apparmor denies -z option. Number of loaded profiles grows.
Bug #722856 reported by Doug Smythies
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tcpdump (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
Bug Description
Binary package hint: tcpdump
The default apparmor profile does not allow the use of the -z option in tcpdump.
O.K., so one can work around it via setting that profile to "complain" mode, however then the number of loaded profiles will grow with each loop. It appears as though the profiles are not flushed upon termination of the script or program that the -z option executed.
OS Version: Ubuntu server 64 bit 10.10
tcpdump:
Installed: 4.1.1-1ubuntu2
Candidate: 4.1.1-1ubuntu2
Version table:
*** 4.1.1-1ubuntu2 0
500 http://
100 /var/lib/
Note: I could not use apport, as I have no GUI.
Changed in tcpdump (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → In Progress
Clarification: I don't necessarily expect to be able to have apparmor allow me to run a script from my own directory without my editing the local profile. However, and there is an example buried in the audit log, I do expect it to allow me to run gzip from the default configuration.
The commands I was using:
sudo tcpdump -i eth1 -w 'eth1-%F-%H-%M-%S.bin' -G 300 -z /home/doug/scripts/packet_post_processor
sudo tcpdump -i eth1 -w 'eth1-%F-%H-%M-%S.bin' -G 300 -z gzip
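One way to pull the `-z` exec denials mentioned above out of an audit log, as an added example that is not part of the original bug report. The record layout, the `/usr/sbin/tcpdump` profile name and every sample line are constructed assumptions, not taken from the reporter's log.

```python
import re
from collections import Counter

# Constructed sample records (assumed format; not the reporter's audit log).
SAMPLE_LOG = """\
Feb 21 10:05:00 srv kernel: [ 100.000001] type=1400 audit(1298300700.101:21): apparmor="DENIED" operation="exec" parent=2101 profile="/usr/sbin/tcpdump" name="/bin/gzip" pid=2102 comm="tcpdump" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 21 10:10:00 srv kernel: [ 400.000002] type=1400 audit(1298301000.102:22): apparmor="DENIED" operation="exec" parent=2101 profile="/usr/sbin/tcpdump" name="/bin/gzip" pid=2140 comm="tcpdump" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 21 10:20:00 srv kernel: [ 1000.000003] type=1400 audit(1298301600.103:23): apparmor="DENIED" operation="exec" parent=2200 profile="/usr/sbin/tcpdump" name="/home/doug/scripts/packet_post_processor" pid=2201 comm="tcpdump" requested_mask="x" denied_mask="x" fsuid=0 ouid=1000
Feb 21 10:40:00 srv kernel: [ 2200.000004] type=1400 audit(1298302800.104:24): apparmor="ALLOWED" operation="exec" parent=2300 profile="/usr/sbin/tcpdump" name="/bin/gzip" pid=2301 comm="tcpdump" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Feb 21 10:41:00 srv kernel: [ 2260.000005] type=1400 audit(1298302860.105:25): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/ntpd" name="/etc/hosts" pid=900 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Feb 21 10:42:00 srv sshd[3001]: Accepted publickey for doug from 192.0.2.10 port 50000 ssh2
"""

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_record(line):
    """Return the key=value fields of one audit line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}

def exec_verdicts(log, profile="/usr/sbin/tcpdump"):
    """Count exec attempts made under `profile`, keyed by (verdict, target)."""
    counts = Counter()
    for line in log.splitlines():
        rec = parse_record(line)
        if "apparmor" not in rec or rec.get("operation") != "exec":
            continue  # not an AppArmor exec record
        if rec.get("profile") != profile:
            continue  # some other confined program
        counts[(rec["apparmor"], rec.get("name", "?"))] += 1
    return counts

def report(counts):
    """Format the counts; ALLOWED means complain mode only logged the exec."""
    notes = {"DENIED": "blocked by profile",
             "ALLOWED": "complain mode: logged, would be blocked when enforced"}
    return [f"{n:3d}  {verdict:8s} {target}  # {notes.get(verdict, 'other')}"
            for (verdict, target), n in sorted(counts.items())]

if __name__ == "__main__":
    print("\n".join(report(exec_verdicts(SAMPLE_LOG))))
```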