CentOS - Mar 2008 - Unable open raw socket in CentOS 5 - SE Linux and kernelcapability interaction?

The raw socket option in the kernel only allows privileged processes to open
them.

Selinux controls which privileged processes have the right to.

To allow an unprivileged process to access a raw socket you will need to write a
proxy daemon that runs privileged and is allowed in selinux to create a raw
socket. This daemon can then provide a unix socket to unprivileged processes
whose access can be granted with it's security modes and ownership either
manually or through udev.

-Ross


----- Original Message -----
From: centos-bounces at centos.org <centos-bounces at centos.org>
To: CentOS mailing list <centos at centos.org>
Sent: Fri Mar 07 17:44:15 2008
Subject: Re: [CentOS] Unable open raw socket in CentOS 5 - SE Linux and
kernelcapability interaction?

What are your current SELinux settings??

cat /etc/selinux/config

S Roderick wrote:
> Does anyone have any idea on this one? Based on everything we've tried 
> with kernel capabilities and SE Linux parameters, we're missing 
> something. Have tried everything we can find online.
>
> Thanks
> Stephen
>
> On Mar 3, 2008, at 09:14 , S Roderick wrote:
>
>> I am wondering what is the interaction between SE Linux and the 
>> kernel "capabilities" in CentOS 5.1? I'm trying to open a
raw socket
>> and keep getting permission denied errors. I've tried using the
lcap
>> library to find that CAP_SETPCAP appears to be off in the kernel. For 
>> compliance reasons, I don't want to turn this on. I've also
tried a
>> hand-crafted SE Linux module policy. I have verified that the test 
>> program runs in the correct SE Linux domain and it generates no audit 
>> errors, but it still fails to open the port with permission denied.
>>
>> It appears that SE Linux is not preventing the socket being created 
>> (as evidenced by the lack of audit messages), so what am I missing? 
>> Do I still need to modify capabilities within the program, even if 
>> I'm using an SE Linux policy?
>>
>> Thanks
>> S
>>
>> Source file
>>
>> #include <stdio.h>
>> #include <unistd.h>
>> #include <errno.h>
>> #include <string.h>
>> #include <sys/socket.h>
>> #include <sys/types.h>
>> #include <sys/prctl.h>
>> #include <netinet/in.h>
>>
>> int
>> main(void)
>> {
>>     int fd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
>>     if (-1 == fd)
>>     {
>>         printf("Failed to open raw socket: %d=%s\n", errno, 
>> strerror(errno));
>>     }
>>     else
>>     {
>>         printf("Socket opened successfully\n");
>>         close(fd);
>>     }
>>     return 0;
>> }
>>
>>
>> SElinux .te file
>>
>> policy_module(rawsox,1.0.0)
>>
>> ########################################
>> # Declarations
>>
>> type rawsox_t;
>> type rawsox_exec_t;
>> domain_type(rawsox_t)
>> domain_entry_file(rawsox_t, rawsox_exec_t)
>> domain_auto_trans(unconfined_t,rawsox_exec_t,rawsox_t)
>>
>> ########################################
>> # Rawsox local policy
>>
>> # these two didn't help
>> #corenet_raw_sendrecv_all_if( rawsox_t );
>> #corenet_raw_sendrecv_all_nodes( rawsox_t );
>>
>> require {
>>       type lib_t;
>>       type ld_so_t;
>>       type ld_so_cache_t;
>>       type usr_t;
>>       type devpts_t;
>>       type rawsox_t;
>>       type etc_t;
>>       class lnk_file read;
>>       class dir search;
>>       class file { read getattr execute };
>>       class chr_file { read write getattr };
>>       class rawip_socket create;
>>     class capability net_raw;
>> }
>>
>> #============= rawsox_t =============>> allow rawsox_t
devpts_t:chr_file { read write getattr };
>> allow rawsox_t etc_t:dir search;
>> allow rawsox_t ld_so_cache_t:file { read getattr };
>> allow rawsox_t ld_so_t:file read;
>> allow rawsox_t lib_t:dir search;
>> allow rawsox_t lib_t:file { read getattr execute };
>> allow rawsox_t lib_t:lnk_file read;
>> allow rawsox_t usr_t:dir search;
>>
>> allow rawsox_t self:capability { net_raw setuid };
>> allow rawsox_t self:rawip_socket { create ioctl read write bind 
>> getopt setopt };
>> allow rawsox_t self:unix_stream_socket { create_socket_perms };
>>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos

______________________________________________________________________
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos/attachments/20080307/9de1cb69/attachment-0002.html>

>
> The raw socket option in the kernel only allows privileged processes  
> to open them.
>
>
> Selinux controls which privileged processes have the right to.
>
> To allow an unprivileged process to access a raw socket you will  
> need to write a proxy daemon that runs privileged and is allowed in  
> selinux to create a raw socket. This daemon can then provide a unix  
> socket to unprivileged processes whose access can be granted with  
> it's security modes and ownership either manually or through udev.
>
I thought that both the kernel capability approach and SE Linux were  
designed to do just this: allow a typically "unpriviledged" process  
access to a restricted subset of capabilities that normally require  
rootpriviledge. Is this not correct?

In your last paragraph above, when you say "unprivileged process" do  
you mean a standard unix process (ie an "unconfined_t" process in  
CentOS SE Linux) or do you mean any non-root process? My understanding  
was (and please correct me if I'm wrong), is that I can take a known  
process (eg many online examples use 'ping') and provide it with  
additional priviledges (eg raw socket access) that a non-root (in that  
sense, unprivileged) process normally wouldn't have.
>
> ----- Original Message -----
> From: centos-bounces at centos.org <centos-bounces at centos.org>
> To: CentOS mailing list <centos at centos.org>
> Sent: Fri Mar 07 17:44:15 2008
> Subject: Re: [CentOS] Unable open raw socket in CentOS 5 - SE Linux  
> and kernelcapability interaction?
>
> What are your current SELinux settings??
>
> cat /etc/selinux/config
>
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#	enforcing - SELinux security policy is enforced.
#	permissive - SELinux prints warnings instead of enforcing.
#	disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#	targeted - Only targeted network daemons are protected.
#	strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos/attachments/20080307/79d97a67/attachment-0002.html>