[Bug 685674] New: The "-I" flag of traceroute is blocked by apparmor

newer
[Bug 622241] New: grub failure on...

bugzilla_noreply＠novell.com

6 Apr 2011 6 Apr '11

22:39

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c0 Summary: The "-I" flag of traceroute is blocked by apparmor Classification: openSUSE Product: openSUSE 11.4 Version: Final Platform: 64bit OS/Version: openSUSE 11.4 Status: NEW Severity: Normal Priority: P5 - None Component: AppArmor AssignedTo: jeffm@novell.com ReportedBy: nrickert@ameritech.net QAContact: qa@suse.de Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0.0) Gecko/20100101 Firefox/4.0 Attempts to use: traceroute -I destination fail with "permission denied", even when the user is root. This turns out to be an apparmor problem. Reproducible: Always Steps to Reproduce: 1.# traceroute -I yahoo.com 2.(assumes that apparmor is being used) 3. Actual Results: Note: the -i and -I options were exchangedfor compability with LBL traceroute Use -I for ICMP, and -i <ifname> to specify the interface name unable to create ICMP send socket: Permission denied Expected Results: There should be a route trace using ICMP echo requests. /var/log/audit/audit.log showed the line: type=AVC msg=audit(1302098571.660:201): apparmor="DENIED" operation="create" par ent=446 profile="/usr/sbin/traceroute" pid=5840 comm="traceroute" family="inet" sock_type="raw" protocol=255 I was able to work around the problem by editing the apparmor profiles in Yast, adding a line to allow "network inet raw" for traceroute, which apparently allows the use of raw sockets. This seems to be an oversight in preparing the default rules for apparmor -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

7 Apr 7 Apr

18:25

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c1 Jeff Mahoney changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #1 from Jeff Mahoney 2011-04-07 18:25:40 UTC --- Added the rule and submitted the fix. Test packages can be found at: http://download.opensuse.org/repositories/home:/jeff_mahoney:/branches:/open... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

28 Apr 28 Apr

12:00

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c2 --- Comment #2 from Bernhard Wiedemann 2011-04-28 14:00:11 CEST --- This is an autogenerated message for OBS integration: This bug (685674) was mentioned in https://build.opensuse.org/request/show/66464 https://build.opensuse.org/request/show/66522 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

23 Jun 23 Jun

19:01

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c3 --- Comment #3 from Bernhard Wiedemann 2011-06-23 21:01:13 CEST --- This is an autogenerated message for OBS integration: This bug (685674) was mentioned in https://build.opensuse.org/request/show/74415 11.4 / apparmor -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

24 Jun 24 Jun

15:01

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c4 --- Comment #4 from Bernhard Wiedemann 2011-06-24 17:01:07 CEST --- This is an autogenerated message for OBS integration: This bug (685674) was mentioned in https://build.opensuse.org/request/show/74457 11.4 / apparmor -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

25 Jun 25 Jun

19:58

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c5 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard| |maint:running:41833:low --- Comment #5 from Swamp Workflow Management 2011-06-25 19:58:14 UTC --- The SWAMPID for this issue is 41833. This issue was rated as low. Please submit fixed packages until 2011-07-25. Also create a patchinfo file using this link: https://swamp.suse.de/webswamp/wf/41833 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

7 Jul 7 Jul

13:17

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c6 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:running:41833:low |maint:running:41833:low | |maint:released:11.4:41905 --- Comment #6 from Swamp Workflow Management 2011-07-07 13:17:35 UTC --- Update released for: apache2-mod_apparmor, apparmor-docs, apparmor-parser, apparmor-profiles, apparmor-utils, libapparmor-devel, libapparmor1, pam_apparmor, perl-apparmor, tomcat_apparmor Products: openSUSE 11.4 (debug, i586, x86_64) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13:20

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Status Whiteboard|maint:running:41833:low |maint:released:11.4:41905 |maint:released:11.4:41905 | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

23 Aug 23 Aug

00:25

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c7 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED CC| |suse-beta@cboltz.de Component|AppArmor |AppArmor Version|Final |Factory Resolution|FIXED | Product|openSUSE 11.4 |openSUSE 12.1 --- Comment #7 from Christian Boltz 2011-08-23 02:25:22 CEST --- Reopening - this was only fixed for 11.4 - the fix is missing in the Factory package :-( I just commited it upstream, which means it will be in AppArmor 2.7 beta2. Jeff, if you don't want to carry lots of patches around, updating AppArmor to 2.7 beta1 (and later beta2) in Factory would be a good idea ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

13 Sep 13 Sep

19:33

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|jeffm@suse.com |suse-beta@cboltz.de -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

16 Sep 16 Sep

15:10

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c8 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |FIXED --- Comment #8 from Christian Boltz 2011-09-16 17:10:34 CEST --- Fixed in AppArmor 2.7 beta2 which I'll commit to Factory in some hours. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

17:00

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c9 --- Comment #9 from Bernhard Wiedemann 2011-09-16 19:00:20 CEST --- This is an autogenerated message for OBS integration: This bug (685674) was mentioned in https://build.opensuse.org/request/show/82501 Factory / apparmor -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

18 Dec 18 Dec

02:52

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c10 Jason Dian changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |rhdian@novell.com --- Comment #10 from Jason Dian 2013-12-18 02:52:44 UTC --- @Christian Boltz Customer want to know which SLES version will integrate this patch. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

11:48

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c11 --- Comment #11 from Christian Boltz 2013-12-18 12:48:27 CET --- (In reply to comment #10)

...

@Christian Boltz Customer want to know which SLES version will integrate this patch.

I'm not involved with SLES (and don't have access to it), so you should ask someone @SUSE ;-) Hint: OBS contains the latest apparmor packages in security:apparmor (also for older major releases, see for example the apparmor_2_7 package) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

12:22

New subject: [Bug 685674] The "-I" flag of traceroute is blocked by apparmor

https://bugzilla.novell.com/show_bug.cgi?id=685674 https://bugzilla.novell.com/show_bug.cgi?id=685674#c12 --- Comment #12 from Marcus Meissner 2013-12-18 12:22:00 UTC --- rui hui dian, the fix is already in SLES: rpm -q --changelog apparmor-profiles has ------------------------------------------------------------------- Wed Aug 3 02:34:45 CEST 2011 - jeffm@suse.de - Add raw network access to traceroute profile (bnc#691218). If customers have still problems, please open a new bugzilla or NTS SR. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

3788

Age (days ago)

4775

Last active (days ago)

List overview

Download

14 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 685674] New: The "-I" flag of traceroute is blocked by apparmor

tags

participants (1)