[CentOS] Unable open raw socket in CentOS 5 - SE Linux andkernelcapability interaction?
S Roderick
kiwi.net at mac.com
Fri Mar 7 21:48:31 UTC 2008
I was hoping that either via kernel capabilities or SE Linux that we
could avoid this. Both seem to offer exactly the feature we want,
opening raw sockets from unprivileged accounts. But it's really
unclear from all the doc's online how these two interact. Best we
could do was try all the examples and approaches we could find - none
worked.
I guess I can try trolling the kernel source ... ugh! ... to see if
your recollection is correct. I certainly hope there is another
option ...
Thanks
S
On Mar 7, 2008, at 16:44 , Ross S. W. Walker wrote:
>
> I have read somewhere, where I can't remember, that 2.6
> kernels only allow raw sockets to be opened by root.
>
> You may need to have a write a proxy daemon to provide
> access to the socket from unprivileged accounts.
>
> -Ross
>
>
>> -----Original Message-----
>> From: centos-bounces at centos.org
>> [mailto:centos-bounces at centos.org] On Behalf Of S Roderick
>> Sent: Friday, March 07, 2008 4:40 PM
>> To: CentOS mailing list
>> Subject: Re: [CentOS] Unable open raw socket in CentOS 5 - SE
>> Linux andkernelcapability interaction?
>>
>> It runs fine under root and with sudo.
>> S
>>
>> On Mar 7, 2008, at 15:33 , Ross S. W. Walker wrote:
>>
>>>
>>> Does it run as 'root'?
>>>
>>> -Ross
>>>
>>>
>>>> -----Original Message-----
>>>> From: centos-bounces at centos.org
>>>> [mailto:centos-bounces at centos.org] On Behalf Of S Roderick
>>>> Sent: Friday, March 07, 2008 3:28 PM
>>>> To: CentOS mailing list
>>>> Subject: Re: [CentOS] Unable open raw socket in CentOS 5 - SE
>>>> Linux and kernelcapability interaction?
>>>>
>>>> Does anyone have any idea on this one? Based on everything
>>>> we've tried
>>>> with kernel capabilities and SE Linux parameters, we're missing
>>>> something. Have tried everything we can find online.
>>>>
>>>> Thanks
>>>> Stephen
>>>>
>>>> On Mar 3, 2008, at 09:14 , S Roderick wrote:
>>>>
>>>>> I am wondering what is the interaction between SE Linux and the
>>>>> kernel "capabilities" in CentOS 5.1? I'm trying to open a
>>>> raw socket
>>>>> and keep getting permission denied errors. I've tried using
>>>> the lcap
>>>>> library to find that CAP_SETPCAP appears to be off in the kernel.
>>>>> For compliance reasons, I don't want to turn this on. I've also
>>>>> tried a hand-crafted SE Linux module policy. I have verified that
>>>>> the test program runs in the correct SE Linux domain and it
>>>>> generates no audit errors, but it still fails to open the
>>>> port with
>>>>> permission denied.
>>>>>
>>>>> It appears that SE Linux is not preventing the socket being
>>>> created
>>>>> (as evidenced by the lack of audit messages), so what am I
>>>> missing?
>>>>> Do I still need to modify capabilities within the program, even if
>>>>> I'm using an SE Linux policy?
>>>>>
>>>>> Thanks
>>>>> S
>>>>>
>>>>> Source file
>>>>>
>>>>> #include <stdio.h>
>>>>> #include <unistd.h>
>>>>> #include <errno.h>
>>>>> #include <string.h>
>>>>> #include <sys/socket.h>
>>>>> #include <sys/types.h>
>>>>> #include <sys/prctl.h>
>>>>> #include <netinet/in.h>
>>>>>
>>>>> int
>>>>> main(void)
>>>>> {
>>>>> int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
>>>>> if (-1 == fd)
>>>>> {
>>>>> printf("Failed to open raw socket: %d=%s\n", errno,
>>>>> strerror(errno));
>>>>> }
>>>>> else
>>>>> {
>>>>> printf("Socket opened successfully\n");
>>>>> close(fd);
>>>>> }
>>>>> return 0;
>>>>> }
>>>>>
>>>>>
>>>>> SElinux .te file
>>>>>
>>>>> policy_module(rawsox,1.0.0)
>>>>>
>>>>> ########################################
>>>>> # Declarations
>>>>>
>>>>> type rawsox_t;
>>>>> type rawsox_exec_t;
>>>>> domain_type(rawsox_t)
>>>>> domain_entry_file(rawsox_t, rawsox_exec_t)
>>>>> domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t)
>>>>>
>>>>> ########################################
>>>>> # Rawsox local policy
>>>>>
>>>>> # these two didn't help
>>>>> #corenet_raw_sendrecv_all_if( rawsox_t );
>>>>> #corenet_raw_sendrecv_all_nodes( rawsox_t );
>>>>>
>>>>> require {
>>>>> type lib_t;
>>>>> type ld_so_t;
>>>>> type ld_so_cache_t;
>>>>> type usr_t;
>>>>> type devpts_t;
>>>>> type rawsox_t;
>>>>> type etc_t;
>>>>> class lnk_file read;
>>>>> class dir search;
>>>>> class file { read getattr execute };
>>>>> class chr_file { read write getattr };
>>>>> class rawip_socket create;
>>>>> class capability net_raw;
>>>>> }
>>>>>
>>>>> #============= rawsox_t ==============
>>>>> allow rawsox_t devpts_t:chr_file { read write getattr };
>>>>> allow rawsox_t etc_t:dir search;
>>>>> allow rawsox_t ld_so_cache_t:file { read getattr };
>>>>> allow rawsox_t ld_so_t:file read;
>>>>> allow rawsox_t lib_t:dir search;
>>>>> allow rawsox_t lib_t:file { read getattr execute };
>>>>> allow rawsox_t lib_t:lnk_file read;
>>>>> allow rawsox_t usr_t:dir search;
>>>>>
>>>>> allow rawsox_t self:capability { net_raw setuid };
>>>>> allow rawsox_t self:rawip_socket { create ioctl read write bind
>>>>> getopt setopt };
>>>>> allow rawsox_t self:unix_stream_socket { create_socket_perms };
>>>>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>
> ______________________________________________________________________
> This e-mail, and any attachments thereto, is intended only for use by
> the addressee(s) named herein and may contain legally privileged
> and/or confidential information. If you are not the intended recipient
> of this e-mail, you are hereby notified that any dissemination,
> distribution or copying of this e-mail, and any attachments thereto,
> is strictly prohibited. If you have received this e-mail in error,
> please immediately notify the sender and permanently delete the
> original and any copy or printout thereof.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
More information about the CentOS
mailing list