[CentOS] Unable to open raw socket in CentOS 5 - SE Linux and kernel capability interaction?

Fri Mar 7 21:44:04 UTC 2008
Ross S. W. Walker <rwalker at medallion.com>

I have read somewhere, where I can't remember, that 2.6
kernels only allow raw sockets to be opened by root.

You may need to write a proxy daemon to provide
access to the socket from unprivileged accounts.

-Ross

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of S Roderick
> Sent: Friday, March 07, 2008 4:40 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] Unable to open raw socket in CentOS 5 - SE 
> Linux and kernel capability interaction?
> 
> It runs fine under root and with sudo.
> S
> 
> On Mar 7, 2008, at 15:33 , Ross S. W. Walker wrote:
> 
> >
> > Does it run as 'root'?
> >
> > -Ross
> >
> >
> >> -----Original Message-----
> >> From: centos-bounces at centos.org
> >> [mailto:centos-bounces at centos.org] On Behalf Of S Roderick
> >> Sent: Friday, March 07, 2008 3:28 PM
> >> To: CentOS mailing list
> >> Subject: Re: [CentOS] Unable to open raw socket in CentOS 5 - SE
> >> Linux and kernel capability interaction?
> >>
> >> Does anyone have any idea on this one? Based on everything
> >> we've tried with kernel capabilities and SE Linux parameters,
> >> we're missing something. Have tried everything we can find online.
> >>
> >> Thanks
> >> Stephen
> >>
> >> On Mar 3, 2008, at 09:14 , S Roderick wrote:
> >>
> >>> I am wondering what is the interaction between SE Linux and the
> >>> kernel "capabilities" in CentOS 5.1? I'm trying to open a
> >>> raw socket and keep getting permission denied errors. I've tried
> >>> using the lcap library to find that CAP_SETPCAP appears to be off
> >>> in the kernel. For compliance reasons, I don't want to turn this
> >>> on. I've also tried a hand-crafted SE Linux module policy. I have
> >>> verified that the test program runs in the correct SE Linux domain
> >>> and it generates no audit errors, but it still fails to open the
> >>> port with permission denied.
> >>>
> >>> It appears that SE Linux is not preventing the socket being
> >>> created (as evidenced by the lack of audit messages), so what am I
> >>> missing? Do I still need to modify capabilities within the
> >>> program, even if I'm using an SE Linux policy?
> >>>
> >>> Thanks
> >>> S
> >>>
> >>> Source file
> >>>
> >>> #include <stdio.h>
> >>> #include <unistd.h>
> >>> #include <errno.h>
> >>> #include <string.h>
> >>> #include <sys/socket.h>
> >>> #include <sys/types.h>
> >>> #include <sys/prctl.h>
> >>> #include <netinet/in.h>
> >>>
> >>> int
> >>> main(void)
> >>> {
> >>> 	int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
> >>> 	if (-1 == fd)
> >>> 	{
> >>> 		printf("Failed to open raw socket: %d=%s\n", errno,
> >>> strerror(errno));
> >>> 	}
> >>> 	else
> >>> 	{
> >>> 		printf("Socket opened successfully\n");
> >>> 		close(fd);
> >>> 	}
> >>> 	return 0;
> >>> }
> >>>
> >>>
> >>> SElinux .te file
> >>>
> >>> policy_module(rawsox,1.0.0)
> >>>
> >>> ########################################
> >>> # Declarations
> >>>
> >>> type rawsox_t;
> >>> type rawsox_exec_t;
> >>> domain_type(rawsox_t)
> >>> domain_entry_file(rawsox_t, rawsox_exec_t)
> >>> domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t)
> >>>
> >>> ########################################
> >>> # Rawsox local policy
> >>>
> >>> # these two didn't help
> >>> #corenet_raw_sendrecv_all_if( rawsox_t );
> >>> #corenet_raw_sendrecv_all_nodes( rawsox_t );
> >>>
> >>> require {
> >>>      type lib_t;
> >>>      type ld_so_t;
> >>>      type ld_so_cache_t;
> >>>      type usr_t;
> >>>      type devpts_t;
> >>>      type rawsox_t;
> >>>      type etc_t;
> >>>      class lnk_file read;
> >>>      class dir search;
> >>>      class file { read getattr execute };
> >>>      class chr_file { read write getattr };
> >>>      class rawip_socket create;
> >>>      class capability net_raw;
> >>> }
> >>>
> >>> #============= rawsox_t ==============
> >>> allow rawsox_t devpts_t:chr_file { read write getattr };
> >>> allow rawsox_t etc_t:dir search;
> >>> allow rawsox_t ld_so_cache_t:file { read getattr };
> >>> allow rawsox_t ld_so_t:file read;
> >>> allow rawsox_t lib_t:dir search;
> >>> allow rawsox_t lib_t:file { read getattr execute };
> >>> allow rawsox_t lib_t:lnk_file read;
> >>> allow rawsox_t usr_t:dir search;
> >>>
> >>> allow rawsox_t self:capability { net_raw setuid };
> >>> allow rawsox_t self:rawip_socket { create ioctl read write bind
> >>> getopt setopt };
> >>> allow rawsox_t self:unix_stream_socket { create_socket_perms };
> >>>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
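A diagnostic added here, not code from the thread: an SELinux allow rule such as `allow rawsox_t self:capability net_raw` only permits a capability the process already holds, it never grants CAP_NET_RAW to an unprivileged process, so the missing capability is caught by the kernel's own check with no AVC message. The program reads the effective capability set from /proc/self/status and maps the errno from a failed raw socket() to the layer that refused it; the CAP_NET_RAW bit index (13) and the EPERM-versus-EACCES split are taken from the Linux inet_create() and SELinux code paths and are assumed to hold on the CentOS 5 kernel.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define CAP_NET_RAW 13   /* bit index from <linux/capability.h> */

/* Parse one "CapEff:\t<hex>" line from /proc/self/status into a bitmask. */
uint64_t parse_capeff_line(const char *line)
{
    if (strncmp(line, "CapEff:", 7) != 0)
        return 0;
    return strtoull(line + 7, NULL, 16);
}

int has_cap(uint64_t mask, int cap) { return (int)((mask >> cap) & 1ULL); }

/* Effective capability set of the calling process, read from procfs. */
uint64_t effective_caps(void)
{
    char line[256]; uint64_t mask = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "CapEff:", 7) == 0) {
            mask = parse_capeff_line(line);
            break;
        }
    fclose(f);
    return mask;
}

/* A process that simply lacks CAP_NET_RAW fails the DAC capability check in
 * inet_create() with EPERM and no AVC record; an SELinux denial of
 * rawip_socket create instead returns EACCES and logs an AVC entry. */
const char *explain_raw_socket_errno(int err)
{
    if (err == EPERM)  return "EPERM: CAP_NET_RAW not in CapEff (not an SELinux denial)";
    if (err == EACCES) return "EACCES: denied by SELinux, look for an AVC in the audit log";
    return "other error";
}

int main(void)
{
    printf("CAP_NET_RAW held: %s\n", has_cap(effective_caps(), CAP_NET_RAW) ? "yes" : "no");
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
    if (fd == -1) { printf("raw socket failed: %s\n", explain_raw_socket_errno(errno)); return 1; }
    close(fd);
    return 0;
}
```

Run it once as the unprivileged user and once as root: the first report shows "no" and EPERM with nothing in audit.log, which is exactly the symptom described in the thread.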
