[refpolicy] [PATCH 1/2] Asterisk admin must be able to run 'asterisk -r'

Sven Vermeulen sven.vermeulen at siphos.be
Mon Sep 26 14:57:13 CDT 2011


One of the most frequently run commands by asterisk administrators is to
run 'asterisk -r' to manipulate (through the asterisk socket) the
asterisk daemon (sort-of asterisk-specific shell support).

We allow the asterisk administrator (through asterisk_admin) to execute
the asterisk binary (no domtrans) and connect through the socket.

Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
---
 asterisk.if |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/asterisk.if b/asterisk.if
index 8b8143e..3164850 100644
--- a/asterisk.if
+++ b/asterisk.if
@@ -62,6 +62,7 @@ interface(`asterisk_admin',`
 		type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
 		type asterisk_var_lib_t;
 		type asterisk_initrc_exec_t;
+		type asterisk_exec_t;
 	')
 
 	allow $1 asterisk_t:process { ptrace signal_perms getattr };
@@ -89,4 +90,7 @@ interface(`asterisk_admin',`
 
 	files_list_pids($1)
 	admin_pattern($1, asterisk_var_run_t)
+
+	can_exec($1, asterisk_exec_t)
+	asterisk_stream_connect($1)
 ')
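Review bot: can_exec($1, asterisk_exec_t) at the end of asterisk_admin makes the asterisk binary run in the caller's own domain instead of transitioning to asterisk_t, and nothing in the interface records that this is deliberate. The commit message gives the reason (the admin only needs the 'asterisk -r' client, which reaches the daemon through its socket), so a one-line comment above these two calls saying so would keep that reasoning next to the policy. Separately, asterisk_stream_connect($1) is called here but not defined by this patch (the diffstat shows only these 4 insertions), so please confirm the interface already exists in asterisk.if.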
-- 
1.7.3.4


