Package: tcpdump
Version: 4.99.1-3
Severity: normal

I have this problem both with Debian 11 and Debian unstable:

When trying to use something like "-w /some/file/name.pcap -C 1 -W 10", tcpdump gets -EACCES when trying to open the file:

    openat(AT_FDCWD, "/var/pcap/lapd.pcap0", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)

Manually changing UID to tcpdump and trying to create the file works.

Audit log shows:

    [ 1975.392192] audit: type=1400 audit(1651910055.299:16): apparmor="DENIED" operation="mknod" profile="tcpdump" name="/var/pcap/lapd.pcap0" pid=2003 comm="tcpdump" requested_mask="c" denied_mask="c" fsuid=106 ouid=106

The problem seems to be that the AppArmor profile assumes that pcap files end in pcap. However, when using the -W option, there is a numerical suffix after the pcap, breaking that assumption.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-5-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_DIE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tcpdump depends on:
ii  adduser     3.121
ii  libc6       2.33-7
ii  libpcap0.8  1.10.1-4
ii  libssl1.1   1.1.1n-1

tcpdump recommends no packages.

Versions of packages tcpdump suggests:
ii  apparmor  3.0.4-2

-- no debconf information
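
The following is an added example, not part of the original report and not code from tcpdump or AppArmor. It parses the audit record quoted above and checks the rotated file names against a profile rule. Assumptions: the rule text `/**.[pP][cC][aA][pP]` (a pattern that only admits names ending in ".pcap", as the report describes) and the zero-padded index naming for -W, which matches the `lapd.pcap0` seen in the denial.

```python
import re

# Constructed from the audit line quoted in the report above.
SAMPLE = ('audit: type=1400 audit(1651910055.299:16): apparmor="DENIED" '
          'operation="mknod" profile="tcpdump" name="/var/pcap/lapd.pcap0" '
          'pid=2003 comm="tcpdump" requested_mask="c" denied_mask="c" '
          'fsuid=106 ouid=106')

# Assumption: a profile rule that only admits names ending in ".pcap".
ASSUMED_RULE = "/**.[pP][cC][aA][pP]"


def parse_denial(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def glob_to_regex(glob):
    """Translate the AppArmor glob subset **, *, ? and [...] to a regex."""
    # "**" crosses "/" boundaries; "*" and "?" stay inside one path component.
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = []
    for tok in re.findall(r"\*\*|\*|\?|\[[^\]]+\]|.", glob):
        if tok in table:
            parts.append(table[tok])
        elif tok.startswith("[") and len(tok) > 1:
            parts.append(tok)            # character class, same syntax as regex
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts) + r"\Z")


def rotated_names(base, count):
    """File names for -w base -C n -W count (assumed zero-padded index suffix)."""
    width = len(str(count - 1))
    return [f"{base}{i:0{width}d}" for i in range(count)]


def blocked(names, rule=ASSUMED_RULE):
    """Names the rule does not match, i.e. those the profile would deny."""
    rx = glob_to_regex(rule)
    return [n for n in names if not rx.match(n)]


if __name__ == "__main__":
    rec = parse_denial(SAMPLE)
    print(rec["profile"], rec["operation"], rec["name"], blocked([rec["name"]]))
    print(blocked(rotated_names("/var/pcap/lapd.pcap", 10)))
```

Running the same check with a candidate replacement rule passed as `rule=` shows whether a proposed profile change would cover every rotated name before it is loaded.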