Comment 4 for bug 1970455

Andreas Hasenack (ahasenack) wrote :

Here is my take on this:

- we have a DEP8 test that creates a strongswan vpn, and I haven't seen this error there
- that tells me that it's only certain configurations that trigger this (confirming what is said in the bug description)
- should we allow writing to resolv.conf in all cases? That's what we are a bit uncomfortable with. For such specific local configurations, the /etc/apparmor.d/local/ mechanism is a good fit and something the administrator can add
- of course, it might not be easy to reach that conclusion: troubleshooting ipsec vpns is not easy
- if the need to update resolv.conf is something we can easily detect at service startup time, and if it comes from a sane/secure source (like a config file that only root can write to), then one possible change we could make to the package, and which would be a compromise, is to dynamically adapt the profile if that scenario is detected.