strongSwan AppArmor profile doesn't allow smartcard configuration

In particular, it is the charon profile which doesn't allow access to the PC/SC layer and to the specific smartcard files (depending on the vendor).

For example, with a Gemalto IDPrime .NET card, this is what I get in my logs:

#Jun 29 08:29:46 ubuntu kernel: [ 873.811807] type=1400 audit(1435559386.465:51): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/run/shm/gemalto_idprime_sdata" pid=11356 comm="charon" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
#Jun 29 08:29:46 ubuntu kernel: [ 873.817301] type=1400 audit(1435559386.469:52): apparmor="DENIED" operation="connect" profile="/usr/lib/ipsec/charon" name="/run/pcscd/pcscd.comm" pid=11356 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

@caramba696, smartcard should be improved in Xenial so you might want to re-test.

The Apparmor profile allows charon to access /run/pcscd/pcscd.comm and also include other rules related to smartcards.

according to last update and no response setting to incomplete for now

@sdeziel @paelzer sorry for my delay... I haven't followed this topic since a while.
I will give Xenial a try as soon as possible.
Thanks

It's been almost 6 years since the last update to this bug. Trusty and Xenial have both reached end of standard support. It would be great to have feedback on this one.