I have read somewhere, where I can't remember, that 2.6 kernels only allow raw sockets to be opened by root. You may need to write a proxy daemon to provide access to the socket from unprivileged accounts.

-Ross

> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of S Roderick
> Sent: Friday, March 07, 2008 4:40 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
>
> It runs fine under root and with sudo.
> S
>
> On Mar 7, 2008, at 15:33 , Ross S. W. Walker wrote:
>
> > Does it run as 'root'?
> >
> > -Ross
> >
> >> -----Original Message-----
> >> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of S Roderick
> >> Sent: Friday, March 07, 2008 3:28 PM
> >> To: CentOS mailing list
> >> Subject: Re: [CentOS] Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
> >>
> >> Does anyone have any idea on this one? Based on everything we've tried with kernel capabilities and SE Linux parameters, we're missing something. Have tried everything we can find online.
> >>
> >> Thanks
> >> Stephen
> >>
> >> On Mar 3, 2008, at 09:14 , S Roderick wrote:
> >>
> >>> I am wondering what is the interaction between SE Linux and the kernel "capabilities" in CentOS 5.1? I'm trying to open a raw socket and keep getting permission denied errors. I've tried using the lcap library to find that CAP_SETPCAP appears to be off in the kernel. For compliance reasons, I don't want to turn this on. I've also tried a hand-crafted SE Linux module policy. I have verified that the test program runs in the correct SE Linux domain and it generates no audit errors, but it still fails to open the port with permission denied.
> >>>
> >>> It appears that SE Linux is not preventing the socket being created (as evidenced by the lack of audit messages), so what am I missing? Do I still need to modify capabilities within the program, even if I'm using an SE Linux policy?
> >>>
> >>> Thanks
> >>> S
> >>>
> >>> Source file
> >>>
> >>> #include <stdio.h>
> >>> #include <unistd.h>
> >>> #include <errno.h>
> >>> #include <string.h>
> >>> #include <sys/socket.h>
> >>> #include <sys/types.h>
> >>> #include <sys/prctl.h>
> >>> #include <netinet/in.h>
> >>>
> >>> int
> >>> main(void)
> >>> {
> >>>     int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
> >>>     if (-1 == fd)
> >>>     {
> >>>         printf("Failed to open raw socket: %d=%s\n", errno,
> >>>                strerror(errno));
> >>>     }
> >>>     else
> >>>     {
> >>>         printf("Socket opened successfully\n");
> >>>         close(fd);
> >>>     }
> >>>     return 0;
> >>> }
> >>>
> >>>
> >>> SElinux .te file
> >>>
> >>> policy_module(rawsox,1.0.0)
> >>>
> >>> ########################################
> >>> # Declarations
> >>>
> >>> type rawsox_t;
> >>> type rawsox_exec_t;
> >>> domain_type(rawsox_t)
> >>> domain_entry_file(rawsox_t, rawsox_exec_t)
> >>> domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t)
> >>>
> >>> ########################################
> >>> # Rawsox local policy
> >>>
> >>> # these two didn't help
> >>> #corenet_raw_sendrecv_all_if( rawsox_t );
> >>> #corenet_raw_sendrecv_all_nodes( rawsox_t );
> >>>
> >>> require {
> >>>     type lib_t;
> >>>     type ld_so_t;
> >>>     type ld_so_cache_t;
> >>>     type usr_t;
> >>>     type devpts_t;
> >>>     type rawsox_t;
> >>>     type etc_t;
> >>>     class lnk_file read;
> >>>     class dir search;
> >>>     class file { read getattr execute };
> >>>     class chr_file { read write getattr };
> >>>     class rawip_socket create;
> >>>     class capability net_raw;
> >>> }
> >>>
> >>> #============= rawsox_t ==============
> >>> allow rawsox_t devpts_t:chr_file { read write getattr };
> >>> allow rawsox_t etc_t:dir search;
> >>> allow rawsox_t ld_so_cache_t:file { read getattr };
> >>> allow rawsox_t ld_so_t:file read;
> >>> allow rawsox_t lib_t:dir search;
> >>> allow rawsox_t lib_t:file { read getattr execute };
> >>> allow rawsox_t lib_t:lnk_file read;
> >>> allow rawsox_t usr_t:dir search;
> >>>
> >>> allow rawsox_t self:capability { net_raw setuid };
> >>> allow rawsox_t self:rawip_socket { create ioctl read write bind getopt setopt };
> >>> allow rawsox_t self:unix_stream_socket { create_socket_perms };
> >>>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
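Added example, not code from the thread or from the CentOS project: a diagnostic version of Stephen's test program that shows why a correct SELinux policy on its own is not enough. The kernel's own check in inet_create() requires CAP_NET_RAW in the caller's effective capability set and fails with EPERM when it is missing; SELinux is a second, independent check that can only deny (EACCES, with an AVC in the audit log), it never grants the capability. So an unprivileged process in a perfectly written rawsox_t domain still gets EPERM with no audit message, exactly the symptom in the thread, while root (or a process holding CAP_NET_RAW some other way) succeeds. The program reads the effective mask from /proc/self/status (Linux only, /proc assumed mounted), reports whether bit 13, CAP_NET_RAW from <linux/capability.h>, is set, then attempts the raw socket and names the layer that refused it. The function names and the wording of the explanations are mine.

```c
/* Added example: tell a kernel capability denial (EPERM) apart from an
 * SELinux denial (EACCES) when opening a raw socket. Linux only. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define CAP_NET_RAW_BIT 13   /* CAP_NET_RAW in <linux/capability.h> */

/* Parse the hex mask of a "CapEff:\t0000000000002000" line (the prefix
 * is optional) and return 1 if capability bit `cap` is set, 0 if clear,
 * -1 on a malformed mask or bit number. */
int cap_in_mask(const char *mask, int cap)
{
    const char *p = strchr(mask, ':');
    char *end;
    unsigned long long v;

    if (cap < 0 || cap > 63)
        return -1;
    p = p ? p + 1 : mask;
    while (*p == ' ' || *p == '\t')
        p++;
    errno = 0;
    v = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return -1;
    return (int)((v >> cap) & 1ULL);
}

/* Look up CAP_NET_RAW in the calling process's effective set.
 * Returns 1/0, or -1 if /proc/self/status cannot be read. */
int have_net_raw(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int rc = -1;

    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            rc = cap_in_mask(line, CAP_NET_RAW_BIT);
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Map the errno from a failed socket(PF_INET, SOCK_RAW, ...) to the
 * layer that refused it. */
const char *explain_raw_socket_errno(int err)
{
    switch (err) {
    case EPERM:
        return "kernel capability check failed: CAP_NET_RAW is not in the "
               "effective set (root, or a process granted the capability, "
               "is required); SELinux policy cannot add it";
    case EACCES:
        return "LSM denied the create: look in /var/log/audit/audit.log "
               "for an AVC on rawip_socket create or capability net_raw";
    case EPROTONOSUPPORT:
        return "protocol not supported for SOCK_RAW";
    default:
        return "other failure";
    }
}

/* Try to open and immediately close a raw IPv4 socket.
 * Returns 0 on success, -1 on failure with errno stored in *err_out. */
int try_raw_socket(int protocol, int *err_out)
{
    int fd = socket(PF_INET, SOCK_RAW, protocol);

    if (fd < 0) {
        if (err_out)
            *err_out = errno;
        return -1;
    }
    close(fd);
    if (err_out)
        *err_out = 0;
    return 0;
}

int main(void)
{
    int eff = have_net_raw();
    int err = 0;

    printf("uid=%u euid=%u CAP_NET_RAW effective: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           eff < 0 ? "unknown" : (eff ? "yes" : "no"));
    if (try_raw_socket(IPPROTO_TCP, &err) == 0) {
        puts("raw socket opened successfully");
        return 0;
    }
    printf("socket(PF_INET, SOCK_RAW, IPPROTO_TCP) failed: %d=%s\n%s\n",
           err, strerror(err), explain_raw_socket_errno(err));
    return 1;
}
```

Run it once as the unprivileged user and once under sudo: the first run prints "CAP_NET_RAW effective: no" and EPERM, the second prints "yes" and succeeds, with no AVC either way. That is the check that separates "the policy is wrong" from "the process lacks the capability".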