X-Git-Url: http://git.hungrycats.org/cgi-bin/gitweb.cgi?p=xscreensaver;a=blobdiff_plain;f=hacks%2Fsonar.c;h=e2ebf15472978a2523f9d17aba599c6ee2fc2b7b;hp=6b1453398ce7e8a92d96c77622f3877ff363c65f;hb=3f438031d610c7e15fd33876a879b97e290e05fb;hpb=447db08c956099b3b183886729108bf5b364c4b8

diff --git a/hacks/sonar.c b/hacks/sonar.c
index 6b145339..e2ebf154 100644
--- a/hacks/sonar.c
+++ b/hacks/sonar.c
@@ -38,7 +38,7 @@
  * software for any purpose.  It is provided "as is" without express or 
  * implied warranty.
  *
- * $Revision: 1.37 $
+ * $Revision: 1.38 $
  *
  * Version 1.0 April 27, 1998.
  * - Initial version
@@ -950,9 +950,18 @@ init_ping(void)
 	goto ping_init_error;
     }
 
-    /* Create the ICMP socket */
+    /* Create the ICMP socket.  Do this before dropping privs.
 
-    if ((pi->icmpsock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) >= 0) {
+       Raw sockets can only be opened by root (or setuid root), so we
+       only try to do this when the effective uid is 0.
+
+       We used to just always try, and notice the failure.  But apparently
+       that causes "SELinux" to log spurious warnings when running with the
+       "strict" policy.  So to avoid that, we just don't try unless we
+       know it will work.
+     */
+    if (geteuid() == 0 &&
+        (pi->icmpsock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)) >= 0) {
       socket_initted_p = True;
     }