The raw socket option in the kernel only allows privileged processes to open one.
SELinux controls which privileged processes have the right to.
To allow an unprivileged process to access a raw socket you will need to write a proxy daemon that runs privileged and is allowed in SELinux to create a raw socket. This daemon can then provide a unix socket to unprivileged processes whose access can be granted with its security modes and ownership either manually or through udev.
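The privilege-separation pattern this reply describes, as an added illustration (not code from the thread or from any CentOS package): a daemon that opens the raw socket while privileged and exposes a unix socket whose file mode gates which local users may talk to it. The socket path, the 0660 mode and the use of a dedicated group are assumptions chosen for the example; the relay loop between the unix socket and the raw socket is left as a comment.

```c
/* Added example, not from the mailing list thread. Demonstrates the
 * "privileged proxy daemon + access-controlled unix socket" layout.
 * Assumed: socket path under /tmp, mode 0660; a real daemon would also
 * chown the socket to a dedicated group (by hand or via udev). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <unistd.h>

/* Try to open an IPv4 ICMP raw socket. This needs root or CAP_NET_RAW
 * (and SELinux permission); otherwise it returns -1 with errno set,
 * typically EPERM. */
int open_raw_socket(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Create a listening unix socket at `path` and restrict the socket file
 * to `mode`. Returns the listening fd, or -1 on error with errno set. */
int create_unix_listener(const char *path, mode_t mode)
{
    struct sockaddr_un addr;
    int fd;

    if (strlen(path) >= sizeof(addr.sun_path)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    unlink(path);                    /* remove a stale socket file, if any */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        chmod(path, mode) < 0 ||     /* explicit chmod: bind() honours umask */
        listen(fd, 8) < 0) {
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Return the permission bits of the socket file (or -1 if it is absent),
 * so the daemon can verify the access gate it just set up. */
int unix_socket_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

int main(void)
{
    char path[64];
    int raw, lfd;

    snprintf(path, sizeof(path), "/tmp/rawproxy-%ld.sock", (long)getpid());

    raw = open_raw_socket();
    if (raw < 0)
        printf("raw socket: %s (needs root or CAP_NET_RAW)\n", strerror(errno));
    else
        printf("raw socket opened as fd %d\n", raw);

    lfd = create_unix_listener(path, 0660);
    if (lfd < 0) {
        perror("unix listener");
        return 1;
    }
    printf("unix socket %s has mode %04o\n", path, unix_socket_mode(path));
    /* A real daemon would accept() clients here and relay their requests
     * to `raw`, keeping the raw socket itself out of their reach. */
    close(lfd);
    unlink(path);
    if (raw >= 0)
        close(raw);
    return 0;
}
```

Run as an ordinary user the raw socket open fails while the unix socket is still created with the restricted mode, which is the point of the split: only the daemon needs the privilege, and the policy that admits clients is ordinary file ownership and mode on the socket path.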
I thought that both the kernel capability approach and SE Linux were designed to do just this: allow a typically "unprivileged" process access to a restricted subset of capabilities that normally require root privilege. Is this not correct?
In your last paragraph above, when you say "unprivileged process" do you mean a standard unix process (ie an "unconfined_t" process in CentOS SE Linux) or do you mean any non-root process? My understanding is (and please correct me if I'm wrong) that I can take a known process (eg many online examples use 'ping') and provide it with additional privileges (eg raw socket access) that a non-root (in that sense, unprivileged) process normally wouldn't have.
----- Original Message -----
From: centos-bounces@centos.org
To: CentOS mailing list centos@centos.org
Sent: Fri Mar 07 17:44:15 2008
Subject: Re: [CentOS] Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
What are your current SELinux settings?

cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0