The raw socket option in the kernel only allows privileged processes to open them.
SELinux controls which privileged processes have the right to.
To allow an unprivileged process to access a raw socket you will need to write a proxy daemon that runs privileged and is allowed in SELinux to create a raw socket. This daemon can then provide a Unix socket to unprivileged processes whose access can be granted with its security modes and ownership either manually or through udev.
I thought that both the kernel capability approach and SELinux were designed to do just this: allow a typically "unprivileged" process access to a restricted subset of capabilities that normally require root privilege. Is this not correct?
In your last paragraph above, when you say "unprivileged process" do you mean a standard Unix process (i.e. an "unconfined_t" process in CentOS SELinux) or do you mean any non-root process? My understanding was (and please correct me if I'm wrong) that I can take a known process (e.g. many online examples use 'ping') and provide it with additional privileges (e.g. raw socket access) that a non-root (in that sense, unprivileged) process normally wouldn't have.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0