AppArmor tcpdump — kernel audit denials for /usr/sbin/tcpdump (first block), followed by the tcpdump profile as dumped with every #include inlined (second block; each `##included <...>` line marks where the contents of that include file begin).
Reading the denials: all 31 events come from one process (pid 14197, parent 25683) within roughly a millisecond. The alternating `family="packet" sock_type="raw"` / `sock_type="packet"` pairs with protocol=768 (0x0300, i.e. htons(ETH_P_ALL)) are the AF_PACKET capture socket libpcap tries to open — presumably SOCK_RAW first with a fallback to the legacy SOCK_PACKET interface, repeated per candidate interface — and the final event is an AF_INET SOCK_DGRAM socket, presumably for interface ioctls.
Caveat before adding rules: every one of these socket creates is already permitted by the dump below (`network raw,` and `network packet,` in the profile body; `network inet dgram,` from the kerberosclient abstraction pulled in by nameservice), and the events say apparmor="DENIED" while the dumped profile carries flags=(complain) — a complain-mode profile logs ALLOWED, not DENIED. The profile the kernel was enforcing when these were logged is therefore not the text shown here. Reload it (`apparmor_parser -r /etc/apparmor.d/usr.sbin.tcpdump`), confirm the loaded mode with `aa-status`, and reproduce before changing any rules.
Dec 15 22:20:55 nilesh kernel: [60252.781731] type=1400 audit(1418710855.725:1890): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.781832] type=1400 audit(1418710855.725:1891): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.781893] type=1400 audit(1418710855.725:1892): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.781926] type=1400 audit(1418710855.725:1893): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.781968] type=1400 audit(1418710855.725:1894): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782000] type=1400 audit(1418710855.725:1895): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782040] type=1400 audit(1418710855.725:1896): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782071] type=1400 audit(1418710855.725:1897): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782111] type=1400 audit(1418710855.725:1898): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782141] type=1400 audit(1418710855.725:1899): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782180] type=1400 audit(1418710855.725:1900): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782211] type=1400 audit(1418710855.725:1901): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782249] type=1400 audit(1418710855.725:1902): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782279] type=1400 audit(1418710855.725:1903): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782318] type=1400 audit(1418710855.725:1904): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782348] type=1400 audit(1418710855.725:1905): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782386] type=1400 audit(1418710855.725:1906): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782416] type=1400 audit(1418710855.725:1907): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782455] type=1400 audit(1418710855.725:1908): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782484] type=1400 audit(1418710855.725:1909): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782523] type=1400 audit(1418710855.725:1910): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782553] type=1400 audit(1418710855.725:1911): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782591] type=1400 audit(1418710855.725:1912): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782621] type=1400 audit(1418710855.725:1913): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782659] type=1400 audit(1418710855.725:1914): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782689] type=1400 audit(1418710855.725:1915): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782727] type=1400 audit(1418710855.725:1916): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782757] type=1400 audit(1418710855.725:1917): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782795] type=1400 audit(1418710855.725:1918): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="raw" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782825] type=1400 audit(1418710855.725:1919): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="packet" sock_type="packet" protocol=768
Dec 15 22:20:55 nilesh kernel: [60252.782926] type=1400 audit(1418710855.725:1920): apparmor="DENIED" operation="create" parent=25683 profile="/usr/sbin/tcpdump" pid=14197 comm="tcpdump" family="inet" sock_type="dgram" protocol=0
# vim:syntax=apparmor
# Last Modified: Wed Feb 3 07:58:30 2009
# Author: Jamie Strandboge <jamie@canonical.com>
##included <tunables/global>
# ------------------------------------------------------------------
#
# Copyright (C) 2006-2009 Novell/SUSE
# Copyright (C) 2010-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# All the tunables definitions that should be available to every profile
# should be included here
##included <tunables/home>
# ------------------------------------------------------------------
#
# Copyright (C) 2006-2009 Novell/SUSE
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# @{HOME} is a space-separated list of all user home directories. While
