Comment 27 for bug 1535951

On 2016-02-16 09:46 AM, mrq1 wrote:
> it looks like strongswan is faking a nat situation if the kernel-libipsec
> is used

This is by design as kernel-libipsec requires ESPinUDP.

As Tobias (Strongswan upstream) said, it's best to not have this on by
default.

> btw: did you get this audit entries too?
>
> # grep audit /var/log/syslog
> Feb 16 07:56:31 kvm-xenial kernel: [240771.376037] audit: type=1400 audit(1455605791.501:866): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31139/fd/" pid=31139 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 16 08:20:30 kvm-xenial kernel: [242210.398331] audit: type=1400 audit(1455607230.525:867): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31165/fd/" pid=31165 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 16 08:37:04 kvm-xenial kernel: [243204.311072] audit: type=1400 audit(1455608224.480:868): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31720/fd/" pid=31720 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 16 08:41:09 kvm-xenial kernel: [243449.474502] audit: type=1400 audit(1455608469.642:869): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31743/fd/" pid=31743 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> Feb 16 08:41:30 kvm-xenial kernel: [243470.304749] audit: type=1400 audit(1455608490.474:870): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/proc/31836/fd/" pid=31836 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I don't get those but I only tested libipsec in a container where there
is no Apparmor. Maybe it's libipsec specific?

Can you add this to the profile and see if it helps:

  owner @{PROC}/@{pid}/fd/ r,