[CentOS] Unable open raw socket in CentOS 5 - SE Linux and kernelcapability interaction?

Fri Mar 7 23:20:18 UTC 2008
S Roderick <kiwi.net at mac.com>

> The raw socket option in the kernel only allows privileged processes  
> to open them.
> Selinux controls which privileged processes have the right to.
> To allow an unprivileged process to access a raw socket you will  
> need to write a proxy daemon that runs privileged and is allowed in  
> selinux to create a raw socket. This daemon can then provide a unix  
> socket to unprivileged processes whose access can be granted with  
> its security modes and ownership either manually or through udev.
I thought that both the kernel capability approach and SE Linux were  
designed to do just this: allow a typically "unprivileged" process  
access to a restricted subset of capabilities that normally require  
root privilege. Is this not correct?

In your last paragraph above, when you say "unprivileged process" do  
you mean a standard unix process (i.e. an "unconfined_t" process in  
CentOS SE Linux) or do you mean any non-root process? My understanding  
was (and please correct me if I'm wrong) that I can take a known  
process (e.g. many online examples use 'ping') and provide it with  
additional privileges (e.g. raw socket access) that a non-root (in that  
sense, unprivileged) process normally wouldn't have.
> ----- Original Message -----
> From: centos-bounces at centos.org <centos-bounces at centos.org>
> To: CentOS mailing list <centos at centos.org>
> Sent: Fri Mar 07 17:44:15 2008
> Subject: Re: [CentOS] Unable open raw socket in CentOS 5 - SE Linux  
> and kernelcapability interaction?
> What are your current SELinux settings??
> cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.

# SETLOCALDEFS= Check local definition changes
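The question in this thread is which of the two layers (the kernel's CAP_NET_RAW check or the SELinux policy) is actually refusing the raw socket. The two refusals are distinguishable from userspace because they return different errno values: inet_create() returns EPERM when the caller lacks CAP_NET_RAW, while an SELinux AVC denial of the socket create returns EACCES. The probe below is an added example written for this archive page, not code posted by anyone in the thread; it assumes Linux with /proc/self/status available and uses the capability number CAP_NET_RAW == 13 from <linux/capability.h>. It reads the process's own effective capability set, attempts to open an ICMP raw socket, and reports which layer most likely refused it.

```c
/* Added diagnostic example (not from the thread). Assumes Linux,
 * /proc/self/status present, and CAP_NET_RAW == 13 as in <linux/capability.h>. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define CAP_NET_RAW_BIT 13   /* capability number of CAP_NET_RAW */

/* Parse the CapEff line of a /proc/<pid>/status dump.
 * Returns 1 if CAP_NET_RAW is in the effective set, 0 if not,
 * -1 if the CapEff line is absent from the text. */
int capeff_has_net_raw(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return -1;
    /* strtoull skips the tab after "CapEff:" and parses the hex bitmask */
    unsigned long long caps = strtoull(p + 7, NULL, 16);
    return (int)((caps >> CAP_NET_RAW_BIT) & 1ULL);
}

/* Map the errno from a failed socket(AF_INET, SOCK_RAW, ...) to the layer
 * that refused it: the kernel capability check uses EPERM, an LSM (SELinux)
 * AVC denial uses EACCES. */
const char *diagnose_raw_socket_errno(int err)
{
    switch (err) {
    case 0:      return "raw socket opened";
    case EPERM:  return "EPERM: kernel capability check failed (caller lacks CAP_NET_RAW)";
    case EACCES: return "EACCES: SELinux denied the socket create; look for an AVC in audit.log";
    default:     return "other error (not a permission problem)";
    }
}

/* Try to open an ICMP raw socket. Returns 0 on success (descriptor is closed
 * again) or the errno the kernel reported. */
int probe_raw_socket(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Read this process's own /proc/self/status into buf; returns bytes read or -1. */
static int read_self_status(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (int)n;
}

int main(void)
{
    char status[8192];
    if (read_self_status(status, sizeof status) > 0)
        printf("CAP_NET_RAW in effective set: %d\n", capeff_has_net_raw(status));
    int err = probe_raw_socket();
    printf("socket(AF_INET, SOCK_RAW, IPPROTO_ICMP): %s\n",
           diagnose_raw_socket_errno(err));
    return err ? 1 : 0;
}
```

Run it once as an ordinary user and once as root: if the unprivileged run prints EPERM, the capability check is the barrier and no SELinux change will help; if it prints EACCES while CapEff shows bit 13 set, the capability is present and the SELinux domain of the process is what needs adjusting, which the AVC record in audit.log will name.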
