I can't use `asterisk -r`; this SELinux module works for me.

module tempmod 1.0;

require {
    type sysadm_t;
    type asterisk_t;
    class unix_stream_socket { connectto accept };
}

#============= asterisk_t ==============
allow asterisk_t self:unix_stream_socket accept;

#============= sysadm_t ==============
allow sysadm_t asterisk_t:unix_stream_socket connectto;
I was doing this as sysadm_r... fml
Doesn't work in staff_r. This is what audit2allow gave me without gentoo_wait_requests and gentoo_try_dontaudit off.

module tempmod2 1.0;

require {
    type staff_t;
    type asterisk_t;
    type asterisk_etc_t;
    type asterisk_var_run_t;
    class capability { dac_read_search dac_override };
    class sock_file write;
    class file { read open };
    class unix_stream_socket { connectto accept };
}

#============= asterisk_t ==============
allow asterisk_t self:unix_stream_socket accept;

#============= staff_t ==============
allow staff_t asterisk_etc_t:file { read open };
allow staff_t asterisk_t:unix_stream_socket connectto;
allow staff_t asterisk_var_run_t:sock_file write;
allow staff_t self:capability { dac_read_search dac_override };

type=AVC msg=audit(1313471051.887:392): avc: denied { dac_override } for pid=21668 comm="asterisk" capability=1 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
type=SYSCALL msg=audit(1313471051.887:392): arch=c000003e syscall=4 success=yes exit=0 a0=71a19026b0f0 a1=71a190268b60 a2=71a190268b60 a3=4716840b196 items=0 ppid=18331 pid=21668 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="asterisk" exe="/usr/sbin/asterisk" subj=root:staff_r:staff_t key=(null)
type=AVC msg=audit(1313471051.887:393): avc: denied { dac_read_search } for pid=21668 comm="asterisk" capability=2 scontext=root:staff_r:staff_t tcontext=root:staff_r:staff_t tclass=capability
type=AVC msg=audit(1313471051.887:393): avc: denied { read } for pid=21668 comm="asterisk" name="asterisk.conf" dev=vda3 ino=7348 scontext=root:staff_r:staff_t tcontext=system_u:object_r:asterisk_etc_t tclass=file
type=AVC msg=audit(1313471051.887:393): avc: denied { open } for pid=21668 comm="asterisk" name="asterisk.conf" dev=vda3 ino=7348 scontext=root:staff_r:staff_t tcontext=system_u:object_r:asterisk_etc_t tclass=file
type=SYSCALL msg=audit(1313471051.887:393): arch=c000003e syscall=2 success=yes exit=4 a0=71a19026b0f0 a1=0 a2=1b6 a3=0 items=0 
ppid=18331 pid=21668 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="asterisk" exe="/usr/sbin/asterisk" subj=root:staff_r:staff_t key=(null)
type=AVC msg=audit(1313471051.887:394): avc: denied { write } for pid=21668 comm="asterisk" name="asterisk.ctl" dev=dm-3 ino=63 scontext=root:staff_r:staff_t tcontext=system_u:object_r:asterisk_var_run_t tclass=sock_file
type=AVC msg=audit(1313471051.887:394): avc: denied { connectto } for pid=21668 comm="asterisk" path="/var/run/asterisk/asterisk.ctl" scontext=root:staff_r:staff_t tcontext=system_u:system_r:asterisk_t tclass=unix_stream_socket
type=SYSCALL msg=audit(1313471051.887:394): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=71a19026b480 a2=6e a3=6c0431b7ee90 items=0 ppid=18331 pid=21668 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4 comm="asterisk" exe="/usr/sbin/asterisk" subj=root:staff_r:staff_t key=(null)
type=AVC msg=audit(1313471051.888:395): avc: denied { accept } for pid=1559 comm="asterisk" path="/var/run/asterisk/asterisk.ctl" scontext=system_u:system_r:asterisk_t tcontext=system_u:system_r:asterisk_t tclass=unix_stream_socket

This is the output of calling asterisk (nothing in the audit or message log):

pbx ~ # /usr/sbin/asterisk -r
-bash: /usr/sbin/asterisk: Permission denied
pbx ~ #
In hardened-dev overlay
In portage tree (~arch)