Comment 14 for bug 1598759

Tyler Hicks (tyhicks) wrote :

I forgot to mention what brought me to this bug. I am seeing this denial when running tcpdump in Ubuntu Yakkety:

apparmor="DENIED" operation="connect" profile="/usr/sbin/tcpdump" name="/run/dbus/system_bus_socket" pid=25098 comm="tcpdump" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

After pulling the dbus-strict abstraction into the tcpdump profile, I then see this denial:

pid=2204 uid=105 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/resolve1" interface="org.freedesktop.resolve1.Manager" member="ResolveAddress" mask="send" name="org.freedesktop.resolve1" pid=25438 label="/usr/sbin/tcpdump" peer_pid=2471 peer_label="unconfined"

My proposed fix grants access to the ResolveAddress, ResolveHostname, ResolveRecord, and ResolveService methods of the D-Bus API.