[CentOS] Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?

Fri Mar 7 21:39:38 UTC 2008
S Roderick <kiwi.net at mac.com>

It runs fine under root and with sudo.
S

On Mar 7, 2008, at 15:33 , Ross S. W. Walker wrote:

>
> Does it run as 'root'?
>
> -Ross
>
>
>> -----Original Message-----
>> From: centos-bounces at centos.org
>> [mailto:centos-bounces at centos.org] On Behalf Of S Roderick
>> Sent: Friday, March 07, 2008 3:28 PM
>> To: CentOS mailing list
>> Subject: Re: [CentOS] Unable open raw socket in CentOS 5 - SE
>> Linux and kernel capability interaction?
>>
>> Does anyone have any idea on this one? Based on everything
>> we've tried
>> with kernel capabilities and SE Linux parameters, we're missing
>> something. Have tried everything we can find online.
>>
>> Thanks
>> Stephen
>>
>> On Mar 3, 2008, at 09:14 , S Roderick wrote:
>>
>>> I am wondering what is the interaction between SE Linux and the
>>> kernel "capabilities" in CentOS 5.1? I'm trying to open a raw socket
>>> and keep getting permission denied errors. I've tried using the lcap
>>> library to find that CAP_SETPCAP appears to be off in the kernel.
>>> For compliance reasons, I don't want to turn this on. I've also
>>> tried a hand-crafted SE Linux module policy. I have verified that
>>> the test program runs in the correct SE Linux domain and it
>>> generates no audit errors, but it still fails to open the port with
>>> permission denied.
>>>
>>> It appears that SE Linux is not preventing the socket being created
>>> (as evidenced by the lack of audit messages), so what am I missing?
>>> Do I still need to modify capabilities within the program, even if
>>> I'm using an SE Linux policy?
>>>
>>> Thanks
>>> S
>>>
>>> Source file
>>>
>>> #include <stdio.h>
>>> #include <unistd.h>
>>> #include <errno.h>
>>> #include <string.h>
>>> #include <sys/socket.h>
>>> #include <sys/types.h>
>>> #include <sys/prctl.h>
>>> #include <netinet/in.h>
>>>
>>> int
>>> main(void)
>>> {
>>> 	/* SOCK_RAW needs CAP_NET_RAW in the effective set; without it
>>> 	   socket() fails with EPERM regardless of SELinux policy. */
>>> 	int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
>>> 	if (-1 == fd)
>>> 	{
>>> 		printf("Failed to open raw socket: %d=%s\n", errno, strerror(errno));
>>> 	}
>>> 	else
>>> 	{
>>> 		printf("Socket opened successfully\n");
>>> 		close(fd);
>>> 	}
>>> 	return 0;
>>> }
>>>
>>>
>>> SElinux .te file
>>>
>>> policy_module(rawsox,1.0.0)
>>>
>>> ########################################
>>> # Declarations
>>>
>>> type rawsox_t;
>>> type rawsox_exec_t;
>>> domain_type(rawsox_t)
>>> domain_entry_file(rawsox_t, rawsox_exec_t)
>>> domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t)
>>>
>>> ########################################
>>> # Rawsox local policy
>>>
>>> # these two didn't help
>>> #corenet_raw_sendrecv_all_if( rawsox_t );
>>> #corenet_raw_sendrecv_all_nodes( rawsox_t );
>>>
>>> require {
>>>      type lib_t;
>>>      type ld_so_t;
>>>      type ld_so_cache_t;
>>>      type usr_t;
>>>      type devpts_t;
>>>      type rawsox_t;
>>>      type etc_t;
>>>      class lnk_file read;
>>>      class dir search;
>>>      class file { read getattr execute };
>>>      class chr_file { read write getattr };
>>>      class rawip_socket create;
>>>      class capability net_raw;
>>> }
>>>
>>> #============= rawsox_t ==============
>>> allow rawsox_t devpts_t:chr_file { read write getattr };
>>> allow rawsox_t etc_t:dir search;
>>> allow rawsox_t ld_so_cache_t:file { read getattr };
>>> allow rawsox_t ld_so_t:file read;
>>> allow rawsox_t lib_t:dir search;
>>> allow rawsox_t lib_t:file { read getattr execute };
>>> allow rawsox_t lib_t:lnk_file read;
>>> allow rawsox_t usr_t:dir search;
>>>
>>> allow rawsox_t self:capability { net_raw setuid };
>>> allow rawsox_t self:rawip_socket { create ioctl read write bind
>>> getopt setopt };
>>> allow rawsox_t self:unix_stream_socket { create_socket_perms };
>>>