On Sat, Mar 08, 2008 at 08:44:10AM -0500, S Roderick enlightened us: > >>I was hoping that either via kernel capabilities or SE Linux that we > >>could avoid this. Both seem to offer exactly the feature we want, > >>opening raw sockets from unprivileged accounts. But it's really > >>unclear from all the doc's online how these two interact. Best we > >>could do was try all the examples and approaches we could find - none > >>worked. > >> > >>I guess I can try trolling the kernel source ... ugh! ... to see if > >>your recollection is correct. I certainly hope there is another > >>option ... > >> > >>Thanks > >>S > > > >I think Ross is right. At my last contract with IBM some years back, > >we > >were doing some raw socket stuff. ISTR that we had no problems because > >we were real root applications. IIRC, docs specified root privileges. > > > I completely agree with the fact that raw sockets require root > privilege, that is the situation we're currently in and don't want to > continue with. But am I then completely misunderstanding when I think > that SE Linux can allow non-root access to certain "normally root > only" capabilities, on a per process basis? Certainly all the ping- > related SE Linux examples online all show precisely this: provide > access to raw sockets for a non-root process. > ping is suid root, though. Matt -- Matt Hyclak Department of Mathematics Department of Social Work Ohio University (740) 593-1263 _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
Re: Unable open raw socket in CentOS 5 - SE Linux andkernelcapability interaction?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- To: CentOS mailing list <centos@xxxxxxxxxx>
- Subject: Re: Unable open raw socket in CentOS 5 - SE Linux andkernelcapability interaction?
- From: Matt Hyclak <hyclak@xxxxxxxxxxxxxx>
- Date: Sat, 8 Mar 2008 09:55:16 -0500
- Delivered-to: centos@xxxxxxxxxx
- In-reply-to: <D75D89B1-3ADD-45EA-B011-8BB73EFF8709@xxxxxxx>
- Mail-followup-to: CentOS mailing list <centos@xxxxxxxxxx>
- References: <A20E341B-C46F-42D9-B5BD-C48EA731B9E6@xxxxxxx> <F56E3BE1-9427-4DF8-A563-08D7BD87A1BA@xxxxxxx> <E2BB8074E5500C42984D980D4BD78EF901FAFFCB@xxxxxxxxxxxxxxxxxxxxx> <9D76E328-59F7-4621-AF1C-45DD3CE5D173@xxxxxxx> <E2BB8074E5500C42984D980D4BD78EF901FAFFD2@xxxxxxxxxxxxxxxxxxxxx> <36843F92-FB17-463A-B436-83DFE03CC3AC@xxxxxxx> <1204979624.7571.8.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <D75D89B1-3ADD-45EA-B011-8BB73EFF8709@xxxxxxx>
- User-agent: Mutt/1.4.1i
- Follow-Ups:
- References:
- Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
- From: S Roderick
- Re: Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
- From: S Roderick
- RE: Unable open raw socket in CentOS 5 - SE Linux and kernelcapability interaction?
- From: Ross S. W. Walker
- Re: Unable open raw socket in CentOS 5 - SE Linux and kernelcapability interaction?
- From: S Roderick
- RE: Unable open raw socket in CentOS 5 - SE Linux andkernelcapability interaction?
- From: Ross S. W. Walker
- Re: Unable open raw socket in CentOS 5 - SE Linux andkernelcapability interaction?
- From: S Roderick
- Re: Unable open raw socket in CentOS 5 - SE Linux andkernelcapability interaction?
- From: William L. Maltby
- Re: Unable open raw socket in CentOS 5 - SE Linux andkernelcapability interaction?
- From: S Roderick
- Unable open raw socket in CentOS 5 - SE Linux and kernel capability interaction?
- Prev by Date: Re: Syntax question: svn propset on multiple file types?
- Next by Date: Re: Getting JRE working in Firefox
- Previous by thread: Re: Unable open raw socket in CentOS 5 - SE Linux andkernelcapability interaction?
- Next by thread: Re: Unable open raw socket in CentOS 5 - SE Linux andkernelcapability interaction?
- Index(es):
 |