From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 26 Sep 2011 22:23:06 +0200
Subject: [refpolicy] [PATCH 1/2] Asterisk admin must be able to run 'asterisk -r'
In-Reply-To: <20110926195713.GB15513@siphos.be>
References: <20110926195542.GA15513@siphos.be> <20110926195713.GB15513@siphos.be>
Message-ID: <1317068586.2861.11.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2011-09-26 at 21:57 +0200, Sven Vermeulen wrote:
> One of the most frequently run commands by asterisk administrators is to
> run 'asterisk -r' to manipulate (through the asterisk socket) the
> asterisk daemon (sort-of asterisk-specific shell support).
>
> We allow the asterisk administrator (through asterisk_admin) to execute
> the asterisk binary (no domtrans) and connect through the socket.

In theory this looks good, but I wonder if it will work in practice, since
you may have tested it with sysadm_t, which is not a good representation of
reality.

These admin interfaces shouldn't be called by sysadm_t; they should instead
be used with userdom_base_user_template.

like;

mkdir myasteriskadm; cd myasteriskadm;
echo "policy_module(myasteriskadm, 1.0.0)
userdom_base_user_template(myasteriskadm)
role myasteriskadm_r;
asterisk_admin(myasteriskadm_t, myasteriskadm_r)
" > myasteriskadm.te;

and then for example:

echo "policy_module(mystaff, 1.0.0)
gen_require(\`
role staff_r, myasteriskadm_r;
')
allow staff_r myasteriskadm_r;" > mystaff.te;

semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r system_r myasteriskadm_r sysadm_r" -P user staff_u
useradd -Z staff_u joe
sudo -t myasteriskadm_t -r myasteriskadm_r /etc/init.d/asterisk start

Disclaimer: the example may have errors since I did it off the top of my mind.

>
> Signed-off-by: Sven Vermeulen
> ---
> asterisk.if | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/asterisk.if b/asterisk.if > index 8b8143e..3164850 100644 > --- a/asterisk.if > +++ b/asterisk.if
> @@ -62,6 +62,7 @@ interface(`asterisk_admin',` > type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t; > type asterisk_var_lib_t; > type asterisk_initrc_exec_t; > + type asterisk_exec_t; > ') > > allow $1 asterisk_t:process { ptrace signal_perms getattr }; > @@ -89,4 +90,7 @@ interface(`asterisk_admin',` > > files_list_pids($1) > admin_pattern($1, asterisk_var_run_t) > + > + can_exec($1, asterisk_exec_t) > + asterisk_stream_connect($1)
> ')
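
Review bot: the two lines added at the end of asterisk_admin, `can_exec($1, asterisk_exec_t)` and `asterisk_stream_connect($1)`, have no comment saying why an admin interface grants them. Because can_exec runs the binary in the caller's own domain (the commit message says "no domtrans"), the 'asterisk -r' client executes with every permission the admin domain already holds, including the ptrace on asterisk_t granted earlier in the interface. A one-line comment above the two calls naming the 'asterisk -r' console use case would make the grant easier to audit, and the change should be confirmed from a confined domain that calls asterisk_admin rather than from sysadm_t, which would mask any rule that is still missing.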