var/log/charon.log" pid=16202 comm="charon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 ``` > apparmor="DENIED" と言われているのでapparmorで `/var/log/charon.log` への書き込みが弾かれてるっぽい. 適切に権限をあげればいい気がする. apparmorに`/var/log/charon.log*`への書き込み権限を加える `/etc/apparmor.d/` 配下でcharonのapparmor settingを見ていじる. ``` jp7fkf@lab1:~$ sudo cat /etc/apparmor.d/usr.lib.ipsec.charon # ------------------------------------------------------------------ # # Copyright (C) 2016 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # Author: Jonathan Davies # Ryan Harper # # ------------------------------------------------------------------ #include /usr/lib/ipsec/charon flags=(attach_disconnected) { #include #include #include #include #include capability ipc_lock, capability net_admin, capability net_raw, # allow priv dropping (LP: #1333655) capability chown, capability setgid, capability setuid, # libcharon-extra-plugins: xauth-pam capability audit_write, # libstrongswan-standard-plugins: agent capability dac_override, capability net_admin, capability net_raw, network, network raw, /bin/dash rmPUx, # libchron-extra-plugins: kernel-libipsec /dev/net/tun rw, /etc/ipsec.conf r, /etc/ipsec.secrets r, /etc/ipsec.*.secrets r, /etc/ipsec.d/ r, /etc/ipsec.d/** r, /etc/ipsec.d/crls/* rw, /etc/opensc/opensc.conf r, /etc/strongswan.conf r, /etc/strongswan.d/ r, /etc/strongswan.d/** r, /etc/tnc_config r, /proc/sys/net/core/xfrm_acq_expires w, /run/charon.* rw, /run/pcscd/pcscd.comm rw, /usr/lib/ipsec/charon rmix, /usr/lib/ipsec/imcvs/ r, /usr/lib/ipsec/imcvs/** rm, /usr/lib/*/opensc-pkcs11.so rm, /var/lib/strongswan/* r, /var/log/charon.log* rw, # ここに/var/log/charon.log*のrw権限をつける. # for using the ha plugin (LP: #1773956) @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r, @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw, # Site-specific additions and overrides. See local/README for details. #include } ``` あとはapparmorをreloadさせる. `sudo systemctl reload apparmor.service` するとlogがちゃんと出てくる. ``` jp7fkf@lab1:~$ cat /var/log/charon.log Feb 27 16:22:44.144 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.0.0-1031-gcp, x86_64) Feb 27 16:22:44.454 00[KNL] known interfaces and IP addresses: Feb 27 16:22:44.454 00[KNL] lo Feb 27 16:22:44.454 00[KNL] 127.0.0.1 Feb 27 16:22:44.454 00[KNL] ::1 (omit...) ``` めでたし.