From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 26 Sep 2011 21:57:13 +0200 Subject: [refpolicy] [PATCH 1/2] Asterisk admin must be able to run 'asterisk -r' In-Reply-To: <20110926195542.GA15513@siphos.be> References: <20110926195542.GA15513@siphos.be> Message-ID: <20110926195713.GB15513@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com One of the most frequently ran commands by asterisk administrators is to run 'asterisk -r' to manipulate (through the asterisk socket) the asterisk daemon (sort-of asterisk-specific shell support). We allow the asterisk administrator (through asterisk_admin) to execute the asterisk binary (no domtrans) and connect through the socket. Signed-off-by: Sven Vermeulen --- asterisk.if | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/asterisk.if b/asterisk.if index 8b8143e..3164850 100644 --- a/asterisk.if +++ b/asterisk.if @@ -62,6 +62,7 @@ interface(`asterisk_admin',` type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t; type asterisk_var_lib_t; type asterisk_initrc_exec_t; + type asterisk_exec_t; ') allow $1 asterisk_t:process { ptrace signal_perms getattr }; @@ -89,4 +90,7 @@ interface(`asterisk_admin',` files_list_pids($1) admin_pattern($1, asterisk_var_run_t) + + can_exec($1, asterisk_exec_t) + asterisk_stream_connect($1) ') -- 1.7.3.4
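Review bot: in the second hunk, can_exec($1, asterisk_exec_t) deliberately runs the asterisk binary in the caller's own domain rather than through a domain transition, which matches the "no domtrans" in the description; the consequence is that every access 'asterisk -r' needs (reading the configuration under asterisk_etc_t to find the socket path, then connecting to the socket in asterisk_var_run_t) must be granted to $1 directly, and only the asterisk_var_run_t admin_pattern() and the new asterisk_stream_connect($1) are visible in this context, so please confirm that the admin_pattern() for asterisk_etc_t already exists higher up in asterisk_admin() (its gen_require in the first hunk lists the type, which suggests it does). If the intent is ever to let the admin run the full daemon rather than only the remote console, that would call for asterisk_domtrans() instead, so a one-line comment above can_exec() stating that this is console-only use would make the choice explicit for future readers.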