[Bug 685674] New: The "-I" flag of traceroute is blocked by apparmor
https://bugzilla.novell.com/show_bug.cgi?id=685674#c0

Summary: The "-I" flag of traceroute is blocked by apparmor
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: 64bit
OS/Version: openSUSE 11.4
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: jeffm@novell.com
ReportedBy: nrickert@ameritech.net
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0.0) Gecko/20100101 Firefox/4.0

Attempts to use:

    traceroute -I destination

fail with "permission denied", even when the user is root. This turns out to be an apparmor problem.

Reproducible: Always

Steps to Reproduce:
1. # traceroute -I yahoo.com
2. (assumes that apparmor is being used)
3.

Actual Results:

    Note: the -i and -I options were exchanged
    for compability with LBL traceroute
    Use -I for ICMP, and -i <ifname> to specify the interface name
    unable to create ICMP send socket: Permission denied

Expected Results:
There should be a route trace using ICMP echo requests.

/var/log/audit/audit.log showed the line:

    type=AVC msg=audit(1302098571.660:201): apparmor="DENIED" operation="create" parent=446 profile="/usr/sbin/traceroute" pid=5840 comm="traceroute" family="inet" sock_type="raw" protocol=255

I was able to work around the problem by editing the apparmor profiles in Yast, adding a line to allow "network inet raw" for traceroute, which apparently allows the use of raw sockets.

This seems to be an oversight in preparing the default rules for apparmor.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

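Added example (not part of the original report and not AppArmor project code): a small parser that turns the AVC record quoted above into the narrowest profile rule that would permit the denied socket creation, here the same "network inet raw" line the reporter added by hand. The function names and the second, constructed audit record are assumptions made for illustration.

```python
import re
import shlex

# Audit record quoted in the bug report (line wrap in "parent" repaired).
REPORTED = ('type=AVC msg=audit(1302098571.660:201): apparmor="DENIED" '
            'operation="create" parent=446 profile="/usr/sbin/traceroute" '
            'pid=5840 comm="traceroute" family="inet" sock_type="raw" '
            'protocol=255')

# Constructed record: a file denial, which must not yield a network rule.
CONSTRUCTED = ('type=AVC msg=audit(1302098600.100:202): apparmor="DENIED" '
               'operation="open" parent=446 profile="/usr/sbin/traceroute" '
               'name="/etc/example.conf" pid=5841 comm="traceroute" '
               'requested_mask="r" denied_mask="r"')


def parse_avc(line):
    """Split an AppArmor AVC audit record into a dict of key=value fields."""
    _, sep, body = line.partition("): ")
    if not sep:                      # no "msg=audit(...): " prefix present
        body = line
    fields = {}
    for token in shlex.split(body):  # shlex strips the double quotes
        key, eq, value = token.partition("=")
        if eq:
            fields[key] = value
    return fields


def suggest_network_rule(line):
    """Return (profile, rule) for a denied socket creation, else None."""
    f = parse_avc(line)
    if f.get("apparmor") != "DENIED" or f.get("operation") != "create":
        return None
    family, sock_type = f.get("family"), f.get("sock_type")
    if not family or not sock_type:
        return None
    # Log fields are untrusted input: accept only plain identifiers before
    # turning them into profile text.
    if not all(re.fullmatch(r"[a-z0-9_]+", v) for v in (family, sock_type)):
        return None
    # Grant only the denied family/type pair, not a blanket "network," rule.
    return f.get("profile"), f"network {family} {sock_type},"


if __name__ == "__main__":
    for record in (REPORTED, CONSTRUCTED):
        print(suggest_network_rule(record))
```
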
https://bugzilla.novell.com/show_bug.cgi?id=685674#c1

Jeff Mahoney <jeffm@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #1 from Jeff Mahoney <jeffm@novell.com> 2011-04-07 18:25:40 UTC ---
Added the rule and submitted the fix. Test packages can be found at:
http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/open...

https://bugzilla.novell.com/show_bug.cgi?id=685674#c2

--- Comment #2 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-04-28 14:00:11 CEST ---
This is an autogenerated message for OBS integration:
This bug (685674) was mentioned in
https://build.opensuse.org/request/show/66464
https://build.opensuse.org/request/show/66522

https://bugzilla.novell.com/show_bug.cgi?id=685674#c3

--- Comment #3 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-06-23 21:01:13 CEST ---
This is an autogenerated message for OBS integration:
This bug (685674) was mentioned in
https://build.opensuse.org/request/show/74415 11.4 / apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674#c4

--- Comment #4 from Bernhard Wiedemann <bwiedemann@novell.com> 2011-06-24 17:01:07 CEST ---
This is an autogenerated message for OBS integration:
This bug (685674) was mentioned in
https://build.opensuse.org/request/show/74457 11.4 / apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674#c5

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |maint:running:41833:low

--- Comment #5 from Swamp Workflow Management <swamp@suse.com> 2011-06-25 19:58:14 UTC ---
The SWAMPID for this issue is 41833.
This issue was rated as low.
Please submit fixed packages until 2011-07-25.
Also create a patchinfo file using this link:
https://swamp.suse.de/webswamp/wf/41833

https://bugzilla.novell.com/show_bug.cgi?id=685674#c6

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:41833:low     |maint:running:41833:low
                   |                            |maint:released:11.4:41905

--- Comment #6 from Swamp Workflow Management <swamp@suse.de> 2011-07-07 13:17:35 UTC ---
Update released for: apache2-mod_apparmor, apparmor-docs, apparmor-parser, apparmor-profiles, apparmor-utils, libapparmor-devel, libapparmor1, pam_apparmor, perl-apparmor, tomcat_apparmor
Products:
openSUSE 11.4 (debug, i586, x86_64)

https://bugzilla.novell.com/show_bug.cgi?id=685674#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:41833:low     |maint:released:11.4:41905
                   |maint:released:11.4:41905   |

https://bugzilla.novell.com/show_bug.cgi?id=685674#c7

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |suse-beta@cboltz.de
          Component|AppArmor                    |AppArmor
            Version|Final                       |Factory
         Resolution|FIXED                       |
            Product|openSUSE 11.4               |openSUSE 12.1

--- Comment #7 from Christian Boltz <suse-beta@cboltz.de> 2011-08-23 02:25:22 CEST ---
Reopening - this was only fixed for 11.4 - the fix is missing in the Factory package :-(

I just committed it upstream, which means it will be in AppArmor 2.7 beta2.

Jeff, if you don't want to carry lots of patches around, updating AppArmor to 2.7 beta1 (and later beta2) in Factory would be a good idea ;-)

https://bugzilla.novell.com/show_bug.cgi?id=685674#c

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|jeffm@suse.com              |suse-beta@cboltz.de

https://bugzilla.novell.com/show_bug.cgi?id=685674#c8

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #8 from Christian Boltz <suse-beta@cboltz.de> 2011-09-16 17:10:34 CEST ---
Fixed in AppArmor 2.7 beta2 which I'll commit to Factory in some hours.

https://bugzilla.novell.com/show_bug.cgi?id=685674#c9

--- Comment #9 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-09-16 19:00:20 CEST ---
This is an autogenerated message for OBS integration:
This bug (685674) was mentioned in
https://build.opensuse.org/request/show/82501 Factory / apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674#c10

Jason Dian <rhdian@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rhdian@novell.com

--- Comment #10 from Jason Dian <rhdian@novell.com> 2013-12-18 02:52:44 UTC ---
@Christian Boltz
Customer wants to know which SLES version will integrate this patch.

https://bugzilla.novell.com/show_bug.cgi?id=685674#c11

--- Comment #11 from Christian Boltz <suse-beta@cboltz.de> 2013-12-18 12:48:27 CET ---
(In reply to comment #10)
> @Christian Boltz
> Customer wants to know which SLES version will integrate this patch.

I'm not involved with SLES (and don't have access to it), so you should ask someone @SUSE ;-)

Hint: OBS contains the latest apparmor packages in security:apparmor (also for older major releases, see for example the apparmor_2_7 package)

https://bugzilla.novell.com/show_bug.cgi?id=685674#c12

--- Comment #12 from Marcus Meissner <meissner@suse.com> 2013-12-18 12:22:00 UTC ---
rui hui dian, the fix is already in SLES:

rpm -q --changelog apparmor-profiles has

    -------------------------------------------------------------------
    Wed Aug  3 02:34:45 CEST 2011 - jeffm@suse.de

    - Add raw network access to traceroute profile (bnc#691218).

If customers have still problems, please open a new bugzilla or NTS SR.