Re: Unable open raw socket in CentOS 5 - SE Linux andkernelcapability interaction?




I was hoping that either via kernel capabilities or SE Linux that we
could avoid this. Both seem to offer exactly the feature we want,
opening raw sockets from unprivileged accounts. But it's really
unclear from all the docs online how these two interact. Best we
could do was try all the examples and approaches we could find - none
worked.

I guess I can try trolling the kernel source ... ugh! ... to see if
your recollection is correct. I certainly hope there is another
option ...

Thanks
S

I think Ross is right. At my last contract with IBM some years back, we
were doing some raw socket stuff. ISTR that we had no problems because
we were real root applications. IIRC, docs specified root privileges.


I completely agree with the fact that raw sockets require root
privilege, that is the situation we're currently in and don't want to
continue with. But am I then completely misunderstanding when I think
that SE Linux can allow non-root access to certain "normally root
only" capabilities, on a per process basis? Certainly all the ping-
related SE Linux examples online all show precisely this: provide
access to raw sockets for a non-root process.


ping is suid root, though.

Agreed, ping normally is. But what the SE Linux examples are showing is that you can remove the potential security hole of having ping be suid root, and use a custom SE Linux module to allow it simply access to raw sockets. Then, compromising ping gets you only raw socket access and not full root access. At least, this is my understanding ...

S
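An added example, not code from anyone in this thread, that makes the capability/SELinux interaction concrete: the kernel's own check for a raw socket is CAP_NET_RAW in the caller's effective set, and SELinux policy can only deny further, never grant what that check refuses, so a non-root process gets raw sockets only through setuid root or a file capability on the binary (`setcap cap_net_raw+ep ./rawcheck`, which assumes the libcap tools and a kernel with file-capability support, Linux 2.6.24 and later). The file name and function names below are my own; the program reports the effective CAP_NET_RAW bit and the result of the socket call so you can see which layer is refusing.

```c
/* Added example (not from the thread): does this process hold CAP_NET_RAW,
 * and does socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) succeed without root? */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define CAP_NET_RAW_BIT 13   /* CAP_NET_RAW is capability number 13 */

/* 1 if CAP_NET_RAW is in the effective set, 0 if not, -1 on read error.
 * Parses the CapEff line of /proc/self/status (a 64-bit hex mask). */
int has_cap_net_raw(void)
{
    char line[256];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            unsigned long long mask = strtoull(line + 7, NULL, 16);
            fclose(f);
            return (int)((mask >> CAP_NET_RAW_BIT) & 1ULL);
        }
    }
    fclose(f);
    return -1;
}

/* 0 if a raw ICMP socket opens, else the errno. Without CAP_NET_RAW the
 * kernel returns EPERM; an SELinux denial on top of that shows as EACCES. */
int try_raw_socket(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    int cap = has_cap_net_raw(), rc = try_raw_socket();
    printf("uid=%d euid=%d CAP_NET_RAW=%s raw socket: %s\n",
           (int)getuid(), (int)geteuid(),
           cap == 1 ? "yes" : cap == 0 ? "no" : "unknown",
           rc == 0 ? "opened" : strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Run it once as an ordinary user (expect CAP_NET_RAW=no and EPERM), then after `setcap`, and the capability bit should flip to yes before the socket opens; if the bit is yes and you still get EACCES, the remaining denial is SELinux policy and will show up in the audit log.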

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
