[refpolicy] [PATCH 1/2] Asterisk admin must be able to run 'asterisk -r'

Daniel J Walsh dwalsh at redhat.com
Tue Sep 27 08:02:58 CDT 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/26/2011 03:57 PM, Sven Vermeulen wrote:
> One of the most frequently ran commands by asterisk administrators
> is to run 'asterisk -r' to manipulate (through the asterisk socket)
> the asterisk daemon (sort-of asterisk-specific shell support).
> 
> We allow the asterisk administrator (through asterisk_admin) to
> execute the asterisk binary (no domtrans) and connect through the
> socket.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be> --- 
> asterisk.if |    4 ++++ 1 files changed, 4 insertions(+), 0
> deletions(-)
> 
> diff --git a/asterisk.if b/asterisk.if index 8b8143e..3164850
> 100644 --- a/asterisk.if +++ b/asterisk.if @@ -62,6 +62,7 @@
> interface(`asterisk_admin',` type asterisk_etc_t, asterisk_tmp_t,
> asterisk_log_t; type asterisk_var_lib_t; type
> asterisk_initrc_exec_t; +		type asterisk_exec_t; ')
> 
> allow $1 asterisk_t:process { ptrace signal_perms getattr }; @@
> -89,4 +90,7 @@ interface(`asterisk_admin',`
> 
> files_list_pids($1) admin_pattern($1, asterisk_var_run_t) + +
> can_exec($1, asterisk_exec_t) +	asterisk_stream_connect($1) ')


An asterisk admin should not be running the application in his his own
context, he should be allowed to restart it in the asterisk_t domain
which is why we have asterisk_initrc_exec_t. And are moving towards
using asterisk_systemctl() for systemd controls.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6ByYIACgkQrlYvE4MpobPLkgCgs7wvSQRK9e7JMeUELDtvSnUn
6GgAoKLKT27GVU28lapZHvC4bFTdLd0h
=MdXu
-----END PGP SIGNATURE-----


More information about the refpolicy mailing list