[Pkg-swan-devel] Bug#866327: Bug#866327: charon-systemd: Create AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd

Yves-Alexis Perez corsac at debian.org
Fri Jun 30 13:36:42 UTC 2017

On Wed, 2017-06-28 at 13:58 -0700, Gerald Turner wrote:
> Control: tags -1 + patch
> Attached is a patch adapts the work Canonical had done for
> /usr/lib/ipsec/charon policy for /usr/sbin/charon-systemd.
> I've tested the swanctl (client) profile thoroughly, however the
> charon-systemd (daemon) profile had only been tested with relatively few
> plugins.

Thanks! I've integrated your changes locally and will test a few days, but I
have a quite simple setup too.

Once thing I noticed:

juin 30 15:35:03 scapa kernel: audit: type=1400 audit(1498829703.597:80):
apparmor="DENIED" operation="open" profile="/usr/sbin/charon-systemd"
name="/proc/8865/fd/" pid=8865 comm="charon-systemd" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0

But it doesn't seem to prevent it to work correctly.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-swan-devel/attachments/20170630/7d556137/attachment.sig>

More information about the Pkg-swan-devel mailing list