ipset attempts to open additional files so the fwknop apparmor profile needs the following to avoid audit entries:
/etc/host.conf r, /etc/services r, /run/resolvconf/resolv.conf r, The last one because resolvconf which turns /etc/resolv.conf into a symlink to /run/resolvconf/resolv.conf -- Luca Filipozzi
