2011-10-03 19:22:47

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 0/2] Asterisk administration update

Two small patches, deprecating the previous attempt to get "asterisk -r"
working on a system. As per the feedback received from Dominick Grift, this
patch (1.) marks the "asterisk" binary as an application_exec_type so it can be
executed by user domains, and (2.) assigns the asterisk_stream_connect
privilege to the sysadm_t domain.

The latter part is not mandatory - I'm not sure if it is needed to give
sysadm this privilege (if the purpose of the policy is to support services
as-is, then yes, but if you want to keep it minimalistic, then no). If not,
just ignore this second patch-part then ;-)

Wkr,
Sven Vermeulen


2011-10-03 19:24:05

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 1/2] Asterisk admin must be able to run 'asterisk -r'

One of the most frequently run commands by asterisk administrators is
'asterisk -r', used to manipulate (through the asterisk socket) the
asterisk daemon (sort of an asterisk-specific shell support).

We mark the asterisk_exec_t type as an application_exec_type so that it
can be executed by the user domains.

Signed-off-by: Sven Vermeulen <[email protected]>
---
asterisk.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/asterisk.te b/asterisk.te
index b3b0176..6f6c42c 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -8,6 +8,7 @@ policy_module(asterisk, 1.9.0)
type asterisk_t;
type asterisk_exec_t;
init_daemon_domain(asterisk_t, asterisk_exec_t)
+application_executable_file(asterisk_exec_t)

type asterisk_etc_t;
files_config_file(asterisk_etc_t)
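Review bot: the file header of this hunk is `a/asterisk.te` / `b/asterisk.te`, whereas patch 2/2 uses the full `policy/modules/roles/sysadm.te` path; as sent, this one will not apply from the refpolicy root with a plain `git am` unless the path is corrected to the module's real location (the services directory). On the content: `application_executable_file(asterisk_exec_t)` marks the binary as `application_exec_type`, so every user domain that may run application files can execute it in its own domain without a transition, not only the administrator; that is consistent with the cover letter's stated intent and with patch 2/2, which then grants the caller domain (`sysadm_t`) the stream connect it needs to talk to the daemon's socket.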
--
1.7.3.4

2011-10-03 19:24:38

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 2/2] Allow sysadm to interact with asterisk

When administering asterisk, one often-run command is "asterisk -r",
which yields the asterisk CLI (when the asterisk server is running). To
be able to run this, you need asterisk_stream_connect privileges.

Assign these privileges to the sysadm_r.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/roles/sysadm.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 954417f..7a5c40b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -86,6 +86,10 @@ optional_policy(`
')

optional_policy(`
+ asterisk_stream_connect(sysadm_t)
+')
+
+optional_policy(`
auditadm_role_change(sysadm_r)
')

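Review bot: the commit message says the privilege is assigned to "the sysadm_r", but the hunk calls `asterisk_stream_connect(sysadm_t)`, i.e. the type, not the role; please align the message with the hunk. Placing the new `optional_policy(` block immediately before the `auditadm_role_change(sysadm_r)` one keeps the alphabetical order of the file, which is correct. Since this only grants connect to the daemon's socket, it is the minimal grant for `asterisk -r` from a `sysadm_t` shell and does not widen access for other user domains.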
--
1.7.3.4

2011-10-25 13:51:16

by cpebenito

Subject: [refpolicy] [PATCH v2 0/2] Asterisk administration update

On 10/03/11 15:22, Sven Vermeulen wrote:
> Two small patches, deprecating the previous attempt to get "asterisk -r"
> working on a system. As per the feedback received from Dominick Grift, this
> patch (1.) marks the "asterisk" binary as an application_exec_type so it can be
> executed by user domains, and (2.) assigns the asterisk_stream_connect
> privilege to the sysadm_t domain.
>
> The latter part is not mandatory - I'm not sure if it is needed to give
> sysadm this privilege (if the purpose of the policy is to support services
> as-is, then yes, but if you want to keep it minimalistic, then no). If not,
> just ignore this second patch-part then ;-)

This set is merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com