RE: Unable open raw socket in CentOS 5 - SE Linux and kernelcapability interaction?




Does it run as 'root'?

-Ross
 

> -----Original Message-----
> From: centos-bounces@xxxxxxxxxx 
> [mailto:centos-bounces@xxxxxxxxxx] On Behalf Of S Roderick
> Sent: Friday, March 07, 2008 3:28 PM
> To: CentOS mailing list
> Subject: Re: Unable open raw socket in CentOS 5 - SE Linux and kernelcapability interaction?
> 
> Does anyone have any idea on this one? Based on everything 
> we've tried  
> with kernel capabilities and SE Linux parameters, we're missing  
> something. Have tried everything we can find online.
> 
> Thanks
> Stephen
> 
> On Mar 3, 2008, at 09:14 , S Roderick wrote:
> 
> > I am wondering what is the interaction between SE Linux and the
> > kernel "capabilities" in CentOS 5.1? I'm trying to open a raw socket
> > and keep getting permission denied errors. I've tried using the lcap
> > library to find that CAP_SETPCAP appears to be off in the kernel.
> > For compliance reasons, I don't want to turn this on. I've also
> > tried a hand-crafted SE Linux module policy. I have verified that
> > the test program runs in the correct SE Linux domain and it
> > generates no audit errors, but it still fails to open the port with
> > permission denied.
> >
> > It appears that SE Linux is not preventing the socket being created
> > (as evidenced by the lack of audit messages), so what am I missing?
> > Do I still need to modify capabilities within the program, even if
> > I'm using an SE Linux policy?
> >
> > Thanks
> > S
> >
> > Source file
> >
> > #include <stdio.h>
> > #include <unistd.h>
> > #include <errno.h>
> > #include <string.h>
> > #include <sys/socket.h>
> > #include <sys/types.h>
> > #include <sys/prctl.h>
> > #include <netinet/in.h>
> >
> > int
> > main(void)
> > {
> > 	int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
> > 	if (-1 == fd)
> > 	{
> > 		printf("Failed to open raw socket: %d=%s\n", errno, strerror(errno));
> > 	}
> > 	else
> > 	{
> > 		printf("Socket opened successfully\n");
> > 		close(fd);
> > 	}
> > 	return 0;
> > }
> >
> >
> > SElinux .te file
> >
> > policy_module(rawsox,1.0.0)
> >
> > ########################################
> > # Declarations
> >
> > type rawsox_t;
> > type rawsox_exec_t;
> > domain_type(rawsox_t)
> > domain_entry_file(rawsox_t, rawsox_exec_t)
> > domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t)
> >
> > ########################################
> > # Rawsox local policy
> >
> > # these two didn't help
> > #corenet_raw_sendrecv_all_if( rawsox_t );
> > #corenet_raw_sendrecv_all_nodes( rawsox_t );
> >
> > require {
> >       type lib_t;
> >       type ld_so_t;
> >       type ld_so_cache_t;
> >       type usr_t;
> >       type devpts_t;
> >       type rawsox_t;
> >       type etc_t;
> >       class lnk_file read;
> >       class dir search;
> >       class file { read getattr execute };
> >       class chr_file { read write getattr };
> >       class rawip_socket create;
> > 	class capability net_raw;
> > }
> >
> > #============= rawsox_t ==============
> > allow rawsox_t devpts_t:chr_file { read write getattr };
> > allow rawsox_t etc_t:dir search;
> > allow rawsox_t ld_so_cache_t:file { read getattr };
> > allow rawsox_t ld_so_t:file read;
> > allow rawsox_t lib_t:dir search;
> > allow rawsox_t lib_t:file { read getattr execute };
> > allow rawsox_t lib_t:lnk_file read;
> > allow rawsox_t usr_t:dir search;
> >
> > allow rawsox_t self:capability { net_raw setuid };
> > allow rawsox_t self:rawip_socket { create ioctl read write bind getopt setopt };
> > allow rawsox_t self:unix_stream_socket { create_socket_perms };
> >
> 
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
> 
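
The thread turns on which layer is refusing the socket. On Linux, inet_create() requires CAP_NET_RAW in the caller's effective capability set before it will hand out a SOCK_RAW socket and returns EPERM otherwise; SELinux is consulted inside that capability check (the capability:net_raw permission) and again at socket creation (rawip_socket create, which fails with EACCES and logs an AVC message). A policy allow rule can therefore only stop a denial, never grant a capability the process does not already hold, which is why Ross asks whether the program runs as root. The diagnostic below is an added example, not code from the thread: it reads the effective capability set with the raw capget(2) syscall (no libcap needed), repeats the socket() call from Stephen's program, and maps the resulting errno to the layer that said no. Function names are mine; it assumes a Linux host.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#include <netinet/in.h>

/* Test one capability bit in a 32-bit capability word (pure helper). */
int cap_bit_set(uint32_t word, int cap)
{
    return (word >> (cap & 31)) & 1u;
}

/* Read the calling thread's effective capabilities via capget(2).
 * Word 0 holds capabilities 0..31, which includes CAP_NET_RAW (13).
 * Returns 0 (no capabilities) if the syscall fails. */
uint32_t effective_caps_word0(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                       /* 0 = the calling thread */
    if (syscall(SYS_capget, &hdr, data) != 0) {
        if (errno != EINVAL)
            return 0;
        /* Older kernels (e.g. 2.6.18) write the version they support
         * into hdr.version and fail with EINVAL; retry with that. */
        if (syscall(SYS_capget, &hdr, data) != 0)
            return 0;
    }
    return data[0].effective;
}

int has_cap_net_raw(void)
{
    return cap_bit_set(effective_caps_word0(), CAP_NET_RAW);
}

/* The same call as the list post. Returns 0 on success (socket is closed
 * again immediately) or the errno value socket(2) produced. */
int try_raw_socket(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
    if (fd == -1)
        return errno;
    close(fd);
    return 0;
}

/* Which layer refused: "capability" = CAP_NET_RAW missing from the
 * effective set, or SELinux denied capability:net_raw (then an AVC
 * message is logged); "selinux" = the rawip_socket create hook denied
 * it (AVC message logged). No AVC message plus EPERM therefore means
 * the process simply lacks the capability, i.e. it is not root. */
const char *explain_raw_socket_errno(int err)
{
    switch (err) {
    case 0:      return "ok";
    case EPERM:  return "capability";
    case EACCES: return "selinux";
    default:     return "other";
    }
}

int main(void)
{
    int err = try_raw_socket();
    printf("uid=%u euid=%u CAP_NET_RAW effective: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           has_cap_net_raw() ? "yes" : "no");
    printf("socket(PF_INET, SOCK_RAW, IPPROTO_TCP): %s (%s)\n",
           err ? strerror(err) : "success", explain_raw_socket_errno(err));
    return err ? 1 : 0;
}
```

Run it once as the unprivileged user the service uses and once as root: the first line shows whether CAP_NET_RAW is in the effective set at all, and the second whether the kernel's capability check (EPERM) or the SELinux socket hook (EACCES) rejected the call. If the capability is absent and nothing appears in the audit log, no amount of policy editing will help; the process must obtain the capability first.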

