[refpolicy] [PATCH 1/2] Asterisk admin must be able to run 'asterisk -r'

Dominick Grift dominick.grift at gmail.com
Mon Sep 26 15:23:06 CDT 2011


On Mon, 2011-09-26 at 21:57 +0200, Sven Vermeulen wrote:
> One of the most frequently ran commands by asterisk administrators is to
> run 'asterisk -r' to manipulate (through the asterisk socket) the
> asterisk daemon (sort-of asterisk-specific shell support).
> 
> We allow the asterisk administrator (through asterisk_admin) to execute
> the asterisk binary (no domtrans) and connect through the socket.

In theory looks good but i wonder if this will work in practice since
you may have tested it with sysadm_t that is not a good representation
of reality. These admin interfaces shouldnt be called by sysadm_t, they
should instead be used with userdom_base_user_template.

like;

mkdir myasteriskadm; cd myasteriskadm;

echo "policy_module(myasteriskadm, 1.0.0)"
userdom_base_user_template(myasteriskadm) role myasteriskadm_r;
asterisk_admin(myasteriskadm_t, myasteriskadm_r) " > myasteriskadm.te;

and then for example:

echo "policy_module(mystaff, 1.0.0) gen_require(\` role staff_r,
myasteriskadm_r; ') allow staff_r myasteriskadm_r;" > mystaff.te;

semanage user -m -L s0 -r s0-s0:c0.c1023 -R "staff_r system_r
myasteriskadm_r sysadm_r" -P user staff_u

useradd -Z staff_u joe

sudo -t myasteriskadm_t -r myasteriskadm_r /etc/init.d/asterisk start

disclaimer:  example have my have errors since i did it off the top of
my mind.

> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
> ---
>  asterisk.if |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
> 
> diff --git a/asterisk.if b/asterisk.if
> index 8b8143e..3164850 100644
> --- a/asterisk.if
> +++ b/asterisk.if
> @@ -62,6 +62,7 @@ interface(`asterisk_admin',`
>  		type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
>  		type asterisk_var_lib_t;
>  		type asterisk_initrc_exec_t;
> +		type asterisk_exec_t;
>  	')
>  
>  	allow $1 asterisk_t:process { ptrace signal_perms getattr };
> @@ -89,4 +90,7 @@ interface(`asterisk_admin',`
>  
>  	files_list_pids($1)
>  	admin_pattern($1, asterisk_var_run_t)
> +
> +	can_exec($1, asterisk_exec_t)
> +	asterisk_stream_connect($1)
>  ')

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110926/1463dc90/attachment.bin 


More information about the refpolicy mailing list