On Fri, Jun 30 2017, Yves-Alexis Perez wrote:
> Thanks! I've integrated your changes locally and will test a few days,
> but I have a quite simple setup too.

Great!

> One thing I noticed:
>
> juin 30 15:35:03 scapa kernel: audit: type=1400
> audit(1498829703.597:80): apparmor="DENIED" operation="open"
> profile="/usr/sbin/charon-systemd" name="/proc/8865/fd/" pid=8865
> comm="charon-systemd" requested_mask="r" denied_mask="r" fsuid=0
> ouid=0
>
> But it doesn't seem to prevent it from working correctly.

Perhaps that originates from the function "closefrom(lowfd)" in
src/libstrongswan/utils/utils.c, invoked by the function
"process_start(...)"  in src/libstrongswan/utils/process.c, invoked by
updown, resolve, ext_auth, and eap_sim plugins.  I'm not using any of
those plugins.  My guess is the following AppArmor profile entry would
suffice:

  @{PROC}/@{pid}/fd/ r,

-- 
Gerald Turner <gtur...@unzane.com>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D
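As an added example (not code from the thread or from strongSwan), a small Python script that parses AppArmor audit records like the one quoted above and derives the candidate profile rule, generalising the PID into @{pid} and the /proc prefix into @{PROC} the way the proposed rule does. The sample log lines are constructed; the second and third are not from the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: the denial quoted in the thread, a second occurrence
# from another charon-systemd PID, and a record that is not a denial.
SAMPLE_LOG = """\
audit: type=1400 audit(1498829703.597:80): apparmor="DENIED" operation="open" profile="/usr/sbin/charon-systemd" name="/proc/8865/fd/" pid=8865 comm="charon-systemd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1498830011.102:91): apparmor="DENIED" operation="open" profile="/usr/sbin/charon-systemd" name="/proc/9001/fd/" pid=9001 comm="charon-systemd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1498830012.417:92): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/charon-systemd" pid=9010 comm="apparmor_parser"
"""

# key=value pairs; values are either double-quoted strings or bare tokens
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one AppArmor audit record."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def suggest_rule(fields: Dict[str, str]) -> Optional[str]:
    """Turn a DENIED file-access record into a candidate profile rule.
    The PID in the path becomes @{pid} and the /proc prefix becomes @{PROC},
    so the rule is not tied to the one process that triggered the denial.
    """
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    mask = fields.get("denied_mask") or fields.get("requested_mask")
    if not mask:
        return None
    path, pid = fields["name"], fields.get("pid")
    if pid and path.startswith("/proc/"):
        path = re.sub(r"^/proc/" + re.escape(pid) + r"(?=/|$)", "/proc/@{pid}", path)
        path = "@{PROC}/" + path[len("/proc/"):]
    return f"{path} {mask},"


def suggest_rules(log_text: str) -> Dict[str, List[str]]:
    """Map each profile to the de-duplicated rules its denials call for."""
    out: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        rule = suggest_rule(fields)
        profile = fields.get("profile", "<unknown profile>")
        if rule and rule not in out.setdefault(profile, []):
            out[profile].append(rule)
    return out
```

Run on the sample log it yields exactly one rule for /usr/sbin/charon-systemd, `@{PROC}/@{pid}/fd/ r,`, which is the entry proposed above.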