[CentOS] Unable to open raw socket in CentOS 5 - SE Linux and kernel capability interaction?

Sat Mar 8 13:44:10 UTC 2008
S Roderick <kiwi.net at mac.com>

>>
>> I was hoping that either via kernel capabilities or SE Linux that we
>> could avoid this. Both seem to offer exactly the feature we want,
>> opening raw sockets from unprivileged accounts. But it's really
>> unclear from all the doc's online how these two interact. Best we
>> could do was try all the examples and approaches we could find - none
>> worked.
>>
>> I guess I can try trolling the kernel source ... ugh! ... to see if
>> your recollection is correct. I certainly hope there is another
>> option ...
>>
>> Thanks
>> S
>
> I think Ross is right. At my last contract with IBM some years back, we
> were doing some raw socket stuff. ISTR that we had no problems because
> we were real root applications. IIRC, docs specified root privileges.


I completely agree with the fact that raw sockets require root
privilege, that is the situation we're currently in and don't want to
continue with. But am I then completely misunderstanding when I think
that SE Linux can allow non-root access to certain "normally root
only" capabilities, on a per process basis? Certainly all the
ping-related SE Linux examples online all show precisely this: provide
access to raw sockets for a non-root process.

S