[tacacs]: Fix tcpdump report error when tacacs enabled (sonic-net#16372) (sonic-net#17077)

mssonicbld · web-flow · commit fbf30ec6a856 · 2023-11-03T04:31:18.000+08:00
diff --git a/build_debian.sh b/build_debian.sh
@@ -424,6 +424,10 @@ LogsDirectory=audit
 LogsDirectoryMode=0750
 EOF
 
+# latest tcpdump control resource access with AppArmor.
+# override tcpdump profile to allow tcpdump access TACACS config file.
+sudo cp files/apparmor/usr.bin.tcpdump $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.bin.tcpdump
+
 if [[ $CONFIGURED_ARCH == amd64 ]]; then
 ## Pre-install the fundamental packages for amd64 (x86)
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install      \
diff --git a/files/apparmor/usr.bin.tcpdump b/files/apparmor/usr.bin.tcpdump
@@ -0,0 +1,2 @@
+# tcpdump will call getpwnam get current user information, the NSS plugin nss_tacplus hook this API and need access tacacs config file.
+/etc/tacplus_nss.conf r,

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# tcpdump will call getpwnam get current user information, the NSS plugin nss_tacplus hook this API and need access tacacs config file.`
	`2`	`+/etc/tacplus_nss.conf r,`