# it doesn't refer to a specific home directory (AppArmor doesn't
# enforce discretionary access controls) it can be used as if it did
# refer to a specific home directory
@{HOME}=@{HOMEDIRS}/*/ /root/
# @{HOMEDIRS} is a space-separated list of where user home directories
# are stored, for programs that must enumerate all home directories on a
# system.
@{HOMEDIRS}=/home/
# Also, include files in tunables/home.d for site-specific adjustments to
# @{HOMEDIRS}.
##included <tunables/home.d>
# This file is auto-generated. It is recommended you update it using:
# $ sudo dpkg-reconfigure apparmor
#
# The following is a space-separated list of where additional user home
# directories are stored, each must have a trailing '/'. Directories added
# here are appended to @{HOMEDIRS}. See tunables/home for details.
#@{HOMEDIRS}+=
##included <tunables/multiarch>
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# @{multiarch} is the set of patterns matching multi-arch library
# install prefixes.
@{multiarch}=*-linux-gnu*
# Also, include files in tunables/multiarch.d for site and packaging
# specific adjustments to @{multiarch}.
##included <tunables/multiarch.d>
##included <tunables/proc>
# ------------------------------------------------------------------
#
# Copyright (C) 2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# @{PROC} is the location where procfs is mounted.
@{PROC}=/proc/
##included <tunables/alias>
# ------------------------------------------------------------------
#
# Copyright (C) 2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Alias rules can be used to rewrite paths and are done after variable
# resolution. For example, if '/usr' is on removable media:
# alias /usr/ -> /mnt/usr/,
#
# Or if mysql databases are stored in /home:
# alias /var/lib/mysql/ -> /home/mysql/,
/usr/sbin/tcpdump flags=(complain) {
##included <abstractions/base>
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# (Note that the ldd profile has inlined this file; if you make
# modifications here, please consider including them in the ldd
# profile as well.)
# The __canary_death_handler function writes a time-stamped log
# message to /dev/log for logging by syslogd. So, /dev/log, timezones,
# and localisations of date should be available EVERYWHERE, so
# StackGuard, FormatGuard, etc., alerts can be properly logged.
/dev/log w,
/dev/random r,
/dev/urandom r,
/etc/locale/** r,
/etc/locale.alias r,
/etc/localtime r,
/usr/share/locale-langpack/** r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
