From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 11 Apr 2013 10:34:31 +0200 Subject: [refpolicy] [PATCH 01/13] Allow asterisk admins to execute asterisk binary directly In-Reply-To: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be> References: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1365669283-22005-2-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Administrating Asterisk requires being able to run the asterisk binary (no transition needed, it acts as a client). For instance http://www.voip-info.org/wiki/view/Asterisk+CLI shows an overview of common CLI commands ran by administrators through the asterisk binary. Thus add in asterisk_exec($1) into the asterisk_admin() definition. Signed-off-by: Sven Vermeulen --- asterisk.if | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/asterisk.if b/asterisk.if index 7268a04..26c8621 100644 --- a/asterisk.if +++ b/asterisk.if @@ -113,6 +113,8 @@ interface(`asterisk_admin',` role_transition $2 asterisk_initrc_exec_t system_r; allow $2 system_r; + asterisk_exec($1) + files_list_tmp($1) admin_pattern($1, asterisk_tmp_t) @@ -131,3 +133,22 @@ interface(`asterisk_admin',` files_list_pids($1) admin_pattern($1, asterisk_var_run_t) ') + +###################################### +## +## Execute asterisk is the caller domain. +## +## +## +## Domain allowed to execute asterisk +## +## +# +interface(`asterisk_exec',` + gen_require(` + type asterisk_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, asterisk_exec_t) +') -- 1.8.1.5
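Review bot: in the first hunk, `asterisk_exec($1)` lets the admin domain run the binary without a transition, but the commit message says that binary acts as a client of the running daemon, and the surrounding context only grants file access to `asterisk_var_run_t` through `admin_pattern($1, asterisk_var_run_t)`, which does not cover connecting to the daemon's unix stream socket. Please confirm whether the admin domain also needs the stream-connect permission to `asterisk_t` for the CLI use case described in the message (refpolicy normally carries that in a dedicated `asterisk_stream_connect` interface); if it does, this hunk should call it alongside `asterisk_exec($1)`.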
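Review bot: in the second hunk, the summary of the new `asterisk_exec` interface reads "Execute asterisk is the caller domain" and should read "Execute asterisk in the caller domain". Placement is also off: the new interface is appended after `asterisk_admin`, whereas refpolicy convention keeps the `_admin` interface as the last block of a `.if` file, so `asterisk_exec` belongs above it with the other per-domain interfaces. The body itself (`corecmd_search_bin($1)` plus `can_exec($1, asterisk_exec_t)` with `asterisk_exec_t` in `gen_require`) matches the usual `_exec` interface shape.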