Comment 0 for bug 2052493

Koen Dierckx (dierckxk) wrote :

Reproduction steps:
mkdir /test
chmod 777 /test
tcpdump -Z root -ni any -s 0 -w /test/pcap.pcap -C 500 -W 500 host 1.1.1.1

Result:
tcpdump: /test/pcap.pcap000: Permission denied

Expected result:
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes

The cause is the AppArmor profile: /etc/apparmor.d/usr.sbin.tcpdump
  # for -r, -F and -w
  /**.[pP][cC][aA][pP] rw,

It should allow for trailing numbers added to the filename.
This is required when using the -C/-W options, as those will cause rotating filenames.

  # for -r, -F, -w, -C and -W
  /**.[pP][cC][aA][pP]* rw,

After changing the profile and reloading via 'service apparmor reload', tcpdump will work as expected.
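
The mismatch described in the report above, as an added example (not part of the original comment, and not AppArmor's own matcher): a simplified Python model of AppArmor path globbing evaluates the two rules quoted from the profile against constructed paths. The helper names and the path list are assumptions for illustration; the output shows that the rotated name is rejected by the first rule and accepted by the second, and which other names the trailing `*` admits.

```python
import re

def apparmor_glob_to_regex(glob):
    """Translate a subset of AppArmor path globs into a compiled regex.

    Simplified model (assumption, not the real parser): '**' matches any
    characters including '/', '*' any characters except '/', '?' one
    character except '/', and '[...]' is a character class.
    """
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif c == "*":
            out.append("[^/]*")
            i += 1
        elif c == "?":
            out.append("[^/]")
            i += 1
        elif c == "[":
            end = glob.index("]", i + 1)
            out.append(glob[i:end + 1])   # class syntax is the same in regex
            i = end + 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("".join(out), re.S)

ORIGINAL_RULE = "/**.[pP][cC][aA][pP]"    # rule quoted in the report
PROPOSED_RULE = "/**.[pP][cC][aA][pP]*"   # rule proposed in the report

# Constructed sample paths; only pcap.pcap000 appears in the report itself.
SAMPLE_PATHS = [
    "/test/pcap.pcap",       # plain -w target
    "/test/pcap.pcap000",    # first rotated file from -C/-W
    "/test/CAPTURE.PCAP",    # case variants are covered by the classes
    "/test/pcap.pcapng",     # any suffix after ".pcap", not only digits
    "/test/notes.pcap.sh",   # ".pcap" in the middle of a file name
    "/test/a.pcap/secret",   # '*' does not cross a directory boundary
]

def allowed(rule, path):
    """True if the whole path matches the rule's glob."""
    return apparmor_glob_to_regex(rule).fullmatch(path) is not None

def compare(paths=SAMPLE_PATHS):
    """Map each path to (allowed by original rule, allowed by proposed rule)."""
    return {p: (allowed(ORIGINAL_RULE, p), allowed(PROPOSED_RULE, p)) for p in paths}

if __name__ == "__main__":
    for path, (old, new) in compare().items():
        print(f"{path:24} original={old!s:5} proposed={new}")
```
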