http://bugzilla.suse.com/show_bug.cgi?id=980596 Bug ID: 980596 Summary: Please allow ipv6 raw sockets for 'ping' Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: AppArmor Assignee: suse-beta@cboltz.de Reporter: mchandras@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Hi, I was looking into packaging the latest iputils[1]. In that version 'ping' and ping6 have been consolidated into a single executable which can control the inet family using -4 or -6. Latest 'ping' will try to create both ipv4 and ipv6 sockets[2] by default. However, this is prohibited by the apparmor profile in /etc/apparmor.d/bin.ping With the current profile I get the following behavior: ~ $ ping -c 1 www.google.com ping: socket: Permission denied PING www.google.com (216.58.210.36) 56(84) bytes of data. 64 bytes from lhr14s23-in-f36.1e100.net (216.58.210.36): icmp_seq=1 ttl=56 time=23.8 ms But an ipv4-only ping results to ~ $ ping -4 -c 1 www.google.com PING www.google.com (216.58.210.36) 56(84) bytes of data. 64 bytes from lhr14s23-in-f36.1e100.net (216.58.210.36): icmp_seq=1 ttl=56 time=24.2 ms Changing the profile to: @@ -18,6 +18,7 @@ capability net_raw, capability setuid, network inet raw, + network inet6 raw, /{,usr/}bin/ping mixr, /etc/modules.conf r makes newest ping works as expected. ~ $ ping -c 1 www.google.com PING www.google.com (216.58.210.36) 56(84) bytes of data. 64 bytes from lhr14s23-in-f36.1e100.net (216.58.210.36): icmp_seq=1 ttl=56 time=24.0 ms Please consider updating the apparmor profile to support that. It might also worth pushing such change to upstream as well. [1] https://github.com/iputils/iputils/releases/tag/s20160308 [2] https://github.com/iputils/iputils/blob/master/ping.c#L446 -- You are receiving this mail because: You are on the CC list for the bug.