[Pkg-swan-devel] Bug#866327: charon-systemd: Create AppArmor profiles for /usr/sbin/swanctl and /usr/sbin/charon-systemd

Gerald Turner gturner at unzane.com
Mon Jul 3 17:12:46 UTC 2017


On Fri, Jun 30 2017, Yves-Alexis Perez wrote:
> Thanks! I've integrated your changes locally and will test a few days,
> but I have a quite simple setup too.

Great!

> One thing I noticed:
>
> juin 30 15:35:03 scapa kernel: audit: type=1400
> audit(1498829703.597:80): apparmor="DENIED" operation="open"
> profile="/usr/sbin/charon-systemd" name="/proc/8865/fd/" pid=8865
> comm="charon-systemd" requested_mask="r" denied_mask="r" fsuid=0
> ouid=0
>
> But it doesn't seem to prevent it from working correctly.

Perhaps that originates from the function "closefrom(lowfd)" in
src/libstrongswan/utils/utils.c, invoked by the function
"process_start(...)" in src/libstrongswan/utils/process.c, invoked by
updown, resolve, ext_auth, and eap_sim plugins.  I'm not using any of
those plugins.  My guess is the following AppArmor profile entry would
suffice:

  @{PROC}/@{pid}/fd/ r,

-- 
Gerald Turner <gturner at unzane.com>        Encrypted mail preferred!
OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80  3858 EC94 2276 FDB8 716D
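As an added example (not code from the thread or from strongSwan), the following script turns an AppArmor audit denial like the one quoted above into the kind of profile rule proposed in the reply, and then checks what that rule would actually match. The sample line is the one from the thread, the parsing regex and the function names are my own, and the only AppArmor facts relied on are that `@{PROC}` expands to `/proc` and `@{pid}` matches the confined process's own pid.

```python
import re

# Constructed sample input: the DENIED audit record from the thread, on one line.
SAMPLE_DENIAL = (
    'juin 30 15:35:03 scapa kernel: audit: type=1400 '
    'audit(1498829703.597:80): apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/charon-systemd" name="/proc/8865/fd/" pid=8865 '
    'comm="charon-systemd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
)

# key=value pairs, either "quoted" or bare (pid=8865, fsuid=0).
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_audit(line):
    """Parse the key=value fields of an AppArmor audit record into a dict.

    Returns None for lines that are not AppArmor records at all.
    """
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in _KV_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(4)
        fields[key] = value
    return fields


def abstract_path(path, pid=None):
    """Rewrite a concrete /proc path into AppArmor variable form.

    /proc/<own pid>/... becomes @{PROC}/@{pid}/..., so the rule only covers
    the confined process's own entry instead of a fixed pid (or every pid).
    """
    if pid is not None:
        own = f'/proc/{pid}/'
        if path.startswith(own):
            return '@{PROC}/@{pid}/' + path[len(own):]
    if path.startswith('/proc/'):
        return '@{PROC}/' + path[len('/proc/'):]
    return path


def suggest_rule(fields):
    """Build a minimal file rule granting exactly the denied access mask."""
    if fields is None or fields.get('apparmor') != 'DENIED':
        return None
    path = abstract_path(fields['name'], fields.get('pid'))
    mask = fields.get('denied_mask') or fields.get('requested_mask')
    return f'{path} {mask},'


def rule_matches(rule, path, pid):
    """Expand @{PROC}/@{pid} for a given process and test it against a path.

    Used here to confirm the suggested rule covers the process's own fd
    directory but not another process's.
    """
    rule_path = rule.rsplit(' ', 1)[0]
    expanded = rule_path.replace('@{PROC}', '/proc').replace('@{pid}', str(pid))
    return expanded == path


if __name__ == '__main__':
    fields = parse_apparmor_audit(SAMPLE_DENIAL)
    rule = suggest_rule(fields)
    print(f'profile {fields["profile"]}: add "{rule}"')
    print('covers own /proc/<pid>/fd/:', rule_matches(rule, '/proc/8865/fd/', 8865))
    print('covers another pid:', rule_matches(rule, '/proc/1/fd/', 8865))
```

Running it prints the rule `@{PROC}/@{pid}/fd/ r,` for the `/usr/sbin/charon-systemd` profile, which is the read access `closefrom()` needs to enumerate its own open descriptors; the final check shows why `@{pid}` is preferable to a wildcard, since the rule does not grant reads of other processes' fd directories.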