From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 17 Apr 2013 18:35:52 +0200
Subject: [refpolicy] [PATCH 01/13] Allow asterisk admins to execute
 asterisk binary directly
In-Reply-To: <1365669283-22005-2-git-send-email-sven.vermeulen@siphos.be>
References: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be>
	<1365669283-22005-2-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1366216552.2803.36.camel@x220.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> Administrating Asterisk requires being able to run the asterisk binary (no
> transition needed, it acts as a client). For instance
> http://www.voip-info.org/wiki/view/Asterisk+CLI shows an overview of common CLI
> commands ran by administrators through the asterisk binary.
> 
> Thus add in asterisk_exec($1) into the asterisk_admin() definition.

Merged with changes, thanks

Moved asterisk exec to the right place and edited the interface xml
header

> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  asterisk.if | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
> 
> diff --git a/asterisk.if b/asterisk.if
> index 7268a04..26c8621 100644
> --- a/asterisk.if
> +++ b/asterisk.if
> @@ -113,6 +113,8 @@ interface(`asterisk_admin',`
>  	role_transition $2 asterisk_initrc_exec_t system_r;
>  	allow $2 system_r;
>  
> +	asterisk_exec($1)
> +
>  	files_list_tmp($1)
>  	admin_pattern($1, asterisk_tmp_t)
>  
> @@ -131,3 +133,22 @@ interface(`asterisk_admin',`
>  	files_list_pids($1)
>  	admin_pattern($1, asterisk_var_run_t)
>  ')
> +
> +######################################
> +## <summary>
> +##	Execute asterisk is the caller domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to execute asterisk
> +##	</summary>
> +## </param>
> +#
> +interface(`asterisk_exec',`
> +	gen_require(`
> +		type asterisk_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	can_exec($1, asterisk_exec_t)
> +')