From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 27 Sep 2011 09:02:58 -0400
Subject: [refpolicy] [PATCH 1/2] Asterisk admin must be able to run 'asterisk -r'
In-Reply-To: <20110926195713.GB15513@siphos.be>
References: <20110926195542.GA15513@siphos.be> <20110926195713.GB15513@siphos.be>
Message-ID: <4E81C982.7000507@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/26/2011 03:57 PM, Sven Vermeulen wrote:
> One of the most frequently run commands by asterisk administrators
> is to run 'asterisk -r' to manipulate (through the asterisk socket)
> the asterisk daemon (sort-of asterisk-specific shell support).
>
> We allow the asterisk administrator (through asterisk_admin) to
> execute the asterisk binary (no domtrans) and connect through the
> socket.
>
> Signed-off-by: Sven Vermeulen ---
> asterisk.if | 4 ++++ 1 files changed, 4 insertions(+), 0 > deletions(-) > > diff --git a/asterisk.if b/asterisk.if index 8b8143e..3164850 > 100644 --- a/asterisk.if +++ b/asterisk.if
@@ -62,6 +62,7 @@ > interface(`asterisk_admin',` type asterisk_etc_t, asterisk_tmp_t, > asterisk_log_t; type asterisk_var_lib_t; type > asterisk_initrc_exec_t; + type asterisk_exec_t; ') > > allow $1 asterisk_t:process { ptrace signal_perms getattr }; @@ > -89,4 +90,7 @@ interface(`asterisk_admin',` > > files_list_pids($1) admin_pattern($1, asterisk_var_run_t) + + > can_exec($1, asterisk_exec_t) + asterisk_stream_connect($1) ')

An asterisk admin should not be running the application in his own context; he should be allowed to restart it in the asterisk_t domain, which is why we have asterisk_initrc_exec_t. And we are moving towards using asterisk_systemctl() for systemd controls.
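
Review bot: the added can_exec($1, asterisk_exec_t) at the end of asterisk_admin runs the asterisk binary in the caller's own domain (the commit message says "no domtrans"), so everything the binary does during 'asterisk -r' happens with the admin domain's permissions rather than under asterisk_t. If the remote console is wanted, consider moving can_exec($1, asterisk_exec_t) and asterisk_stream_connect($1), together with the new "type asterisk_exec_t;" requirement from the first hunk, into a separate documented interface, so that callers of asterisk_admin that only manage the daemon through asterisk_initrc_exec_t do not receive exec and socket access implicitly. The interface comment should also state why no domain transition is used.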