[Bug 665483] New: aa-genprof does not suggest network rule for raw socket
- From: bugzilla_noreply@xxxxxxxxxx
- Date: Wed, 19 Jan 2011 12:18:10 +0000
- Message-id: <bug-665483-21960@http.bugzilla.novell.com/>
https://bugzilla.novell.com/show_bug.cgi?id=665483
https://bugzilla.novell.com/show_bug.cgi?id=665483#c0
Summary: aa-genprof does not suggest network rule for raw socket
Classification: openSUSE
Product: openSUSE 11.4
Version: Factory
Platform: x86-64
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@xxxxxxxxxx
ReportedBy: mike@xxxxxxxxx
QAContact: qa@xxxxxxx
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b10pre) Gecko/20110117 Firefox/4.0b10pre
When creating an AppArmor profile for the attached program using aa-genprof, only
rules for the capabilities net_admin and net_raw are suggested, but the program
needs "network inet raw" to run successfully.
Reproducible: Always
Steps to Reproduce:
1. install iptables-devel package
2. compile attached program with 'gcc -o iptc_test iptc_test.c -lip4tc'
3. create AppArmor profile for it using aa-genprof
4. allow rules for capabilities net_admin and net_raw when asked
5. try running the program with profile in enforced mode
Actual Results:
The call to iptc_first_rule() fails (the program finishes with exit code 1) and the
audit log contains a line like
type=AVC msg=audit(1295437827.974:210): apparmor="DENIED" operation="create" parent=7194 profile="/root/bin/iptc_test" pid=20700 comm="iptc_test" family="inet" sock_type="raw" protocol=255
After adding "network inet raw" to the profile, the program runs successfully.
Expected Results:
aa-genprof should suggest "network inet raw" rule as well.
version: apparmor-utils-2.5.1-45.1.noarch
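The denial line quoted above already carries everything needed to derive the missing rule: family="inet" and sock_type="raw" are exactly the two words of an AppArmor "network" rule, just as capname= maps to a "capability" rule. The following script is an added illustration of that mapping, not part of the bug report or of aa-genprof; the audit lines it parses are constructed samples (the first is the one from the report, the second is a made-up net_raw capability denial with the same process fields).

```python
import re

# Constructed sample audit log: the socket-creation denial quoted in the bug
# report, plus a capability denial of the kind aa-genprof already handles.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1295437827.974:210): apparmor="DENIED" operation="create" parent=7194 profile="/root/bin/iptc_test" pid=20700 comm="iptc_test" family="inet" sock_type="raw" protocol=255
type=AVC msg=audit(1295437827.970:209): apparmor="DENIED" operation="capable" parent=7194 profile="/root/bin/iptc_test" pid=20700 comm="iptc_test" capability=13 capname="net_raw"
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def suggest_rule(fields):
    """Map one DENIED event to the profile rule that would allow it.

    Socket-creation denials carry family= and sock_type=, which become a
    'network <family> <sock_type>,' rule.  Capability denials carry capname=.
    Returns None for events that are not denials or are not understood.
    """
    if fields.get("apparmor") != "DENIED":
        return None
    if fields.get("operation") == "capable" and "capname" in fields:
        return "capability %s," % fields["capname"]
    if "family" in fields and "sock_type" in fields:
        return "network %s %s," % (fields["family"], fields["sock_type"])
    return None


def suggest_rules(audit_text):
    """Return {profile: sorted list of suggested rules} for every denial seen."""
    out = {}
    for line in audit_text.splitlines():
        fields = parse_audit_line(line)
        rule = suggest_rule(fields)
        if rule is not None:
            out.setdefault(fields["profile"], set()).add(rule)
    return {profile: sorted(rules) for profile, rules in out.items()}


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_AUDIT).items():
        print(profile + " {")
        for rule in rules:
            print("  " + rule)
        print("}")
```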