[CentOS] Unable to open raw socket in CentOS 5 - SE Linux and kernel capability interaction?

S Roderick kiwi.net at mac.com
Sun Mar 9 13:49:37 UTC 2008


>>>> I was hoping that either via kernel capabilities or SE Linux that we
>>>> could avoid this. Both seem to offer exactly the feature we want,
>>>> opening raw sockets from unprivileged accounts. But it's really
>>>> unclear from all the docs online how these two interact. Best we
>>>> could do was try all the examples and approaches we could find - none
>>>> worked.
>>>>
>>>> I guess I can try trolling the kernel source ... ugh! ... to see if
>>>> your recollection is correct. I certainly hope there is another
>>>> option ...
>>>>
>>>> Thanks
>>>> S
>>>
>>> I think Ross is right. At my last contract with IBM some years back, we
>>> were doing some raw socket stuff. ISTR that we had no problems because
>>> we were real root applications. IIRC, docs specified root privileges.
>>
>>
>> I completely agree with the fact that raw sockets require root
>> privilege, that is the situation we're currently in and don't want to
>> continue with. But am I then completely misunderstanding when I think
>> that SE Linux can allow non-root access to certain "normally root
>> only" capabilities, on a per process basis? Certainly all the ping-
>> related SE Linux examples online all show precisely this: provide
>> access to raw sockets for a non-root process.
>>
>
> ping is suid root, though.

Agreed, ping normally is. But what the SE Linux examples are showing
is that you can remove the potential security hole of having ping be
suid root, and use a custom SE Linux module to allow it simply access
to raw sockets. Then, compromising ping gets you only raw socket
access and not full root access. At least, this is my understanding ...

S
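Added example (not part of the thread above, and not code from any poster): a small C probe that shows where a raw-socket open actually fails, which is the question the thread keeps circling. On Linux, socket(AF_INET, SOCK_RAW, ...) first passes through the LSM socket-create hook (an SELinux policy denial shows up as EACCES, logged as a rawip_socket create AVC), and only then hits the CAP_NET_RAW check (a missing capability, or SELinux refusing the capability use, shows up as EPERM). The probe also parses CapEff from /proc/self/status so you can see whether CAP_NET_RAW (bit 13, per linux/capability.h) is in the effective set at all. Assumptions: a Linux host with /proc mounted; the sample status lines in the comments and tests are constructed, not captured from a real system.

```c
/* rawprobe.c: classify why a raw IPv4 socket can or cannot be opened.
 * Added example; not from the CentOS list thread.
 * Build: cc -Wall -o rawprobe rawprobe.c */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bit number of CAP_NET_RAW in the CapEff bitmap (linux/capability.h). */
#define CAP_NET_RAW_BIT 13

/* Returns 1 if the "CapEff:" line of a /proc/<pid>/status text has the
 * given capability bit set, 0 if it is clear, -1 if no CapEff line exists.
 * Example (constructed): "CapEff:\t0000000000002000\n" has only bit 13 set. */
int status_has_cap(const char *status_text, int cap_bit)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL)
        return -1;
    unsigned long long caps = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (int)((caps >> cap_bit) & 1ULL);
}

/* Reads /proc/self/status and checks CAP_NET_RAW in the effective set. */
int self_has_cap_net_raw(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_cap(buf, CAP_NET_RAW_BIT);
}

enum raw_result { RAW_OK = 0, RAW_EPERM = 1, RAW_EACCES = 2, RAW_OTHER = 3 };

/* Opens (and immediately closes) a raw ICMP socket and classifies the
 * outcome. EACCES is returned by the LSM socket-create hook, so it points
 * at policy (e.g. SELinux) rather than at the capability set; EPERM is
 * the CAP_NET_RAW check failing. The raw errno is stored in *saved_errno. */
enum raw_result probe_raw_socket(int *saved_errno)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd >= 0) {
        close(fd);
        *saved_errno = 0;
        return RAW_OK;
    }
    *saved_errno = errno;
    if (errno == EPERM)
        return RAW_EPERM;
    if (errno == EACCES)
        return RAW_EACCES;
    return RAW_OTHER;
}

/* Human-readable explanation of a probe result. */
const char *explain(enum raw_result r)
{
    switch (r) {
    case RAW_OK:
        return "raw socket opened: CAP_NET_RAW is effective and policy allows it";
    case RAW_EPERM:
        return "EPERM: CAP_NET_RAW not usable (missing from CapEff, or the LSM denied the capability)";
    case RAW_EACCES:
        return "EACCES: LSM socket-create hook denied it (SELinux: look for rawip_socket create in audit.log)";
    default:
        return "unexpected error from socket()";
    }
}

int main(void)
{
    int err = 0;
    enum raw_result r = probe_raw_socket(&err);
    printf("uid=%d  CAP_NET_RAW in CapEff: %d\n", (int)getuid(), self_has_cap_net_raw());
    printf("%s (errno=%d)\n", explain(r), err);
    return r == RAW_OK ? 0 : 1;
}
```

Run it as root and as an ordinary user and compare the two lines. The unprivileged run is the one to study: EPERM means you are still at the capability hurdle (which is what an suid-root ping clears, and what file capabilities, available from kernel 2.6.24 so not on the stock CentOS 5 kernel, would clear without a full root uid), while EACCES means the capability was fine and it is the SELinux domain's policy that needs the rawip_socket create permission.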
