# tcpdump
tcpdump: Can't open netlink socket 13:Permission denied

Enforcing:
Nov 17 13:34:38 lain kernel: [ 4257.373410] type=1400 audit(1353155678.574:1066): avc: denied { rlimitinh } for pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:38 lain kernel: [ 4257.373422] type=1400 audit(1353155678.574:1067): avc: denied { siginh } for pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:38 lain kernel: [ 4257.373443] type=1400 audit(1353155678.574:1068): avc: denied { noatsecure } for pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:38 lain kernel: [ 4257.442216] type=1400 audit(1353155678.643:1069): avc: denied { search } for pid=31625 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:34:38 lain kernel: [ 4257.442256] type=1400 audit(1353155678.643:1070): avc: denied { search } for pid=31625 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:34:38 lain kernel: [ 4257.442280] type=1400 audit(1353155678.643:1071): avc: denied { create } for pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket

Permissive:
Nov 17 13:34:50 lain kernel: [ 4269.707051] type=1400 audit(1353155690.932:1073): avc: denied { rlimitinh } for pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:50 lain kernel: [ 4269.707061] type=1400 audit(1353155690.932:1074): avc: denied { siginh } for pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:50 lain kernel: [ 4269.707080] type=1400 audit(1353155690.932:1075): avc: denied { noatsecure } for pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:51 lain kernel: [ 4269.807641] type=1400 audit(1353155691.033:1076): avc: denied { search } for pid=31768 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:34:51 lain kernel: [ 4269.807705] type=1400 audit(1353155691.033:1077): avc: denied { create } for pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:34:51 lain kernel: [ 4269.807731] type=1400 audit(1353155691.033:1078): avc: denied { write } for pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:34:51 lain kernel: [ 4269.807752] type=1400 audit(1353155691.033:1079): avc: denied { read } for pid=31768 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:34:51 lain kernel: [ 4269.812523] type=1400 audit(1353155691.038:1080): avc: denied { read } for pid=31768 comm="tcpdump" name="dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:34:51 lain kernel: [ 4269.812534] type=1400 audit(1353155691.038:1081): avc: denied { open } for pid=31768 comm="tcpdump" path="/proc/31768/net/dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file

After allowing:
Nov 17 13:34:38 lain kernel: [ 4257.442280] type=1400 audit(1353155678.643:1071): avc: denied { create } for pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket

# tcpdump
tcpdump: Couldn't chroot/chdir to '/var/lib/tcpdump': Permission denied

Enforcing:
Nov 17 13:41:25 lain kernel: [ 4663.437448] type=1400 audit(1353156085.445:1149): avc: denied { rlimitinh } for pid=23003 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:41:25 lain kernel: [ 4663.437460] type=1400 audit(1353156085.445:1150): avc: denied { siginh } for pid=23003 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:41:25 lain kernel: [ 4663.437480] type=1400 audit(1353156085.445:1151): avc: denied { noatsecure } for pid=23003 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:41:25 lain kernel: [ 4663.513384] type=1400 audit(1353156085.521:1152): avc: denied { search } for pid=23003 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:41:25 lain kernel: [ 4663.513442] type=1400 audit(1353156085.521:1153): avc: denied { search } for pid=23003 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:41:25 lain kernel: [ 4663.513504] type=1400 audit(1353156085.521:1154): avc: denied { write } for pid=23003 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:41:25 lain kernel: [ 4663.518243] type=1400 audit(1353156085.526:1155): avc: denied { read } for pid=23003 comm="tcpdump" name="dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:41:25 lain kernel: [ 4663.539314] type=1400 audit(1353156085.547:1156): avc: denied { dac_override } for pid=23003 comm="tcpdump" capability=1 scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability
Nov 17 13:41:25 lain kernel: [ 4663.539333] type=1400 audit(1353156085.547:1157): avc: denied { dac_read_search } for pid=23003 comm="tcpdump" capability=2 scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability
Nov 17 13:41:25 lain kernel: [ 4663.539348] type=1400 audit(1353156085.547:1158): avc: denied { dac_override } for pid=23003 comm="tcpdump" capability=1 scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability

Permissive:
Nov 17 13:41:36 lain kernel: [ 4674.308673] type=1400 audit(1353156096.338:1160): avc: denied { rlimitinh } for pid=23423 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:41:36 lain kernel: [ 4674.308688] type=1400 audit(1353156096.338:1161): avc: denied { siginh } for pid=23423 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:41:36 lain kernel: [ 4674.308715] type=1400 audit(1353156096.338:1162): avc: denied { noatsecure } for pid=23423 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:41:36 lain kernel: [ 4674.409602] type=1400 audit(1353156096.439:1163): avc: denied { search } for pid=23423 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:41:36 lain kernel: [ 4674.409725] type=1400 audit(1353156096.439:1164): avc: denied { write } for pid=23423 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:41:36 lain kernel: [ 4674.409754] type=1400 audit(1353156096.439:1165): avc: denied { read } for pid=23423 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:41:36 lain kernel: [ 4674.420483] type=1400 audit(1353156096.450:1166): avc: denied { read } for pid=23423 comm="tcpdump" name="dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:41:36 lain kernel: [ 4674.420501] type=1400 audit(1353156096.450:1167): avc: denied { open } for pid=23423 comm="tcpdump" path="/proc/23423/net/dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:41:36 lain kernel: [ 4674.420529] type=1400 audit(1353156096.450:1168): avc: denied { getattr } for pid=23423 comm="tcpdump" path="/proc/23423/net/dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file

ls -lZ /var/lib | grep tcpdump
drwx------. 2 tcpdump tcpdump system_u:object_r:var_lib_t 4096 Oct 23 21:43 tcpdump

After allowing:
Nov 17 13:52:07 lain kernel: [ 5304.192160] type=1400 audit(1353156727.473:1208): avc: denied { dac_override } for pid=1887 comm="tcpdump" capability=1 scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability

Enforcing:
Nov 17 13:57:28 lain kernel: [ 5624.452306] type=1400 audit(1353157048.369:1285): avc: denied { rlimitinh } for pid=5065 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:57:28 lain kernel: [ 5624.452325] type=1400 audit(1353157048.369:1286): avc: denied { siginh } for pid=5065 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:57:28 lain kernel: [ 5624.452384] type=1400 audit(1353157048.369:1287): avc: denied { noatsecure } for pid=5065 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:57:28 lain kernel: [ 5624.555520] type=1400 audit(1353157048.473:1288): avc: denied { search } for pid=5065 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:57:28 lain kernel: [ 5624.555577] type=1400 audit(1353157048.473:1289): avc: denied { search } for pid=5065 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:57:28 lain kernel: [ 5624.555641] type=1400 audit(1353157048.473:1290): avc: denied { write } for pid=5065 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:57:28 lain kernel: [ 5624.564447] type=1400 audit(1353157048.482:1291): avc: denied { read } for pid=5065 comm="tcpdump" name="dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:57:28 lain kernel: [ 5624.582484] type=1400 audit(1353157048.500:1292): avc: denied { sys_chroot } for pid=5065 comm="tcpdump" capability=18 scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability

Permissive:
Nov 17 13:57:39 lain kernel: [ 5636.001459] type=1400 audit(1353157059.941:1294): avc: denied { rlimitinh } for pid=5126 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:57:39 lain kernel: [ 5636.001473] type=1400 audit(1353157059.941:1295): avc: denied { siginh } for pid=5126 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:57:39 lain kernel: [ 5636.001535] type=1400 audit(1353157059.942:1296): avc: denied { noatsecure } for pid=5126 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:57:40 lain kernel: [ 5636.122460] type=1400 audit(1353157060.063:1297): avc: denied { search } for pid=5126 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:57:40 lain kernel: [ 5636.122575] type=1400 audit(1353157060.063:1298): avc: denied { write } for pid=5126 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:57:40 lain kernel: [ 5636.122604] type=1400 audit(1353157060.063:1299): avc: denied { read } for pid=5126 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:57:40 lain kernel: [ 5636.138339] type=1400 audit(1353157060.079:1300): avc: denied { read } for pid=5126 comm="tcpdump" name="dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:57:40 lain kernel: [ 5636.138356] type=1400 audit(1353157060.079:1301): avc: denied { open } for pid=5126 comm="tcpdump" path="/proc/5126/net/dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file
Nov 17 13:57:40 lain kernel: [ 5636.138379] type=1400 audit(1353157060.079:1302): avc: denied { getattr } for pid=5126 comm="tcpdump" path="/proc/5126/net/dev" dev="proc" ino=4026531979 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:proc_net_t tclass=file

Finally, after allowing this one it seems to work:
Nov 17 13:53:14 lain kernel: [ 5371.286855] type=1400 audit(1353156794.701:1230): avc: denied { sys_chroot } for pid=2308 comm="tcpdump" capability=18 scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability

All of the stuff I allowed:
Nov 17 13:34:38 lain kernel: [ 4257.442280] type=1400 audit(1353155678.643:1071): avc: denied { create } for pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:52:07 lain kernel: [ 5304.192160] type=1400 audit(1353156727.473:1208): avc: denied { dac_override } for pid=1887 comm="tcpdump" capability=1 scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability
Nov 17 13:53:14 lain kernel: [ 5371.286855] type=1400 audit(1353156794.701:1230): avc: denied { sys_chroot } for pid=2308 comm="tcpdump" capability=18 scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability

Reproducible: Always
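The reporter did this triage by hand: read each enforcing/permissive run, ignore the rlimitinh/siginh/noatsecure transition denials, and keep the one denial that actually matters. The script below is an added example (not from the bug report, not from Gentoo's policy) that automates that step over the kernel audit lines quoted above; the sample input is five of those lines copied verbatim, and the regex and helper names are this example's own.

```python
import re

# Field layout of the type=1400 kernel audit lines quoted in the report.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Checked on every domain transition and normally dontaudited by the
# reference policy; they say nothing about why tcpdump actually failed.
TRANSITION_NOISE = {"rlimitinh", "siginh", "noatsecure"}

# Sample input: five lines quoted verbatim from the report above.
SAMPLE = """\
Nov 17 13:34:38 lain kernel: [ 4257.373410] type=1400 audit(1353155678.574:1066): avc: denied { rlimitinh } for pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:sysadm_t tcontext=staff_u:sysadm_r:netutils_t tclass=process
Nov 17 13:34:38 lain kernel: [ 4257.442216] type=1400 audit(1353155678.643:1069): avc: denied { search } for pid=31625 comm="tcpdump" name="/" dev="debugfs" ino=1 scontext=staff_u:sysadm_r:netutils_t tcontext=system_u:object_r:debugfs_t tclass=dir
Nov 17 13:34:38 lain kernel: [ 4257.442280] type=1400 audit(1353155678.643:1071): avc: denied { create } for pid=31625 comm="tcpdump" scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=netlink_socket
Nov 17 13:41:25 lain kernel: [ 4663.539314] type=1400 audit(1353156085.547:1156): avc: denied { dac_override } for pid=23003 comm="tcpdump" capability=1 scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability
Nov 17 13:41:25 lain kernel: [ 4663.539333] type=1400 audit(1353156085.547:1157): avc: denied { dac_read_search } for pid=23003 comm="tcpdump" capability=2 scontext=staff_u:sysadm_r:netutils_t tcontext=staff_u:sysadm_r:netutils_t tclass=capability
""".splitlines()


def parse_avc(line):
    """Return (perms, source type, target type, tclass) for one AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    src = m.group("scontext").split(":")[2]  # user:role:type[:level] -> type
    tgt = m.group("tcontext").split(":")[2]
    return frozenset(m.group("perms").split()), src, tgt, m.group("tclass")


def summarize(lines):
    """Collapse a denial list into the distinct (src, tgt, tclass, perm) tuples
    that each need an allow or dontaudit decision, dropping transition noise."""
    rules = set()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, src, tgt, tclass = parsed
        if tclass == "process" and perms <= TRANSITION_NOISE:
            continue
        for perm in perms:
            rules.add((src, "self" if tgt == src else tgt, tclass, perm))
    return sorted(rules)


if __name__ == "__main__":
    # One candidate rule per line; allow vs dontaudit is still a human decision.
    for src, tgt, tclass, perm in summarize(SAMPLE):
        print(f"{src} {tgt}:{tclass} {perm}")
```

On the five sample lines this leaves four rows: the debugfs search, the netlink_socket create, and the two DAC capabilities that the later comment discusses.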
Seems to work with dac_read_search as well (without dac_override). dac_override is more global than dac_read_search, and it requires the search privs only afaik. dac_override is checked first, then dac_read_search, so I guess we can even dontaudit the dac_override requests.
Okay, it's in (live ebuilds ok, will be in rev 8).
r8 in hardened-dev overlay
r8 is now in main tree, ~arch
r8 is now stable