Confirmed based on https://wiki.strongswan.org/projects/strongswan/wiki/ConfigSetupSection: "if enabled, certificate revocation lists (CRLs) fetched via HTTP or LDAP will be cached in /etc/ipsec.d/crls/ under a unique file name derived from the certification authority's public key"
So /etc/ipsec.d/crls/* does need write access in the AppArmor profile as you have suggested.

** Changed in: strongswan (Ubuntu)
       Status: New => Triaged

** Tags added: bitesize

https://bugs.launchpad.net/bugs/1505222

Title:
  strongSwan AppArmor prevents CRL caching