It runs fine under root and with sudo.

S

On Mar 7, 2008, at 15:33 , Ross S. W. Walker wrote:

>
> Does it run as 'root'?
>
> -Ross
>
>
>> -----Original Message-----
>> From: centos-bounces at centos.org
>> [mailto:centos-bounces at centos.org] On Behalf Of S Roderick
>> Sent: Friday, March 07, 2008 3:28 PM
>> To: CentOS mailing list
>> Subject: Re: [CentOS] Unable to open raw socket in CentOS 5 - SE
>> Linux and kernel capability interaction?
>>
>> Does anyone have any idea on this one? Based on everything
>> we've tried with kernel capabilities and SE Linux parameters,
>> we're missing something. Have tried everything we can find online.
>>
>> Thanks
>> Stephen
>>
>> On Mar 3, 2008, at 09:14 , S Roderick wrote:
>>
>>> I am wondering what is the interaction between SE Linux and the
>>> kernel "capabilities" in CentOS 5.1? I'm trying to open a raw socket
>>> and keep getting permission denied errors. I've tried using the lcap
>>> library to find that CAP_SETPCAP appears to be off in the kernel.
>>> For compliance reasons, I don't want to turn this on. I've also
>>> tried a hand-crafted SE Linux module policy. I have verified that
>>> the test program runs in the correct SE Linux domain and it
>>> generates no audit errors, but it still fails to open the port with
>>> permission denied.
>>>
>>> It appears that SE Linux is not preventing the socket being created
>>> (as evidenced by the lack of audit messages), so what am I missing?
>>> Do I still need to modify capabilities within the program, even if
>>> I'm using an SE Linux policy?
>>>
>>> Thanks
>>> S
>>>
>>> Source file
>>>
>>> #include <stdio.h>
>>> #include <unistd.h>
>>> #include <errno.h>
>>> #include <string.h>
>>> #include <sys/socket.h>
>>> #include <sys/types.h>
>>> #include <sys/prctl.h>
>>> #include <netinet/in.h>
>>>
>>> int
>>> main(void)
>>> {
>>>     /* raw IPv4 socket: the kernel requires CAP_NET_RAW for this */
>>>     int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
>>>     if (-1 == fd)
>>>     {
>>>         printf("Failed to open raw socket: %d=%s\n", errno,
>>>                strerror(errno));
>>>     }
>>>     else
>>>     {
>>>         printf("Socket opened successfully\n");
>>>         close(fd);
>>>     }
>>>     return 0;
>>> }
>>>
>>>
>>> SElinux .te file
>>>
>>> policy_module(rawsox,1.0.0)
>>>
>>> ########################################
>>> # Declarations
>>>
>>> type rawsox_t;
>>> type rawsox_exec_t;
>>> domain_type(rawsox_t)
>>> domain_entry_file(rawsox_t, rawsox_exec_t)
>>> domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t)
>>>
>>> ########################################
>>> # Rawsox local policy
>>>
>>> # these two didn't help
>>> #corenet_raw_sendrecv_all_if( rawsox_t );
>>> #corenet_raw_sendrecv_all_nodes( rawsox_t );
>>>
>>> require {
>>>     type lib_t;
>>>     type ld_so_t;
>>>     type ld_so_cache_t;
>>>     type usr_t;
>>>     type devpts_t;
>>>     type rawsox_t;
>>>     type etc_t;
>>>     class lnk_file read;
>>>     class dir search;
>>>     class file { read getattr execute };
>>>     class chr_file { read write getattr };
>>>     class rawip_socket create;
>>>     class capability net_raw;
>>> }
>>>
>>> #============= rawsox_t ==============
>>> allow rawsox_t devpts_t:chr_file { read write getattr };
>>> allow rawsox_t etc_t:dir search;
>>> allow rawsox_t ld_so_cache_t:file { read getattr };
>>> allow rawsox_t ld_so_t:file read;
>>> allow rawsox_t lib_t:dir search;
>>> allow rawsox_t lib_t:file { read getattr execute };
>>> allow rawsox_t lib_t:lnk_file read;
>>> allow rawsox_t usr_t:dir search;
>>>
>>> allow rawsox_t self:capability { net_raw setuid };
>>> allow rawsox_t self:rawip_socket { create ioctl read write bind
>>>     getopt setopt };
>>> allow rawsox_t self:unix_stream_socket { create_socket_perms };
>>>
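The thread turns on which layer is refusing the call: the kernel's DAC/capability check or the SELinux (MAC) hook. The program below is an added diagnostic example, not code from the thread or from any of its participants. It repeats the test socket() call, reads the effective capability set from /proc/self/status (assumed Linux; CAP_NET_RAW is bit 13 in <linux/capability.h>), and maps the failure code to the layer that produced it: inet_create() returns EPERM when CAP_NET_RAW is missing, while an SELinux denial of rawip_socket:create surfaces as EACCES. The function names and strings are this example's own.

```c
/* Added example (not from the original thread): tell a capability
 * refusal apart from an SELinux refusal when a raw socket cannot be
 * opened. Assumes Linux: CapEff in /proc/self/status and
 * CAP_NET_RAW == bit 13 (value from <linux/capability.h>). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define CAP_NET_RAW_BIT 13  /* CAP_NET_RAW in <linux/capability.h> */

/* Return 1 if bit `bit` is set in a capability mask written as the hex
 * string /proc/self/status prints, e.g. "0000003fffffffff". */
int cap_hex_has_bit(const char *hex, int bit)
{
    unsigned long long mask = strtoull(hex, NULL, 16);
    return (int)((mask >> bit) & 1ULL);
}

/* Read the CapEff line of /proc/self/status and test one bit.
 * Returns 1 (held), 0 (not held) or -1 if the file cannot be read. */
int effective_cap(int bit)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int result = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t')
                p++;
            result = cap_hex_has_bit(p, bit);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Same call as the thread's test program; returns the fd or -1 and
 * stores the failure code (0 on success) in *err. */
int try_raw_socket(int *err)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
    *err = (fd == -1) ? errno : 0;
    return fd;
}

/* Map errno to the layer that refused the call. The capability check
 * in inet_create() fails with EPERM; an SELinux avc denial of
 * rawip_socket:create fails with EACCES. */
const char *diagnose(int err)
{
    switch (err) {
    case 0:      return "ok";
    case EPERM:  return "capability check failed: process lacks CAP_NET_RAW";
    case EACCES: return "MAC denial: check audit log / dontaudit rules";
    default:     return "other failure";
    }
}

int main(void)
{
    int err;
    int has = effective_cap(CAP_NET_RAW_BIT);
    int fd = try_raw_socket(&err);

    printf("CAP_NET_RAW effective: %s\n",
           has < 0 ? "unknown" : (has ? "yes" : "no"));
    printf("socket(PF_INET, SOCK_RAW, IPPROTO_TCP): %s (%s)\n",
           fd == -1 ? "failed" : "ok", diagnose(err));
    if (fd != -1)
        close(fd);
    return 0;
}
```

Run it once as the unprivileged user and once as root. An SELinux `allow ... self:capability net_raw;` rule only permits the use of a capability the process already holds; it does not grant CAP_NET_RAW to a process that lacks it, so an unprivileged process gets EPERM from the kernel before SELinux is consulted and no avc message is logged. If the result is EACCES with a silent audit log, a dontaudit rule may be hiding the denial; `semodule -DB` rebuilds the policy with dontaudit rules disabled so the denial becomes visible.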