>> I was hoping that either via kernel capabilities or SE Linux we
>> could avoid this. Both seem to offer exactly the feature we want,
>> opening raw sockets from unprivileged accounts. But it's really
>> unclear from all the docs online how these two interact. Best we
>> could do was try all the examples and approaches we could find - none
>> worked.
>>
>> I guess I can try trolling the kernel source ... ugh! ... to see if
>> your recollection is correct. I certainly hope there is another
>> option ...
>>
>> Thanks
>> S
>
> I think Ross is right. At my last contract with IBM some years back, we
> were doing some raw socket stuff. ISTR that we had no problems because
> we were real root applications. IIRC, docs specified root privileges.

I completely agree with the fact that raw sockets require root privilege;
that is the situation we're currently in and don't want to continue with.
But am I then completely misunderstanding when I think that SE Linux can
allow non-root access to certain "normally root only" capabilities, on a
per-process basis? Certainly all the ping-related SE Linux examples online
show precisely this: provide access to raw sockets for a non-root process.

S
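The question above comes down to which check the kernel actually performs. On Linux, socket(AF_INET, SOCK_RAW, ...) is refused with EPERM unless the calling process holds CAP_NET_RAW in its effective capability set; SELinux can only restrict that further (its policy decides whether a domain may use the capability and create the socket class), it cannot grant the capability to a process that lacks it. The ping examples work because the ping binary is setuid-root or carries a file capability, and the policy then permits its domain to use CAP_NET_RAW. The following C program is an added example, not code from this thread or from any project it mentions: it reports whether CAP_NET_RAW is effective (read from /proc/self/status) and whether a raw ICMP socket can be opened. The function names and the binary name rawcheck are this example's own assumptions.

```c
/* Added example, not code from the thread: report whether this process
 * holds CAP_NET_RAW and whether it can open a raw ICMP socket. The kernel
 * checks the capability, not UID 0; SELinux can only restrict further. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/capability.h>   /* CAP_NET_RAW (capability bit 13) */

/* Parse the CapEff line of /proc/self/status (the effective capability
 * bitmask, the same value `grep CapEff /proc/self/status` shows).
 * Returns 1 if CAP_NET_RAW is effective, 0 if not, -1 if unreadable. */
int has_cap_net_raw(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int result = -1;

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long eff = strtoull(line + 7, NULL, 16);
            result = (int)((eff >> CAP_NET_RAW) & 1ULL);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Try to open (and immediately close) a raw ICMP socket. Returns 0 on
 * success, otherwise the errno from socket(2): EPERM when the capability
 * check fails (no CAP_NET_RAW, or SELinux denies its use), EACCES when
 * SELinux denies creation of the raw socket class itself. */
int try_raw_socket(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    int cap = has_cap_net_raw();
    int err = try_raw_socket();

    printf("uid=%u euid=%u, CAP_NET_RAW effective: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           cap < 0 ? "unknown" : (cap ? "yes" : "no"));
    if (err == 0)
        printf("raw ICMP socket: opened\n");
    else
        printf("raw ICMP socket: refused (%s)\n", strerror(err));
    /* To grant only this capability to a non-root binary instead of
     * running it as root (assumed binary name):
     *     setcap cap_net_raw+ep ./rawcheck */
    return err == 0 ? 0 : 1;
}
```

Run it once as an ordinary user (expect "refused (Operation not permitted)"), then again after `setcap cap_net_raw+ep ./rawcheck` (expect "opened") to confirm that the capability, not UID 0, is what the kernel keys on. On an SELinux-enforcing host, a refusal while the capability is present shows up as an AVC denial in the audit log (class capability or rawip_socket), which is the signal that the policy, not the capability set, needs attention.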