The raw socket option in the kernel only allows privileged processes to open them. SELinux controls which privileged processes have the right to. To allow an unprivileged process to access a raw socket you will need to write a proxy daemon that runs privileged and is allowed in SELinux to create a raw socket. This daemon can then provide a unix socket to unprivileged processes whose access can be granted with its security modes and ownership either manually or through udev.

-Ross

----- Original Message -----
From: centos-bounces at centos.org <centos-bounces at centos.org>
To: CentOS mailing list <centos at centos.org>
Sent: Fri Mar 07 17:44:15 2008
Subject: Re: [CentOS] Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?

What are your current SELinux settings??

cat /etc/selinux/config

S Roderick wrote:
> Does anyone have any idea on this one? Based on everything we've tried
> with kernel capabilities and SE Linux parameters, we're missing
> something. Have tried everything we can find online.
>
> Thanks
> Stephen
>
> On Mar 3, 2008, at 09:14 , S Roderick wrote:
>
>> I am wondering what is the interaction between SE Linux and the
>> kernel "capabilities" in CentOS 5.1? I'm trying to open a raw socket
>> and keep getting permission denied errors. I've tried using the lcap
>> library to find that CAP_SETPCAP appears to be off in the kernel. For
>> compliance reasons, I don't want to turn this on. I've also tried a
>> hand-crafted SE Linux module policy. I have verified that the test
>> program runs in the correct SE Linux domain and it generates no audit
>> errors, but it still fails to open the port with permission denied.
>>
>> It appears that SE Linux is not preventing the socket being created
>> (as evidenced by the lack of audit messages), so what am I missing?
>> Do I still need to modify capabilities within the program, even if
>> I'm using an SE Linux policy?
>>
>> Thanks
>> S
>>
>> Source file
>>
>> #include <stdio.h>
>> #include <unistd.h>
>> #include <errno.h>
>> #include <string.h>
>> #include <sys/socket.h>
>> #include <sys/types.h>
>> #include <sys/prctl.h>
>> #include <netinet/in.h>
>>
>> int
>> main(void)
>> {
>>     /* needs CAP_NET_RAW (and the SELinux rawip_socket create permission) */
>>     int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
>>     if (-1 == fd)
>>     {
>>         printf("Failed to open raw socket: %d=%s\n", errno,
>>                strerror(errno));
>>     }
>>     else
>>     {
>>         printf("Socket opened successfully\n");
>>         close(fd);
>>     }
>>     return 0;
>> }
>>
>>
>> SElinux .te file
>>
>> policy_module(rawsox,1.0.0)
>>
>> ########################################
>> # Declarations
>>
>> type rawsox_t;
>> type rawsox_exec_t;
>> domain_type(rawsox_t)
>> domain_entry_file(rawsox_t, rawsox_exec_t)
>> domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t)
>>
>> ########################################
>> # Rawsox local policy
>>
>> # these two didn't help
>> #corenet_raw_sendrecv_all_if( rawsox_t );
>> #corenet_raw_sendrecv_all_nodes( rawsox_t );
>>
>> require {
>>     type lib_t;
>>     type ld_so_t;
>>     type ld_so_cache_t;
>>     type usr_t;
>>     type devpts_t;
>>     type rawsox_t;
>>     type etc_t;
>>     class lnk_file read;
>>     class dir search;
>>     class file { read getattr execute };
>>     class chr_file { read write getattr };
>>     class rawip_socket create;
>>     class capability net_raw;
>> }
>>
>> #============= rawsox_t ==============
>> allow rawsox_t devpts_t:chr_file { read write getattr };
>> allow rawsox_t etc_t:dir search;
>> allow rawsox_t ld_so_cache_t:file { read getattr };
>> allow rawsox_t ld_so_t:file read;
>> allow rawsox_t lib_t:dir search;
>> allow rawsox_t lib_t:file { read getattr execute };
>> allow rawsox_t lib_t:lnk_file read;
>> allow rawsox_t usr_t:dir search;
>>
>> allow rawsox_t self:capability { net_raw setuid };
>> allow rawsox_t self:rawip_socket { create ioctl read write bind
>>     getopt setopt };
>> allow rawsox_t self:unix_stream_socket { create_socket_perms };
>>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
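The proxy-daemon design Ross describes at the top of the thread normally hands the privileged raw socket to the unprivileged client by passing the descriptor over the UNIX socket with SCM_RIGHTS; the daemon keeps CAP_NET_RAW and its own SELinux domain, the client only ever holds the resulting fd. The code below is an added example, not code from this thread: the names send_fd, recv_fd and demo_pass_fd are my own, and the self-check substitutes unprivileged AF_UNIX sockets for the raw socket so it runs without CAP_NET_RAW.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>
/* Control-message buffer sized for exactly one passed descriptor. */
union fd_cmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };
/* Daemon side: pass an open fd (its raw socket) over a connected UNIX socket. */
int send_fd(int unix_sock, int fd_to_send)
{
    char byte = 'F';                 /* SCM_RIGHTS needs one byte of payload */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_cmsg u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(unix_sock, &msg, 0) == 1 ? 0 : -1;
}
/* Client side: returns the received fd, or -1 unless the message carries
   exactly one untruncated SCM_RIGHTS descriptor. */
int recv_fd(int unix_sock)
{
    char byte; int fd;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_cmsg u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(unix_sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS ||
        cm->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}
/* Self-check needing no CAP_NET_RAW: a socketpair stands in for the daemon's UNIX
   socket, an AF_UNIX datagram socket for the raw socket (constructed stand-ins).
   Returns 1 if the client received a distinct fd for the same open socket. */
int demo_pass_fd(void)
{
    int pair[2], orig, got, same; struct stat a, b;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) return 0;
    orig = socket(AF_UNIX, SOCK_DGRAM, 0);
    got = (orig != -1 && send_fd(pair[0], orig) == 0) ? recv_fd(pair[1]) : -1;
    same = got != -1 && got != orig && fstat(orig, &a) == 0 &&
           fstat(got, &b) == 0 && a.st_ino == b.st_ino && a.st_dev == b.st_dev;
    close(orig); close(got); close(pair[0]); close(pair[1]); return same;
}
```

In the real daemon the descriptor handed over would come from socket(PF_INET, SOCK_RAW, ...) executed under the privileged domain, and who may connect to the listening UNIX socket is decided by that socket's ownership and mode, exactly as Ross describes.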