[CentOS] Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?

Mon Mar 3 14:14:11 UTC 2008
S Roderick <kiwi.net at mac.com>

I am wondering what the interaction is between SE Linux and the kernel  
"capabilities" in CentOS 5.1? I'm trying to open a raw socket and keep  
getting permission denied errors. I've tried using the lcap library to  
find that CAP_SETPCAP appears to be off in the kernel. For compliance  
reasons, I don't want to turn this on. I've also tried a hand-crafted  
SE Linux module policy. I have verified that the test program runs in  
the correct SE Linux domain and it generates no audit errors, but it  
still fails to open the socket with permission denied.

It appears that SE Linux is not preventing the socket being created  
(as evidenced by the lack of audit messages), so what am I missing? Do  
I still need to modify capabilities within the program, even if I'm  
using an SE Linux policy?

Thanks
S

Source file

#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/prctl.h>
#include <netinet/in.h>

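/*
 * Minimal probe: try to create an IPv4 raw socket and report the result.
 *
 * Returns 0 when the socket could be created and 1 otherwise, so a shell
 * wrapper can detect the failure without parsing the output. Errors go to
 * stderr; the success message stays on stdout.
 *
 * NOTE(review): socket(2) with SOCK_RAW is gated by a kernel capability
 * check (CAP_NET_RAW) that is evaluated before any SELinux access-vector
 * rule. If the process's effective capability set lacks CAP_NET_RAW the
 * call fails with EPERM and, as far as I can tell on this kernel
 * generation, no AVC denial is logged because the SELinux hook never
 * reaches its own check. An `allow <domain> self:capability net_raw` rule
 * permits a process that already holds the capability to use it; it does
 * not grant the capability. Confirm against the running kernel version.
 */
int
main(void)
{
	int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);

	if (fd == -1) {
		/* Capture errno first: argument evaluation order is unspecified and
		 * strerror() itself may modify errno. */
		int err = errno;
		fprintf(stderr, "Failed to open raw socket: %d=%s\n", err, strerror(err));
		return 1;
	}

	printf("Socket opened successfully\n");
	close(fd);
	return 0;
}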


SElinux .te file

policy_module(rawsox,1.0.0)

########################################
# Declarations

# rawsox_t is the domain the test program runs in; rawsox_exec_t labels the
# executable that enters it.
type rawsox_t;
type rawsox_exec_t;
domain_type(rawsox_t)
domain_entry_file(rawsox_t, rawsox_exec_t)
# Automatic transition unconfined_t -> rawsox_t when a rawsox_exec_t file is
# executed.
# NOTE(review): unconfined_t is neither declared in this module nor listed in
# the require block further down; presumably the headers supply it — confirm.
# Reference policy also provides domtrans_pattern() for this transition;
# check which form the installed policy headers expect.
domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t)

########################################
# Rawsox local policy

# these two didn't help
#corenet_raw_sendrecv_all_if( rawsox_t );
#corenet_raw_sendrecv_all_nodes( rawsox_t );

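# Types and classes this module uses but does not declare.
# NOTE(review): when built with policy_module() the class/permission
# declarations are normally supplied by the policy headers, so the class
# lines here are probably redundant — but if they are kept they must cover
# every permission the allow rules below use, which the original did not.
require {
        type lib_t;
        type ld_so_t;
        type ld_so_cache_t;
        type usr_t;
        type devpts_t;
        type rawsox_t;
        type etc_t;
        # Source domain of the domain_auto_trans() declared above.
        type unconfined_t;
        class lnk_file read;
        class dir search;
        class file { read getattr execute };
        class chr_file { read write getattr };
        # Permission lists now match the allow rules below; the original
        # listed only "create" for rawip_socket and only "net_raw" for
        # capability, and omitted unix_stream_socket entirely.
        class rawip_socket { create ioctl read write bind getopt setopt };
        class unix_stream_socket create_socket_perms;
        class capability { net_raw setuid };
}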

#============= rawsox_t ==============
# Permissions the test program needs to be loaded by the dynamic linker and
# to print to its terminal.
allow rawsox_t devpts_t:chr_file { read write getattr };
allow rawsox_t etc_t:dir search;
allow rawsox_t ld_so_cache_t:file { read getattr };
allow rawsox_t ld_so_t:file read;
allow rawsox_t lib_t:dir search;
allow rawsox_t lib_t:file { read getattr execute };
allow rawsox_t lib_t:lnk_file read;
allow rawsox_t usr_t:dir search;

# NOTE(review): this rule lets rawsox_t *use* CAP_NET_RAW and CAP_SETUID
# when the process already holds them in its effective set; it does not
# grant either capability. As far as I can tell, the kernel's own
# capability check runs before the SELinux one, so a process without
# CAP_NET_RAW gets EPERM from socket(2) with no AVC denial logged — which
# matches the symptom described above. The test program shown does not call
# setuid, so "setuid" looks unnecessary here; drop it unless something else
# needs it.
allow rawsox_t self:capability { net_raw setuid };
allow rawsox_t self:rawip_socket { create ioctl read write bind getopt  
setopt };
allow rawsox_t self:unix_stream_socket { create_socket_perms };