[CentOS] Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?

Sat Mar 8 14:55:16 UTC 2008
Matt Hyclak <hyclak at math.ohiou.edu>

On Sat, Mar 08, 2008 at 08:44:10AM -0500, S Roderick enlightened us:
> >>I was hoping that either via kernel capabilities or SE Linux that we
> >>could avoid this. Both seem to offer exactly the feature we want,
> >>opening raw sockets from unprivileged accounts. But it's really
> >>unclear from all the doc's online how these two interact. Best we
> >>could do was try all the examples and approaches we could find - none
> >>worked.
> >>
> >>I guess I can try trolling the kernel source ... ugh! ... to see if
> >>your recollection is correct. I certainly hope there is another
> >>option ...
> >>
> >>Thanks
> >>S
> >
> >I think Ross is right. At my last contract with IBM some years back, we
> >were doing some raw socket stuff. ISTR that we had no problems because
> >we were real root applications. IIRC, docs specified root privileges.
> 
> 
> I completely agree with the fact that raw sockets require root
> privilege, that is the situation we're currently in and don't want to
> continue with. But am I then completely misunderstanding when I think
> that SE Linux can allow non-root access to certain "normally root
> only" capabilities, on a per process basis? Certainly all the
> ping-related SE Linux examples online all show precisely this: provide
> access to raw sockets for a non-root process.
> 

ping is suid root, though.

Matt

-- 
Matt Hyclak
Department of Mathematics 
Department of Social Work
Ohio University
(740) 593-1263
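The distinction Matt draws (ping works for ordinary users because the binary is setuid root, not because SELinux or a capability grants CAP_NET_RAW to the user) is something an administrator can verify directly. The following script is an added example, not part of this thread; it classifies how an executable obtains its privilege: the setuid-root bit, file capabilities (via `getcap` from libcap, if installed), or neither. The `/bin/ping` path used in the usage line is a placeholder.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread). Reports whether a
# binary gets privileges such as CAP_NET_RAW from the setuid-root bit,
# from file capabilities, or from neither. getcap (libcap) is optional.

# classify SETUID OWNER_UID CAPS: pure function, prints a label.
#   SETUID is 1/0, OWNER_UID a numeric uid, CAPS the getcap output or "".
classify() {
    setuid=$1; owner=$2; caps=$3
    if [ "$setuid" = 1 ] && [ "$owner" = 0 ]; then
        echo setuid-root            # the classic ping case
    elif [ "$setuid" = 1 ]; then
        echo setuid-nonroot         # escalates to a non-root owner only
    elif [ -n "$caps" ]; then
        echo "filecaps:$caps"       # e.g. filecaps:cap_net_raw+ep
    else
        echo none                   # runs with the caller's privileges
    fi
}

# privilege_source FILE: gather the facts about FILE and classify them.
privilege_source() {
    f=$1
    [ -e "$f" ] || { echo missing; return 1; }
    if [ -u "$f" ]; then setuid=1; else setuid=0; fi   # POSIX test -u
    owner=$(ls -ldn "$f" | awk '{print $3}')           # numeric owner uid
    caps=""
    if command -v getcap >/dev/null 2>&1; then
        # getcap prints nothing for files without capabilities; the last
        # field is the capability set in either libcap output format
        caps=$(getcap "$f" 2>/dev/null | awk '{print $NF}')
    fi
    classify "$setuid" "$owner" "$caps"
}

# audit_paths FILE...: one line per path, for review of a host's binaries.
audit_paths() {
    for p in "$@"; do
        printf '%s\t%s\n' "$p" "$(privilege_source "$p")"
    done
}

# Usage (placeholder path): audit_paths /bin/ping
```

A result of `setuid-root` means the program runs with full root and must be audited as such; `filecaps:cap_net_raw+ep` is the least-privilege alternative that a later libcap and kernel offer in place of setuid.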