On Fri, Jun 30 2017, Yves-Alexis Perez wrote:
> Thanks! I've integrated your changes locally and will test a few days,
> but I have a quite simple setup too.

Great!

> One thing I noticed:
>
> juin 30 15:35:03 scapa kernel: audit: type=1400
> audit(1498829703.597:80): apparmor="DENIED" operation="open"
> profile="/usr/sbin/charon-systemd" name="/proc/8865/fd/" pid=8865
> comm="charon-systemd" requested_mask="r" denied_mask="r" fsuid=0
> ouid=0
>
> But it doesn't seem to prevent it from working correctly.

Perhaps that originates from the function "closefrom(lowfd)" in
src/libstrongswan/utils/utils.c, invoked by the function
"process_start(...)" in src/libstrongswan/utils/process.c, invoked by
updown, resolve, ext_auth, and eap_sim plugins. I'm not using any of
those plugins.

My guess is the following AppArmor profile entry would suffice:

    @{PROC}/@{pid}/fd/ r,

-- 
Gerald Turner <gtur...@unzane.com> Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
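An added example, not part of the thread and not strongSwan or AppArmor code: a small Python helper that parses the audit record quoted in the message and derives the candidate profile line suggested in the reply. The function names are hypothetical, and the sample input is the record from the message with the journal prefix removed.

```python
import re

# Audit record quoted in the message above, journal prefix removed.
SAMPLE = (
    'audit: type=1400 audit(1498829703.597:80): apparmor="DENIED" '
    'operation="open" profile="/usr/sbin/charon-systemd" '
    'name="/proc/8865/fd/" pid=8865 comm="charon-systemd" '
    'requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields if fields.get("apparmor") == "DENIED" else None


def rule_perms(mask):
    """Map an audit mask to profile permissions (create/delete become w)."""
    perms = []
    for ch in mask:
        ch = "w" if ch in "cd" else ch
        if ch not in perms:
            perms.append(ch)
    return "".join(perms)


def suggest_rule(fields):
    """Return (profile, candidate file rule) for one parsed denial."""
    path = fields["name"]
    # Generalise /proc/<pid>/ only when <pid> is the confined process itself;
    # any other path is kept literal so it gets reviewed by hand.
    own = re.match(r"/proc/(\d+)(/.*)?$", path)
    if own and own.group(1) == fields.get("pid"):
        path = "@{PROC}/@{pid}" + (own.group(2) or "")
    return fields["profile"], f"{path} {rule_perms(fields['denied_mask'])},"


if __name__ == "__main__":
    profile, rule = suggest_rule(parse_denial(SAMPLE))
    print(f"profile {profile}: {rule}")
```

In the stock AppArmor tunables `@{pid}` matches any numeric PID, so the generated line is broader than the single path that was denied.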