On Sat, Mar 08, 2008 at 08:44:10AM -0500, S Roderick enlightened us:
> >>I was hoping that either via kernel capabilities or SE Linux that we
> >>could avoid this. Both seem to offer exactly the feature we want,
> >>opening raw sockets from unprivileged accounts. But it's really
> >>unclear from all the docs online how these two interact. Best we
> >>could do was try all the examples and approaches we could find - none
> >>worked.
> >>
> >>I guess I can try trolling the kernel source ... ugh! ... to see if
> >>your recollection is correct. I certainly hope there is another
> >>option ...
> >>
> >>Thanks
> >>S
> >
> >I think Ross is right. At my last contract with IBM some years back,
> >we were doing some raw socket stuff. ISTR that we had no problems because
> >we were real root applications. IIRC, docs specified root privileges.
> >
> I completely agree with the fact that raw sockets require root
> privilege; that is the situation we're currently in and don't want to
> continue with. But am I then completely misunderstanding when I think
> that SE Linux can allow non-root access to certain "normally root
> only" capabilities, on a per process basis? Certainly all the
> ping-related SE Linux examples online show precisely this: provide
> access to raw sockets for a non-root process.
>

ping is suid root, though.

Matt

--
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263
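The distinction Matt draws (ping gaining raw-socket access through the setuid-root bit rather than as a genuinely unprivileged process) is worth checking on a given host, since a binary can also obtain that access through file capabilities such as cap_net_raw without being setuid at all. The shell function below is an added example, not part of the thread: it reports whether an executable is setuid (and to which owner), carries file capabilities (read with getcap from libcap, when it is installed), or neither. The ping path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: report how an executable gains privilege when run.
# Distinguishes the classic setuid-root bit from file capabilities
# (e.g. cap_net_raw), which let a non-root process open raw sockets
# without the whole binary running as root.
privilege_source() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "missing"
        return 1
    fi
    # Owner taken from the long listing; works on GNU and BSD userlands.
    owner=$(ls -ld "$path" | awk '{print $3}')
    caps=""
    # getcap ships with libcap and is absent on some systems, so probe first.
    if command -v getcap >/dev/null 2>&1; then
        caps=$(getcap "$path" 2>/dev/null)
    fi
    if [ -u "$path" ]; then
        # -u is the POSIX test for the setuid bit.
        if [ "$owner" = "root" ]; then
            echo "setuid-root"
        else
            echo "setuid-$owner"
        fi
    elif [ -n "$caps" ]; then
        echo "file-caps: $caps"
    else
        echo "none"
    fi
    return 0
}

# Usage (assumed path): check the ping binary on this host.
# privilege_source "$(command -v ping)"
```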