The raw socket option in the kernel only allows privileged processes
to open them.
SELinux controls which privileged processes have the right to.
To allow an unprivileged process to access a raw socket you will
need to write a proxy daemon that runs privileged and is allowed in
selinux to create a raw socket. This daemon can then provide a unix
socket to unprivileged processes whose access can be granted with
its security modes and ownership either manually or through udev.
I thought that both the kernel capability approach and SE Linux were
designed to do just this: allow a typically "unprivileged" process
access to a restricted subset of capabilities that normally require
root privilege. Is this not correct?
In your last paragraph above, when you say "unprivileged process" do
you mean a standard unix process (i.e. an "unconfined_t" process in
CentOS SE Linux) or do you mean any non-root process? My understanding
was (and please correct me if I'm wrong) that I can take a known
process (e.g. many online examples use 'ping') and provide it with
additional privileges (e.g. raw socket access) that a non-root (in that
sense, unprivileged) process normally wouldn't have.
----- Original Message -----
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: CentOS mailing list <[email protected]>
Sent: Fri Mar 07 17:44:15 2008
Subject: Re: [CentOS] Unable open raw socket in CentOS 5 - SE Linux
and kernel capability interaction?
What are your current SELinux settings??
cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
_______________________________________________
CentOS mailing list
[email protected]
http://lists.centos.org/mailman/listinfo/centos
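As an added example that is not part of this thread (and not code from CentOS or the kernel), the following Python script puts the three points of the exchange into checks a practitioner can run: decoding the CapEff mask from /proc/<pid>/status to see whether a process actually holds CAP_NET_RAW (capability number 13), probing the kernel's own raw-socket check by trying to open one, and restricting a privileged proxy daemon's Unix socket to one group by ownership and file mode, which is the access control the first reply describes. The function names (parse_cap_mask, has_capability, try_raw_socket, create_proxy_socket, proxy_socket_mode) and the /proc status fragments are assumptions and constructed samples, not values from the thread. One caveat worth knowing for the question about giving 'ping' extra privileges: per-file capabilities (setcap on the binary) arrived in mainline Linux 2.6.24, later than the 2.6.18 base CentOS 5 ships, so on that release the privileged proxy daemon is the design that works without running the client as root.

```python
"""Checks behind the raw-socket discussion (added example, not from the thread).

Assumed/hypothetical names: parse_cap_mask, has_capability, try_raw_socket,
create_proxy_socket, proxy_socket_mode. The /proc status fragments below are
constructed samples, not captured from a real host.
"""
import os
import re
import socket
import stat
import tempfile

# Capability number from <linux/capability.h>; CAP_NET_RAW is bit 13 of the mask.
CAP_NET_RAW = 13

# Constructed /proc/<pid>/status fragments (only the capability lines matter).
STATUS_ROOT = "Name:\tpingd\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
STATUS_NET_RAW_ONLY = "Name:\tpingd\nCapPrm:\t0000000000002000\nCapEff:\t0000000000002000\n"
STATUS_NO_CAPS = "Name:\tpingd\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"


def parse_cap_mask(status_text, field="CapEff"):
    """Return the hex capability mask for `field` (CapEff, CapPrm, CapInh) as an int."""
    m = re.search(r"^%s:\s*([0-9a-fA-F]+)\s*$" % field, status_text, re.MULTILINE)
    if m is None:
        raise ValueError("field %s not present in status text" % field)
    return int(m.group(1), 16)


def has_capability(status_text, cap, field="CapEff"):
    """True if capability number `cap` is set in the effective (or given) set."""
    return (parse_cap_mask(status_text, field) >> cap) & 1 == 1


def current_process_has_cap_net_raw():
    """Read our own /proc entry; None on hosts without /proc (non-Linux)."""
    try:
        with open("/proc/self/status") as fh:
            return has_capability(fh.read(), CAP_NET_RAW)
    except OSError:
        return None


def try_raw_socket():
    """Probe the kernel check the thread describes: EPERM means no CAP_NET_RAW."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except PermissionError:
        return False
    s.close()
    return True


def create_proxy_socket(path, gid=None):
    """Bind the daemon's Unix socket and restrict it to one group (mode 0660).

    This is the ownership-and-mode control from the first reply: only root and
    members of `gid` can connect, so they use the raw socket the privileged
    daemon holds without being granted CAP_NET_RAW themselves. The caller's
    own group is used when no gid is given (assumption for the demo).
    """
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    # Bind under a restrictive umask so the socket never exists world-accessible,
    # not even for the instant before the explicit chmod below.
    old_umask = os.umask(0o117)
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chown(path, -1, os.getgid() if gid is None else gid)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IWGRP)  # 0660
    srv.listen(1)
    return srv


def proxy_socket_mode(gid=None):
    """Demo helper: create the socket in a temp dir, return its mode bits, clean up."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "rawproxy.sock")
    srv = create_proxy_socket(path, gid)
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print("CAP_NET_RAW in constructed root status:", has_capability(STATUS_ROOT, CAP_NET_RAW))
    print("CAP_NET_RAW in constructed cap_net_raw-only status:",
          has_capability(STATUS_NET_RAW_ONLY, CAP_NET_RAW))
    print("this process holds CAP_NET_RAW (None if no /proc):", current_process_has_cap_net_raw())
    print("raw ICMP socket could be opened:", try_raw_socket())
    print("proxy socket mode: %o" % proxy_socket_mode())
```

Run as an ordinary user, try_raw_socket() returns False and the CapEff line of /proc/self/status decodes with bit 13 clear; run as root (or, on a kernel that supports it, from a binary given cap_net_raw) both checks flip, which is the quickest way to confirm whether a failure is the kernel's capability check or an SELinux denial logged separately in the audit log.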