[Bug 685674] New: The "-I" flag of traceroute is blocked by apparmor
https://bugzilla.novell.com/show_bug.cgi?id=685674

https://bugzilla.novell.com/show_bug.cgi?id=685674#c0

           Summary: The "-I" flag of traceroute is blocked by apparmor
    Classification: openSUSE
           Product: openSUSE 11.4
           Version: Final
          Platform: 64bit
        OS/Version: openSUSE 11.4
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: AppArmor
        AssignedTo: jeffm@novell.com
        ReportedBy: nrickert@ameritech.net
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0.0) Gecko/20100101 Firefox/4.0

Attempts to use:
    traceroute -I destination
fail with "permission denied", even when the user is root. This turns out to be an apparmor problem.

Reproducible: Always

Steps to Reproduce:
1. # traceroute -I yahoo.com
2. (assumes that apparmor is being used)
3.

Actual Results:
    Note: the -i and -I options were exchangedfor compability with LBL traceroute
    Use -I for ICMP, and -i <ifname> to specify the interface name
    unable to create ICMP send socket: Permission denied

Expected Results:
There should be a route trace using ICMP echo requests.

/var/log/audit/audit.log showed the line:

    type=AVC msg=audit(1302098571.660:201): apparmor="DENIED" operation="create" parent=446 profile="/usr/sbin/traceroute" pid=5840 comm="traceroute" family="inet" sock_type="raw" protocol=255

I was able to work around the problem by editing the apparmor profiles in Yast, adding a line to allow "network inet raw" for traceroute, which apparently allows the use of raw sockets.

This seems to be an oversight in preparing the default rules for apparmor.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
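The mapping from the audit record in the report to the profile line used as the workaround, as an added example (not part of the original report and not AppArmor's own tooling). The first sample line is the denial quoted above; the other two lines and the /usr/sbin/example profile are constructed to show what the parser skips.

```python
import re
from collections import defaultdict

# Sample input: line 1 is the denial quoted in the report; lines 2 and 3 are
# constructed (an allowed socket create and a denied file open) and must be ignored.
SAMPLE_LOG = '''\
type=AVC msg=audit(1302098571.660:201): apparmor="DENIED" operation="create" parent=446 profile="/usr/sbin/traceroute" pid=5840 comm="traceroute" family="inet" sock_type="raw" protocol=255
type=AVC msg=audit(1302098580.100:202): apparmor="ALLOWED" operation="create" parent=446 profile="/usr/sbin/example" pid=5841 comm="example" family="inet" sock_type="dgram" protocol=17
type=AVC msg=audit(1302098590.200:203): apparmor="DENIED" operation="open" parent=446 profile="/usr/sbin/example" pid=5842 comm="example" name="/etc/example.conf" requested_mask="r" denied_mask="r"
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Split one audit record into a dict of key -> value (quotes removed)."""
    return {k: (q if q else u) for k, q, u in FIELD.findall(line)}

def network_denials(log_text):
    """Return {profile: sorted 'network <family> <type>,' rules} for denied socket creates."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "create":
            continue  # allowed events and non-create operations are not relevant
        if not all(k in f for k in ("profile", "family", "sock_type")):
            continue  # a denied create that is not a socket, or a truncated record
        rules[f["profile"]].add(f"network {f['family']} {f['sock_type']},")
    return {p: sorted(r) for p, r in rules.items()}

if __name__ == "__main__":
    for profile, rules in network_denials(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in rules:
            print(f"  {rule}")
```

`network inet raw,` grants the profile every IPv4 raw socket, not only ICMP, so it belongs only in the profile named in the denial.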
https://bugzilla.novell.com/show_bug.cgi?id=685674#c1
Jeff Mahoney
https://bugzilla.novell.com/show_bug.cgi?id=685674#c2
--- Comment #2 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=685674#c3
--- Comment #3 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=685674#c4
--- Comment #4 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=685674#c5
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=685674#c6
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=685674#c
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=685674#c7
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=685674#c
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=685674#c8
Christian Boltz
https://bugzilla.novell.com/show_bug.cgi?id=685674#c9
--- Comment #9 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=685674#c10
Jason Dian
https://bugzilla.novell.com/show_bug.cgi?id=685674#c11
--- Comment #11 from Christian Boltz
> @Christian Boltz Customer wants to know which SLES version will integrate this patch.

I'm not involved with SLES (and don't have access to it), so you should ask someone @SUSE ;-)

Hint: OBS contains the latest apparmor packages in security:apparmor (also for older major releases, see for example the apparmor_2_7 package)
https://bugzilla.novell.com/show_bug.cgi?id=685674#c12
--- Comment #12 from Marcus Meissner