From: dominick.grift@gmail.com (Dominick Grift) Date: Wed, 17 Apr 2013 18:35:52 +0200 Subject: [refpolicy] [PATCH 01/13] Allow asterisk admins to execute asterisk binary directly In-Reply-To: <1365669283-22005-2-git-send-email-sven.vermeulen@siphos.be> References: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be> <1365669283-22005-2-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1366216552.2803.36.camel@x220.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote: > Administrating Asterisk requires being able to run the asterisk binary (no > transition needed, it acts as a client). For instance > http://www.voip-info.org/wiki/view/Asterisk+CLI shows an overview of common CLI > commands ran by administrators through the asterisk binary. > > Thus add in asterisk_exec($1) into the asterisk_admin() definition. Merged with changes, thanks Moved asterisk exec to the right place and edited the interface xml header > > Signed-off-by: Sven Vermeulen > --- > asterisk.if | 21 +++++++++++++++++++++ > 1 file changed, 21 insertions(+) > > diff --git a/asterisk.if b/asterisk.if > index 7268a04..26c8621 100644 > --- a/asterisk.if > +++ b/asterisk.if > @@ -113,6 +113,8 @@ interface(`asterisk_admin',` > role_transition $2 asterisk_initrc_exec_t system_r; > allow $2 system_r; > > + asterisk_exec($1) > + > files_list_tmp($1) > admin_pattern($1, asterisk_tmp_t) > > @@ -131,3 +133,22 @@ interface(`asterisk_admin',` > files_list_pids($1) > admin_pattern($1, asterisk_var_run_t) > ') > + > +###################################### > +## > +## Execute asterisk is the caller domain. > +## > +## > +## > +## Domain allowed to execute asterisk > +## > +## > +# > +interface(`asterisk_exec',` > + gen_require(` > + type asterisk_exec_t; > + ') > + > + corecmd_search_bin($1) > + can_exec($1, asterisk_exec_t) > +')
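Review bot: in the first hunk (@@ -113,6 +113,8 @@) the new `asterisk_exec($1)` call is inserted between the initrc role-transition block (`role_transition $2 asterisk_initrc_exec_t system_r; allow $2 system_r;`) and the `files_list_tmp($1)` / `admin_pattern($1, asterisk_tmp_t)` section, so it splits the init-script part of `asterisk_admin` from the per-file-type part. Executing the daemon binary is a process-level permission for the admin domain, so it reads better grouped with the other domain-level rules at the top of the interface, before the init-script block, rather than in the middle of the file-type patterns. Also note that `asterisk_exec($1)` only lets the admin run the binary in its own domain; the CLI use case described in the commit message (the binary acting as a client) still depends on the admin domain being able to reach the running daemon's control socket, which nothing in this hunk grants, so check that the rest of `asterisk_admin` or the caller already covers that.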
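Review bot: in the second hunk (@@ -131,3 +133,22 @@) the summary line of the new `asterisk_exec` interface reads "Execute asterisk is the caller domain." and should read "Execute asterisk in the caller domain." As shown, the doc-comment block is a run of bare `##` lines with no summary or parameter markup around "Domain allowed to execute asterisk"; refpolicy interface headers carry that markup so the interface documentation can be generated, so confirm the header is complete in the applied version (the reply above says the header was edited on merge). The body itself is the usual shape: `gen_require` of `asterisk_exec_t`, `corecmd_search_bin($1)` so the caller can search the bin directories, then `can_exec($1, asterisk_exec_t)` with no domain transition, which matches the stated intent of running the binary as a client.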