Bug 1264598 - strongswan: many configuration files are not protected
Status: CLOSED CURRENTRELEASE
Product: Fedora EPEL
Classification: Fedora
Component: strongswan
epel7
Assigned To: Pavel Šimerda (pavlix)
Fedora Extras Quality Assurance
Reported: 2015-09-18 21:02 EDT by Dustin C. Hatch
Modified: 2016-08-10 03:49 EDT
Doc Type: Bug Fix
Last Closed: 2016-08-10 03:49:09 EDT
Type: Bug
Description Dustin C. Hatch 2015-09-18 21:02:59 EDT
Description of problem:
Most of strongSwan's configuration files are not protected from being overwritten during updates. Only the top-level ipsec.conf and strongswan.conf, as well as swanctl/swanctl.conf, are protected. Files under strongswan.d also need to be protected, as that is where module configuration is done.

Steps to Reproduce:
1. Install strongswan
2. Change a module configuration, e.g. add a RADIUS server definition to /etc/strongswan/strongswan.d/charon/eap-radius.conf
3. Update or reinstall strongswan

Actual results:
Changes to the plugin configuration are overwritten with the defaults

Expected results:
Changes should be preserved

Additional info:
According to the documentation[1], the strongswan.d and strongswan.d/charon directories were introduced in version 5.1.2

[1] https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanDirectory
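
An added example (not part of the original report or of the strongswan package) for checking an installed package for the condition described above: it lists packaged files under a configuration prefix that are not flagged %config(noreplace). The helper names and the sample listing are constructed for illustration; the rpm query in the comment is the assumed way to produce real input.

```shell
#!/bin/sh
# Input lines are "<path><TAB><flags>", as printed by:
#   rpm -q --qf '[%{FILENAMES}\t%{FILEFLAGS:fflags}\n]' strongswan
# In the fflags format, "c" marks a %config file and "n" marks noreplace.

# unprotected_configs PREFIX  (hypothetical helper name)
# Reads the listing on stdin and prints every path under PREFIX whose flags
# lack "c" or "n". Exit status is 1 if at least one such path was found.
unprotected_configs() {
    awk -F '\t' -v prefix="$1" '
        index($1, prefix) == 1 {
            if ($2 !~ /c/ || $2 !~ /n/) { print $1; bad = 1 }
        }
        END { exit bad }
    '
}

# Constructed sample modelled on the state the report describes: only the
# three top-level files carry config(noreplace), module configs carry nothing.
sample_listing() {
    printf '%s\t%s\n' \
        /etc/strongswan/ipsec.conf cn \
        /etc/strongswan/strongswan.conf cn \
        /etc/strongswan/swanctl/swanctl.conf cn \
        /etc/strongswan/strongswan.d/charon.conf '' \
        /etc/strongswan/strongswan.d/charon/eap-radius.conf '' \
        /usr/share/man/man8/strongswan_swanctl.8.gz d
}

# Prints the two strongswan.d paths; "|| true" keeps the script going
# because a non-empty result is reported through a non-zero exit status.
sample_listing | unprotected_configs /etc/strongswan/ || true
```

Any path this prints from a real package listing is a file that an update or reinstall can replace with the packaged default.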
Comment 1 Pavel Šimerda (pavlix) 2015-09-24 08:15:34 EDT
I think this could work for us...

diff --git a/strongswan.spec b/strongswan.spec
index ca8b400..9399f05 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -227,12 +227,8 @@ fi
 
 %files
 %doc README README.Fedora COPYING NEWS TODO
-%dir %{_sysconfdir}/%{name}
+%config(noreplace) %{_sysconfdir}/%{name}
 %{_sysconfdir}/%{name}/ipsec.d/
-%config(noreplace) %{_sysconfdir}/%{name}/ipsec.conf
-%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
-%dir %{_sysconfdir}/%{name}/swanctl/
-%config(noreplace) %{_sysconfdir}/%{name}/swanctl/swanctl.conf
 %if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
 %{_unitdir}/%{name}.service
 %{_unitdir}/%{name}-swanctl.service
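Review bot: the new `%config(noreplace) %{_sysconfdir}/%{name}` entry names a directory, so the attribute applies to everything packaged beneath it, and the unchanged `%{_sysconfdir}/%{name}/ipsec.d/` line directly after it now lists the same files a second time without the attribute. Drop that line, or give it an explicit `%config(noreplace)`, so the build does not emit "File listed twice" warnings and the intended flags are unambiguous. Then confirm with `rpm -qc` on the built package that the files under ipsec.d/, swanctl/ and %{name}.d/ are all reported as config files.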
@@ -327,7 +323,6 @@ fi
 %{_mandir}/man8/%{name}_scepclient.8.gz
 %{_mandir}/man8/%{name}_charon-cmd.8.gz
 %{_mandir}/man8/%{name}_swanctl.8.gz
-%{_sysconfdir}/%{name}/%{name}.d/
 %{_datadir}/%{name}/templates/config/
 %{_datadir}/%{name}/templates/database/
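Review bot: removing `%{_sysconfdir}/%{name}/%{name}.d/` here leaves that tree packaged only through the recursive `%config(noreplace) %{_sysconfdir}/%{name}` entry in the first hunk, so if this list belongs to a different `%files` section than that entry, the strongswan.d files change owning package on update. Please confirm which section this is, and add a spec comment at the new entry saying it deliberately covers swanctl/ and %{name}.d/, since neither path is named in the visible lists any more.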
Comment 2 Pavel Šimerda (pavlix) 2015-09-24 08:29:57 EDT
Pushed to rawhide for now.
Comment 3 Pavel Šimerda (pavlix) 2016-08-10 03:49:09 EDT
EPEL packages were recently updated using Fedora Rawhide.
