ubuntuでstrongswanしてlogを設定するとapparmorに殴られた
ubuntuの鎧が硬かったのでメモっておく.charonはデフォでsyslogにlogを吐いてくるのでややウザく,/var/log/charon/log
にログ出力しようとしたのが事の発端.
例えばこんな風にして軽率に/var/log
配下にlogを書こうとする
jp7fkf@lab1:~$ cat /etc/strongswan.d/charon-logging.conf charon { filelog { default = 1 /var/log/charon.log { path = /var/log/charon.log time_format = %b %e %T ike_name = yes append = no default = 1 flush_line = yes time_add_ms = yes net = 2 tls = 2 knl = 2 } } }
しかしlogは/var/log/charon.log
には出てこない.
syslogを覗いてみるとこんなmessageが.
Feb 27 22:17:48 lab1 kernel: [ 8212.229038] audit: type=1400 audit(1582820000.905:38): apparmor="DENIED" operation="mknod" profile="/usr/lib/ipsec/charon" name="/var/log/charon.log" pid=16202 comm="charon" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
apparmor="DENIED"
と言われているのでapparmorで/var/log/charon.log
への書き込みが弾かれてるっぽい.
適切に権限をあげればいい気がする.
apparmorに/var/log/charon.log*
への書き込み権限を加える.
/etc/apparmor.d/
配下でcharonのapparmor settingを見ていじる.
jp7fkf@lab1:~$ sudo cat /etc/apparmor.d/usr.lib.ipsec.charon # ------------------------------------------------------------------ # # Copyright (C) 2016 Canonical Ltd. # # This program is free software; you can redistribute it and/or # modify it under the terms of version 2 of the GNU General Public # License published by the Free Software Foundation. # # Author: Jonathan Davies <jonathan.davies@canonical.com> # Ryan Harper <ryan.harper@canonical.com> # # ------------------------------------------------------------------ #include <tunables/global> /usr/lib/ipsec/charon flags=(attach_disconnected) { #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/authentication> #include <abstractions/openssl> #include <abstractions/p11-kit> capability ipc_lock, capability net_admin, capability net_raw, # allow priv dropping (LP: #1333655) capability chown, capability setgid, capability setuid, # libcharon-extra-plugins: xauth-pam capability audit_write, # libstrongswan-standard-plugins: agent capability dac_override, capability net_admin, capability net_raw, network, network raw, /bin/dash rmPUx, # libchron-extra-plugins: kernel-libipsec /dev/net/tun rw, /etc/ipsec.conf r, /etc/ipsec.secrets r, /etc/ipsec.*.secrets r, /etc/ipsec.d/ r, /etc/ipsec.d/** r, /etc/ipsec.d/crls/* rw, /etc/opensc/opensc.conf r, /etc/strongswan.conf r, /etc/strongswan.d/ r, /etc/strongswan.d/** r, /etc/tnc_config r, /proc/sys/net/core/xfrm_acq_expires w, /run/charon.* rw, /run/pcscd/pcscd.comm rw, /usr/lib/ipsec/charon rmix, /usr/lib/ipsec/imcvs/ r, /usr/lib/ipsec/imcvs/** rm, /usr/lib/*/opensc-pkcs11.so rm, /var/lib/strongswan/* r, /var/log/charon.log* rw, # ここに/var/log/charon.log*のrw権限をつける. # for using the ha plugin (LP: #1773956) @{PROC}/@{pid}/net/ipt_CLUSTERIP/ r, @{PROC}/@{pid}/net/ipt_CLUSTERIP/* rw, # Site-specific additions and overrides. See local/README for details. #include <local/usr.lib.ipsec.charon> }
あとはapparmorをreloadさせる.
sudo systemctl reload apparmor.service
するとlogがちゃんと出てくる.
jp7fkf@lab1:~$ cat /var/log/charon.log Feb 27 22:22:44.144 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.0.0-1031-gcp, x86_64) Feb 27 22:22:44.454 00[KNL] known interfaces and IP addresses: Feb 27 22:22:44.454 00[KNL] lo Feb 27 22:22:44.454 00[KNL] 127.0.0.1 Feb 27 22:22:44.454 00[KNL] ::1 (omit...)
めでたし.