Running `sudo traceroute -T 8.8.8.8` (with TCP SYN mode, root perms. are needed) on Ubuntu 17.04 will produce DENIED messages:
type=AVC msg=audit(1497186803.543:335): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_ecn" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:335): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfb0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:335): proctitle=7472616365726F757465002D5400382E382E382E38
type=AVC msg=audit(1497186803.543:336): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_sack" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:336): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfb0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:336): proctitle=7472616365726F757465002D5400382E382E382E38
type=AVC msg=audit(1497186803.543:337): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_timestamps" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:337): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfa0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:337): proctitle=7472616365726F757465002D5400382E382E382E38
type=AVC msg=audit(1497186803.543:338): apparmor="DENIED" operation="open" profile="/usr/{sbin/traceroute,bin/traceroute.db}" name="/proc/sys/net/ipv4/tcp_window_scaling" pid=6573 comm="traceroute" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1497186803.543:338): arch=c000003e syscall=2 success=no exit=-13 a0=7ffc1125cfa0 a1=0 a2=0 a3=560553475db0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:338): proctitle=7472616365726F757465002D5400382E382E382E38
type=AVC msg=audit(1497186803.543:339): apparmor="DENIED" operation="capable" profile="/usr/{sbin/traceroute,bin/traceroute.db}" pid=6573 comm="traceroute" capability=12 capname="net_admin"
type=SYSCALL msg=audit(1497186803.543:339): arch=c000003e syscall=54 success=no exit=-1 a0=4 a1=1 a2=21 a3=7ffc1125bef0 items=0 ppid=6572 pid=6573 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="traceroute" exe="/usr/bin/traceroute.db" key=(null)
type=PROCTITLE msg=audit(1497186803.543:339): proctitle=7472616365726F757465002D5400382E382E382E38
This patch provides fixes for them.
Hi Vincas! Thanks for this merge request. I could reproduce the problem it's meant to fix, and I agree it makes sense to fix it. Two request though:
1. could you please merge the 4 @{PROC} lines e.g.:
@{PROC} /sys/net/ ipv4/tcp_ {ecn,sack, timestamps, window_ scaling} r,
2. wrt. "deny capability net_admin": on Debian sid (traceroute 1:2.1.0-2), I can't reproduce the issue it's meant to fix; which version of traceroute and OS are you using? Any specific local configuration that might come into play?