[CentOS] Unable open raw socket in CentOS 5 - SE Linux and kernelcapability interaction?

Fri Mar 7 22:59:04 UTC 2008
Ross S. W. Walker <rwalker at medallion.com>

The raw socket option in the kernel only allows privileged processes to open them.

Selinux controls which privileged processes have the right to.

To allow an unprivileged process to access a raw socket you will need to write a proxy daemon that runs privileged and is allowed in selinux to create a raw socket. This daemon can then provide a unix socket to unprivileged processes whose access can be granted with it's security modes and ownership either manually or through udev.

-Ross


----- Original Message -----
From: centos-bounces at centos.org <centos-bounces at centos.org>
To: CentOS mailing list <centos at centos.org>
Sent: Fri Mar 07 17:44:15 2008
Subject: Re: [CentOS] Unable open raw socket in CentOS 5 - SE Linux and kernelcapability interaction?

What are your current SELinux settings??

cat /etc/selinux/config

S Roderick wrote:
> Does anyone have any idea on this one? Based on everything we've tried 
> with kernel capabilities and SE Linux parameters, we're missing 
> something. Have tried everything we can find online.
>
> Thanks
> Stephen
>
> On Mar 3, 2008, at 09:14 , S Roderick wrote:
>
>> I am wondering what is the interaction between SE Linux and the 
>> kernel "capabilities" in CentOS 5.1? I'm trying to open a raw socket 
>> and keep getting permission denied errors. I've tried using the lcap 
>> library to find that CAP_SETPCAP appears to be off in the kernel. For 
>> compliance reasons, I don't want to turn this on. I've also tried a 
>> hand-crafted SE Linux module policy. I have verified that the test 
>> program runs in the correct SE Linux domain and it generates no audit 
>> errors, but it still fails to open the port with permission denied.
>>
>> It appears that SE Linux is not preventing the socket being created 
>> (as evidenced by the lack of audit messages), so what am I missing? 
>> Do I still need to modify capabilities within the program, even if 
>> I'm using an SE Linux policy?
>>
>> Thanks
>> S
>>
>> Source file
>>
>> #include <stdio.h>
>> #include <unistd.h>
>> #include <errno.h>
>> #include <string.h>
>> #include <sys/socket.h>
>> #include <sys/types.h>
>> #include <sys/prctl.h>
>> #include <netinet/in.h>
>>
>> int
>> main(void)
>> {
>>     int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
>>     if (-1 == fd)
>>     {
>>         printf("Failed to open raw socket: %d=%s\n", errno, 
>> strerror(errno));
>>     }
>>     else
>>     {
>>         printf("Socket opened successfully\n");
>>         close(fd);
>>     }
>>     return 0;
>> }
>>
>>
>> SElinux .te file
>>
>> policy_module(rawsox,1.0.0)
>>
>> ########################################
>> # Declarations
>>
>> type rawsox_t;
>> type rawsox_exec_t;
>> domain_type(rawsox_t)
>> domain_entry_file(rawsox_t, rawsox_exec_t)
>> domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t)
>>
>> ########################################
>> # Rawsox local policy
>>
>> # these two didn't help
>> #corenet_raw_sendrecv_all_if( rawsox_t );
>> #corenet_raw_sendrecv_all_nodes( rawsox_t );
>>
>> require {
>>       type lib_t;
>>       type ld_so_t;
>>       type ld_so_cache_t;
>>       type usr_t;
>>       type devpts_t;
>>       type rawsox_t;
>>       type etc_t;
>>       class lnk_file read;
>>       class dir search;
>>       class file { read getattr execute };
>>       class chr_file { read write getattr };
>>       class rawip_socket create;
>>     class capability net_raw;
>> }
>>
>> #============= rawsox_t ==============
>> allow rawsox_t devpts_t:chr_file { read write getattr };
>> allow rawsox_t etc_t:dir search;
>> allow rawsox_t ld_so_cache_t:file { read getattr };
>> allow rawsox_t ld_so_t:file read;
>> allow rawsox_t lib_t:dir search;
>> allow rawsox_t lib_t:file { read getattr execute };
>> allow rawsox_t lib_t:lnk_file read;
>> allow rawsox_t usr_t:dir search;
>>
>> allow rawsox_t self:capability { net_raw setuid };
>> allow rawsox_t self:rawip_socket { create ioctl read write bind 
>> getopt setopt };
>> allow rawsox_t self:unix_stream_socket { create_socket_perms };
>>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos

______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20080307/9de1cb69/attachment-0005.html>