/usr/share/zoneinfo/ r,
/usr/share/zoneinfo/** r,
/usr/share/X11/locale/** r,
/usr/lib{,32,64}/locale/** mr,
/usr/lib{,32,64}/gconv/*.so mr,
/usr/lib{,32,64}/gconv/gconv-modules* mr,
/usr/lib/@{multiarch}/gconv/*.so mr,
/usr/lib/@{multiarch}/gconv/gconv-modules mr,
# used by glibc when binding to ephemeral ports
/etc/bindresvport.blacklist r,
# ld.so.cache and ld are used to load shared libraries; they are best
# available everywhere
/etc/ld.so.cache mr,
/lib{,32,64}/ld{,32,64}-*.so mrix,
/lib{,32,64}/**/ld{,32,64}-*.so mrix,
/lib/@{multiarch}/ld{,32,64}-*.so mrix,
/lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
# we might as well allow everything to use common libraries
/lib{,32,64}/** r,
/lib{,32,64}/lib*.so* mr,
/lib{,32,64}/**/lib*.so* mr,
/lib/@{multiarch}/** r,
/lib/@{multiarch}/lib*.so* mr,
/lib/@{multiarch}/**/lib*.so* mr,
/usr/lib{,32,64}/** r,
/usr/lib{,32,64}/*.so* mr,
/usr/lib{,32,64}/**/lib*.so* mr,
/usr/lib/@{multiarch}/** r,
/usr/lib/@{multiarch}/lib*.so* mr,
/usr/lib/@{multiarch}/**/lib*.so* mr,
/lib/tls/i686/{cmov,nosegneg}/lib*.so* mr,
/lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/lib*.so* mr,
# /dev/null is pretty harmless and frequently used
/dev/null rw,
# as is /dev/zero
/dev/zero rw,
# recent glibc uses /dev/full in preference to /dev/null for programs
# that don't have open fds at exec()
/dev/full rw,
# Sometimes used to determine kernel/user interfaces to use
@{PROC}/sys/kernel/version r,
# Depending on which glibc routine uses this file, base may not be the
# best place -- but many profiles require it, and it is quite harmless.
@{PROC}/sys/kernel/ngroups_max r,
# glibc's sysconf(3) routine to determine free memory, etc
@{PROC}/meminfo r,
@{PROC}/stat r,
@{PROC}/cpuinfo r,
# glibc's *printf protections read the maps file
@{PROC}/*/maps r,
# libgcrypt reads some flags from /proc
@{PROC}/sys/crypto/* r,
# some applications will display license information
/usr/share/common-licenses/** r,
# glibc statvfs
@{PROC}/filesystems r,
# Workaround https://launchpad.net/bugs/359338 until upstream handles stacked
# filesystems generally. This does not appreciably decrease security with
# Ubuntu profiles because the user is expected to have access to files owned
# by him/her. Exceptions to this are explicit in the profiles. While this rule
# grants access to those exceptions, the intended privacy is maintained due to
# the encrypted contents of the files in this directory. Files in this
# directory will also use filename encryption by default, so the files are
# further protected. Also, with the use of 'owner', this rule properly
# prevents access to the files from processes running under a different uid.
# encrypted ~/.Private and old-style encrypted $HOME
owner @{HOME}/.Private/** mrixwlk,
# new-style encrypted $HOME
owner @{HOMEDIRS}/.ecryptfs/*/.Private/** mrixwlk,
##included <abstractions/nameservice>
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# Many programs wish to perform nameservice-like operations, such as
