The following set of patches updates the asterisk_t domain definition:
1. Add "chown" capability to asterisk domain
2. Allow asterisk to listen/accept on its control socket
3. Allow asterisk read access to /dev/random
4. Add interfaces to manage attributes of asterisk log and pid files
5. Allow initrc to manage asterisk log and pid files
Wkr,
Sven Vermeulen
During startup, asterisk verifies the ownership of its run-directory and, if not set correctly, changes it accordingly.
Signed-off-by: Sven Vermeulen <[email protected]>
---
asterisk.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/asterisk.te b/asterisk.te
index 22d7cdf..c702879 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -40,7 +40,7 @@ files_pid_file(asterisk_var_run_t)
#
# dac_override for /var/run/asterisk
-allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };
+allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin chown };
dontaudit asterisk_t self:capability sys_tty_config;
allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
allow asterisk_t self:fifo_file rw_fifo_file_perms;
--
1.7.3.4
Signed-off-by: Sven Vermeulen <[email protected]>
---
asterisk.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/asterisk.te b/asterisk.te
index c702879..aac5a41 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -46,7 +46,7 @@ allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
allow asterisk_t self:fifo_file rw_fifo_file_perms;
allow asterisk_t self:sem create_sem_perms;
allow asterisk_t self:shm create_shm_perms;
-allow asterisk_t self:unix_stream_socket connectto;
+allow asterisk_t self:unix_stream_socket { connectto listen accept };
allow asterisk_t self:tcp_socket create_stream_socket_perms;
allow asterisk_t self:udp_socket create_socket_perms;
--
1.7.3.4
Signed-off-by: Sven Vermeulen <[email protected]>
---
asterisk.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/asterisk.te b/asterisk.te
index aac5a41..dda6c5e 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -117,6 +117,7 @@ dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
dev_read_sound(asterisk_t)
dev_write_sound(asterisk_t)
+dev_read_rand(asterisk_t)
dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
--
1.7.3.4
Signed-off-by: Sven Vermeulen <[email protected]>
---
asterisk.if | 43 +++++++++++++++++++++++++++++++++++++++++++
1 files changed, 43 insertions(+), 0 deletions(-)
diff --git a/asterisk.if b/asterisk.if
index 8b8143e..bd6273f 100644
--- a/asterisk.if
+++ b/asterisk.if
@@ -90,3 +90,46 @@ interface(`asterisk_admin',`
files_list_pids($1)
admin_pattern($1, asterisk_var_run_t)
')
+
+#######################################
+## <summary>
+## Allow changing the attributes of the asterisk log files and directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to change the attributes of the asterisk log files and
+## directories
+## </summary>
+## </param>
+#
+interface(`asterisk_setattr_logs',`
+ gen_require(`
+ type asterisk_log_t;
+ ')
+
+ setattr_files_pattern($1, asterisk_log_t, asterisk_log_t)
+ setattr_dirs_pattern($1, asterisk_log_t, asterisk_log_t)
+
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Allow changing the attributes of the asterisk PID files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to change the attributes of the asterisk PID files
+## </summary>
+## </param>
+#
+interface(`asterisk_setattr_pid_files',`
+ gen_require(`
+ type asterisk_var_run_t;
+ ')
+
+ setattr_files_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
+ setattr_dirs_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
+
+ files_search_pids($1)
+')
--
1.7.3.4
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/init.te | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b7fcbe3..dd37cf1 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -571,6 +571,11 @@ optional_policy(`
')
optional_policy(`
+ asterisk_setattr_logs(initrc_t)
+ asterisk_setattr_pid_files(initrc_t)
+')
+
+optional_policy(`
bind_read_config(initrc_t)
# for chmod in start script
--
1.7.3.4
On 03/26/12 14:49, Sven Vermeulen wrote:
> During startup, asterisk verifies the ownership of its run-directory and, if not set correctly, changes it accordingly.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> asterisk.te | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/asterisk.te b/asterisk.te
> index 22d7cdf..c702879 100644
> --- a/asterisk.te
> +++ b/asterisk.te
> @@ -40,7 +40,7 @@ files_pid_file(asterisk_var_run_t)
> #
>
> # dac_override for /var/run/asterisk
> -allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };
> +allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin chown };
> dontaudit asterisk_t self:capability sys_tty_config;
> allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
> allow asterisk_t self:fifo_file rw_fifo_file_perms;
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 03/26/12 14:49, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> asterisk.te | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/asterisk.te b/asterisk.te
> index c702879..aac5a41 100644
> --- a/asterisk.te
> +++ b/asterisk.te
> @@ -46,7 +46,7 @@ allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
> allow asterisk_t self:fifo_file rw_fifo_file_perms;
> allow asterisk_t self:sem create_sem_perms;
> allow asterisk_t self:shm create_shm_perms;
> -allow asterisk_t self:unix_stream_socket connectto;
> +allow asterisk_t self:unix_stream_socket { connectto listen accept };
> allow asterisk_t self:tcp_socket create_stream_socket_perms;
> allow asterisk_t self:udp_socket create_socket_perms;
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 03/26/12 14:50, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> asterisk.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/asterisk.te b/asterisk.te
> index aac5a41..dda6c5e 100644
> --- a/asterisk.te
> +++ b/asterisk.te
> @@ -117,6 +117,7 @@ dev_rw_generic_usb_dev(asterisk_t)
> dev_read_sysfs(asterisk_t)
> dev_read_sound(asterisk_t)
> dev_write_sound(asterisk_t)
> +dev_read_rand(asterisk_t)
> dev_read_urand(asterisk_t)
>
> domain_use_interactive_fds(asterisk_t)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 03/26/12 14:50, Sven Vermeulen wrote:
>
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> asterisk.if | 43 +++++++++++++++++++++++++++++++++++++++++++
> 1 files changed, 43 insertions(+), 0 deletions(-)
Merged. Fixed whitespace and rearranged interfaces.
> diff --git a/asterisk.if b/asterisk.if
> index 8b8143e..bd6273f 100644
> --- a/asterisk.if
> +++ b/asterisk.if
> @@ -90,3 +90,46 @@ interface(`asterisk_admin',`
> files_list_pids($1)
> admin_pattern($1, asterisk_var_run_t)
> ')
> +
> +#######################################
> +## <summary>
> +## Allow changing the attributes of the asterisk log files and directories
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to change the attributes of the asterisk log files and
> +## directories
> +## </summary>
> +## </param>
> +#
> +interface(`asterisk_setattr_logs',`
> + gen_require(`
> + type asterisk_log_t;
> + ')
> +
> + setattr_files_pattern($1, asterisk_log_t, asterisk_log_t)
> + setattr_dirs_pattern($1, asterisk_log_t, asterisk_log_t)
> +
> + logging_search_logs($1)
> +')
> +
> +#######################################
> +## <summary>
> +## Allow changing the attributes of the asterisk PID files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to change the attributes of the asterisk PID files
> +## </summary>
> +## </param>
> +#
> +interface(`asterisk_setattr_pid_files',`
> + gen_require(`
> + type asterisk_var_run_t;
> + ')
> +
> + setattr_files_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
> + setattr_dirs_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
> +
> + files_search_pids($1)
> +')
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 03/26/12 14:50, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/init.te | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index b7fcbe3..dd37cf1 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -571,6 +571,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + asterisk_setattr_logs(initrc_t)
> + asterisk_setattr_pid_files(initrc_t)
> +')
> +
> +optional_policy(`
> bind_read_config(initrc_t)
>
> # for chmod in start script
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com