[Bug 665483] New: aa-genprof does not suggest network rule for raw socket
https://bugzilla.novell.com/show_bug.cgi?id=665483
https://bugzilla.novell.com/show_bug.cgi?id=665483#c0

Summary: aa-genprof does not suggest network rule for raw socket
Classification: openSUSE
Product: openSUSE 11.4
Version: Factory
Platform: x86-64
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: mike@mk-sys.cz
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b10pre) Gecko/20110117 Firefox/4.0b10pre

When creating an AppArmor profile for the attached program using aa-genprof, only rules for the capabilities net_admin and net_raw are suggested, but the program needs "network inet raw" to run successfully.

Reproducible: Always

Steps to Reproduce:
1. install the iptables-devel package
2. compile the attached program with 'gcc -o iptc_test iptc_test.c -lip4tc'
3. create an AppArmor profile for it using aa-genprof
4. allow the rules for capabilities net_admin and net_raw when asked
5. try running the program with the profile in enforce mode

Actual Results:
The call to iptc_first_rule() fails (the program finishes with exit code 1) and the audit log contains a line like

type=AVC msg=audit(1295437827.974:210): apparmor="DENIED" operation="create" parent=7194 profile="/root/bin/iptc_test" pid=20700 comm="iptc_test" family="inet" sock_type="raw" protocol=255

After adding "network inet raw" to the profile, the program runs successfully.

Expected Results:
aa-genprof should suggest the "network inet raw" rule as well.

version: apparmor-utils-2.5.1-45.1.noarch
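As an added example (not part of the bug report and not the aa-genprof code), the script below shows the translation the report expects the tool to make: an AppArmor AVC record that carries family= and sock_type= fields is a network mediation denial and maps onto a "network <family> <sock_type>," rule, independently of any "capability" rule. The first sample line is the audit record quoted in the report; the capability and ALLOWED lines, and the capname= field they use, are constructed for the example and assumed to follow the same key=value format.

```python
import re

# Constructed sample log. Line 1 is the record quoted in the bug report;
# the remaining lines are constructed for this example (the capname= field
# name is an assumption, not taken from the report).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1295437827.974:210): apparmor="DENIED" operation="create" parent=7194 profile="/root/bin/iptc_test" pid=20700 comm="iptc_test" family="inet" sock_type="raw" protocol=255
type=AVC msg=audit(1295437827.970:208): apparmor="DENIED" operation="capable" parent=7194 profile="/root/bin/iptc_test" pid=20700 comm="iptc_test" capability=12 capname="net_admin"
type=AVC msg=audit(1295437827.971:209): apparmor="DENIED" operation="capable" parent=7194 profile="/root/bin/iptc_test" pid=20700 comm="iptc_test" capability=13 capname="net_raw"
type=AVC msg=audit(1295437827.975:211): apparmor="ALLOWED" operation="open" parent=7194 profile="/root/bin/iptc_test" pid=20700 comm="iptc_test" name="/etc/ld.so.cache"
type=AVC msg=audit(1295437827.976:212): apparmor="DENIED" operation="create" parent=9001 profile="/usr/bin/other" pid=20701 comm="other" family="inet6" sock_type="dgram" protocol=17
"""

# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Split one audit record into a dict of field name -> string value."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def suggest_rules(fields):
    """Return the profile rule(s) a DENIED record implies, or [] if none."""
    if fields.get("apparmor") != "DENIED":
        return []
    # Capability denials -> "capability <name>,"
    if "capname" in fields:
        return [f"capability {fields['capname']},"]
    # Socket creation is mediated by network rules, so a denial with
    # family/sock_type needs its own rule even if net_raw is already granted.
    if "family" in fields and "sock_type" in fields:
        return [f"network {fields['family']} {fields['sock_type']},"]
    return []


def rules_from_log(log_text, profile=None):
    """Collect unique suggested rules, optionally only for one profile."""
    suggested = []
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if profile is not None and fields.get("profile") != profile:
            continue
        for rule in suggest_rules(fields):
            if rule not in suggested:
                suggested.append(rule)
    return suggested


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_AUDIT_LOG, profile="/root/bin/iptc_test"):
        print(rule)
```

Run against the sample, the iptc_test profile gets "network inet raw," alongside the two capability rules, which is exactly the rule the report says was missing from the aa-genprof prompts; the record for the other profile is filtered out.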
--- Comment #1 from Michal Kubeček
https://bugzilla.novell.com/show_bug.cgi?id=665483#c1

--- Comment #2 from Jeff Mahoney
https://bugzilla.novell.com/show_bug.cgi?id=665483#c2

--- Comment #3 from Jeff Mahoney
https://bugzilla.novell.com/show_bug.cgi?id=665483#c3

--- Comment #4 from Jeff Mahoney
https://bugzilla.novell.com/show_bug.cgi?id=665483#c4