I'm trying to adjust an AppArmor profile after I found some guidance that it should be disabled for my use-case (not too happy running an IPSec daemon naked).
So I've tried to put it in complain mode and this fixed the issue, but without actually revealing what the cause was; I had expected aa-logprof to help me there but it came back empty.
Digging a little further, I discovered this smoking gun in /var/log/messages (before enabling complain mode):
type=1400 audit(1470858266.974:84): apparmor="DENIED" operation="capable" profile="/usr/lib/ipsec/charon" pid=27117 comm="charon" capability=1 capname="dac_override"
Enabling complain mode yields:
type=1400 audit(1470855949.106:69): apparmor="ALLOWED" operation="capable" profile="/usr/lib/ipsec/charon" pid=4674 comm="charon" capability=1 capname="dac_override"
So it looks like capability dac_override is what's missing (and indeed, if I manually add it to the profile, it works).
But I'm puzzled as to why this wasn't explicitly revealed by complain. Does complain transparently enable dac_override?
I'm rather new to AppArmor; I did spend a fair bit of time today trying to parse the documentation but couldn't find any reference to this behaviour...
(apparmor 2.8.95~2430-0ubuntu5.3 on Ubuntu 14.04, kernel 3.13.0-92)
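As an added example (not part of the question, and not AppArmor's own aa-logprof), the following Python script parses type=1400 audit lines like the two quoted above and collapses both DENIED (enforce mode) and ALLOWED (complain mode) "capable" events into the capability rules a profile is missing. The log lines embedded in it are constructed for the example and modelled on the ones in the post.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the audit messages quoted in the post
# (enforce mode logs DENIED, complain mode logs ALLOWED). Not real log data.
SAMPLE_LOG = """\
type=1400 audit(1470858266.974:84): apparmor="DENIED" operation="capable" profile="/usr/lib/ipsec/charon" pid=27117 comm="charon" capability=1 capname="dac_override"
type=1400 audit(1470855949.106:69): apparmor="ALLOWED" operation="capable" profile="/usr/lib/ipsec/charon" pid=4674 comm="charon" capability=1 capname="dac_override"
type=1400 audit(1470855950.000:70): apparmor="ALLOWED" operation="open" profile="/usr/lib/ipsec/charon" name="/etc/ipsec.secrets" pid=4674 comm="charon" requested_mask="r" denied_mask="r"
type=1400 audit(1470855951.000:71): apparmor="STATUS" operation="profile_replace" name="/usr/lib/ipsec/charon" pid=4700 comm="apparmor_parser"
"""

# Matches key="quoted value" or key=bareword pairs in an audit line.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return a dict of key/value fields from one AppArmor audit line, or None."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def capability_events(log_text):
    """Yield (status, profile, capname) for every 'capable' event. Both DENIED
    (enforce) and ALLOWED (complain) indicate a rule the profile lacks."""
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get('operation') == 'capable' and f.get('apparmor') in ('DENIED', 'ALLOWED'):
            yield f['apparmor'], f['profile'], f['capname']


def suggest_rules(log_text):
    """Map each profile path to the sorted list of 'capability X,' rules the log implies."""
    needed = defaultdict(set)
    for _status, profile, capname in capability_events(log_text):
        needed[profile].add('capability %s,' % capname)
    return {profile: sorted(rules) for profile, rules in needed.items()}


if __name__ == '__main__':
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(profile)
        for rule in rules:
            print('  ' + rule)
```

Feed it real lines with `suggest_rules(open('/var/log/messages').read())` and compare the output against what aa-logprof proposes; capability events that only ever appear as ALLOWED are easy to miss when reading the log by eye.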