# looking up users by name or id, groups by name or id, hosts by name
# or IP, etc. These operations may be performed through files, dns,
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
# Note that "all" includes read access to /etc/ldap.secret (the LDAP
# bind password) below and to /etc/krb5.keytab via the kerberosclient
# include further down: any profile that pulls in this abstraction can
# read both, so their protection rests on file ownership and mode, not
# on AppArmor.
/etc/group r,
/etc/host.conf r,
/etc/hosts r,
/etc/ldap.conf r,
/etc/ldap.secret r,
/etc/nsswitch.conf r,
/etc/gai.conf r,
/etc/passwd r,
/etc/protocols r,
/etc/resolv.conf r,
# on systems using resolvconf, /etc/resolv.conf is a symlink to
# /var/run/resolvconf/resolv.conf and a file sometimes referenced in
# /etc/resolvconf/run/resolv.conf
/var/run/resolvconf/resolv.conf r,
/etc/resolvconf/run/resolv.conf r,
/etc/samba/lmhosts r,
/etc/services r,
# all openldap config
/etc/openldap/* r,
/etc/ldap/** r,
# db backend
/var/lib/misc/*.db r,
# The Name Service Cache Daemon can cache lookups, sometimes leading
# to vast speed increases when working with network-based lookups.
/var/run/.nscd_socket rw,
/var/run/nscd/socket rw,
/var/{db,cache,run}/nscd/{passwd,group,services,host} r,
# nscd renames and unlinks files in its operation that clients will
# have open
/var/run/nscd/db* rmix,
# The nss libraries are sometimes used in addition to PAM; make sure
# they are available
/lib{,32,64}/libnss_*.so* mr,
/usr/lib{,32,64}/libnss_*.so* mr,
/lib/@{multiarch}/libnss_*.so* mr,
/usr/lib/@{multiarch}/libnss_*.so* mr,
/etc/default/nss r,
# avahi-daemon is used for mdns4 resolution
/var/run/avahi-daemon/socket w,
# nis
##included <abstractions/nis>
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# NIS rules
/var/yp/binding/* r,
# portmapper may ask root processes to do nis/ldap at low ports
capability net_bind_service,
# winbind
##included <abstractions/winbind>
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# pam_winbindd
/tmp/.winbindd/pipe rw,
/var/{lib,run}/samba/winbindd_privileged/pipe rw,
/etc/samba/smb.conf r,
/usr/lib/samba/valid.dat r,
/usr/lib/samba/upcase.dat r,
/usr/lib/samba/lowcase.dat r,
# likewise
##included <abstractions/likewise>
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2009 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
/tmp/.lwidentity/pipe rw,
/var/lib/likewise-open/lwidentity_privileged/pipe rw,
# mdnsd
##included <abstractions/mdns>
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2006 Novell/SUSE
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# mdnsd
/etc/nss_mdns.conf r,
/var/run/mdnsd w,
# kerberos
##included <abstractions/kerberosclient>
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2011 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# files required by kerberos client programs
/usr/lib{,32,64}/krb5/plugins/libkrb5/ r,
/usr/lib{,32,64}/krb5/plugins/libkrb5/* mr,
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/ r,
/usr/lib/@{multiarch}/krb5/plugins/libkrb5/* mr,
/usr/lib{,32,64}/krb5/plugins/preauth/ r,
/usr/lib{,32,64}/krb5/plugins/preauth/* mr,
/usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
/usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
/etc/krb5.keytab r,
/etc/krb5.conf r,
# config files found via strings on libs
/etc/krb.conf r,
/etc/krb.realms r,
/etc/srvtab r,
# credential caches
/tmp/krb5cc* r,
# TCP/UDP network access. Note that these four rules grant unrestricted
# IPv4/IPv6 TCP and UDP socket use to every profile that includes
# nameservice; network rules here select only family and type, not
# address or port, so for a capture tool this is an outbound channel
# well beyond name resolution. Egress restriction has to come from the
# host firewall, not from this profile.
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
# interface details
@{PROC}/*/net/route r,
##included <abstractions/user-tmp>
# ------------------------------------------------------------------
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2010 Canonical Ltd.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# per-user tmp directories
owner @{HOME}/tmp/** rwkl,
owner @{HOME}/tmp/ rw,
# global tmp directories
owner /var/tmp/** rwkl,
/var/tmp/ rw,
owner /tmp/** rwkl,
/tmp/ rw,
capability net_raw,
capability setuid,
capability setgid,
capability dac_override,
network raw,
network packet,
# for -D (interface listing). Caveat: CAP_SYS_MODULE lets the confined
# process load and unload kernel modules, which amounts to unconfined
# kernel access should tcpdump's dissectors be compromised by crafted
# traffic. Before keeping it, verify on your libpcap build that -D and
# the captures you need still work without it (the /proc, /sys and
# usbmon rules in this section cover the ordinary interface lookups).
capability sys_module,
@{PROC}/bus/usb/ r,
@{PROC}/bus/usb/** r,
# for finding an interface
@{PROC}/[0-9]*/net/dev r,
/sys/bus/usb/devices/ r,
/sys/class/net/ r,
/sys/devices/**/net/* r,
# for tracing USB bus, which libpcap supports
/dev/usbmon* r,
/dev/bus/usb/ r,
/dev/bus/usb/** r,
# for init_etherarray(), with -e
/etc/ethers r,
# for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
/dev/bus/usb/**/[0-9]* w,
# for -F and -w. The audit deny rules on @{HOME}/.* and @{HOME}/bin/
# exist so that a capture written with -w cannot land in dotfiles or in
# a directory whose contents get executed; the `/usr/local/** rw,` rule
# further down reopens that hole system-wide, since it lets tcpdump
# create or overwrite anything under /usr/local/bin, /usr/local/sbin
# and /usr/local/lib. Narrow it to the one directory captures are
# actually written to (e.g. `/usr/local/captures/** rw,`) or drop it.
audit deny @{HOME}/.* mrwkl,
audit deny @{HOME}/.*/ rw,
audit deny @{HOME}/.*/** mrwkl,
audit deny @{HOME}/bin/ rw,
audit deny @{HOME}/bin/** mrwkl,
owner @{HOME}/ r,
owner @{HOME}/** rw,
/usr/local/** rw,
/usr/sbin/tcpdump r,
# Site-specific additions and overrides. See local/README for details.
##included <local/usr.sbin.tcpdump>
# Site-specific additions and overrides for usr.sbin.tcpdump.
# For more details, please see /etc/apparmor.d/local/README.
}