https://bugzilla.novell.com/show_bug.cgi?id=685674

https://bugzilla.novell.com/show_bug.cgi?id=685674#c0

Summary: The "-I" flag of traceroute is blocked by apparmor
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: 64bit
OS/Version: openSUSE 11.4
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: nrickert@ameritech.net
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0.0) Gecko/20100101 Firefox/4.0

Attempts to use:

    traceroute -I destination

fail with "permission denied", even when the user is root. This turns out to be an apparmor problem.

Reproducible: Always

Steps to Reproduce:
1. # traceroute -I yahoo.com
2. (assumes that apparmor is being used)

Actual Results:

    Note: the -i and -I options were exchangedfor compability with LBL traceroute
    Use -I for ICMP, and -i <ifname> to specify the interface name
    unable to create ICMP send socket: Permission denied

Expected Results:
There should be a route trace using ICMP echo requests.

/var/log/audit/audit.log showed the line:

    type=AVC msg=audit(1302098571.660:201): apparmor="DENIED" operation="create" parent=446 profile="/usr/sbin/traceroute" pid=5840 comm="traceroute" family="inet" sock_type="raw" protocol=255

I was able to work around the problem by editing the apparmor profiles in Yast, adding a line to allow "network inet raw" for traceroute, which apparently allows the use of raw sockets.

This seems to be an oversight in preparing the default rules for apparmor.
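
Added example, not part of the original report: a Python sketch that reads AppArmor AVC records like the one quoted above and derives, per profile, the candidate "network <family> <type>," rule for each denied socket creation. The function names and the two extra log lines are constructed for illustration; the first record is the one from the report with the mail line-wrap in parent= rejoined.

```python
import re

# Audit record quoted in the report (mail line-wrap in "parent" rejoined).
REPORTED = ('type=AVC msg=audit(1302098571.660:201): apparmor="DENIED" '
            'operation="create" parent=446 profile="/usr/sbin/traceroute" '
            'pid=5840 comm="traceroute" family="inet" sock_type="raw" protocol=255')

# Constructed sample lines (not from the report): a file denial and a
# complain-mode network event. Neither should yield a network rule.
CONSTRUCTED = [
    'type=AVC msg=audit(1302098600.100:202): apparmor="DENIED" operation="open" '
    'parent=1 profile="/usr/sbin/example" name="/etc/shadow" pid=6000 '
    'comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=AVC msg=audit(1302098601.200:203): apparmor="ALLOWED" operation="create" '
    'parent=1 profile="/usr/sbin/example" pid=6001 comm="example" '
    'family="inet" sock_type="dgram" protocol=17',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
TOKEN = re.compile(r'^[a-z0-9_]+$')               # shape of a family/type keyword

def parse_avc(line):
    """Split an audit record into a dict of key=value fields, quotes removed."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def network_denials(lines):
    """Map profile name -> set of candidate 'network <family> <type>,' rules."""
    rules = {}
    for line in lines:
        f = parse_avc(line)
        if f.get("type") != "AVC" or f.get("apparmor") != "DENIED":
            continue  # only enforced denials are of interest
        family, sock_type = f.get("family"), f.get("sock_type")
        if not family or not sock_type or "profile" not in f:
            continue  # not a network mediation record (e.g. a file denial)
        # Log fields are untrusted input: accept only plain keyword tokens
        # before turning them into profile text.
        if not (TOKEN.match(family) and TOKEN.match(sock_type)):
            continue
        rules.setdefault(f["profile"], set()).add(
            "network {} {},".format(family, sock_type))
    return rules

if __name__ == "__main__":
    for profile, wanted in sorted(network_denials([REPORTED] + CONSTRUCTED).items()):
        for rule in sorted(wanted):
            print("{}: {}".format(profile, rule))
```

Each rule printed is a candidate for review, not an automatic fix: adding it grants the confined program that socket type for every code path the profile covers.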