[CentOS] Unable open raw socket in CentOS 5 - SE Linux andkernelcapability interaction?
Matt Hyclak
hyclak at math.ohiou.edu
Sat Mar 8 14:55:16 UTC 2008
On Sat, Mar 08, 2008 at 08:44:10AM -0500, S Roderick enlightened us:
> >>I was hoping that either via kernel capabilities or SE Linux that we
> >>could avoid this. Both seem to offer exactly the feature we want,
> >>opening raw sockets from unprivileged accounts. But it's really
> >>unclear from all the doc's online how these two interact. Best we
> >>could do was try all the examples and approaches we could find - none
> >>worked.
> >>
> >>I guess I can try trolling the kernel source ... ugh! ... to see if
> >>your recollection is correct. I certainly hope there is another
> >>option ...
> >>
> >>Thanks
> >>S
> >
> >I think Ross is right. At my last contract with IBM some years back,
> >we
> >were doing some raw socket stuff. ISTR that we had no problems because
> >we were real root applications. IIRC, docs specified root privileges.
>
>
> I completely agree with the fact that raw sockets require root
> privilege, that is the situation we're currently in and don't want to
> continue with. But am I then completely misunderstanding when I think
> that SE Linux can allow non-root access to certain "normally root
> only" capabilities, on a per process basis? Certainly all the ping-
> related SE Linux examples online all show precisely this: provide
> access to raw sockets for a non-root process.
>
ping is suid root, though.
Matt
--
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263
More information about the CentOS
mailing list