Bug 441626 - net-misc/asterisk-1.8.15.1 with sec-policy/selinux-asterisk-2.20120725-r6: enable voicemail
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal enhancement
Assignee: SE Linux Bugs
URL:
Whiteboard: sec-policy r8
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-03 20:59 UTC by Vincent Brillault
Modified: 2012-12-13 10:15 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Inotify logs of /tmp /var/tmp/ /var/spool/asterisk/voicemail during a voice message (inotify.log, 4.91 KB, text/plain)
2012-11-16 00:07 UTC, Vincent Brillault
Description Vincent Brillault 2012-11-03 20:59:30 UTC
The current policy doesn't allow asterisk with the voicemail module to send mails containing audio messages. After some research, only this rule is needed:
allow system_mail_t asterisk_tmp_t:file { getattr read };

There are still some strange AVCs occurring at the same time, but I don't know their impact:

avc:  denied  { use } for  pid=29313 comm="sendmail" path="/dev/null" dev="devtmpfs" ino=1572 path="/dev/null" dev="devtmpfs" ino=1572 ipaddr=194.29.25.170 scontext=staff_u:system_r:system_mail_t tcontext=staff_u:system_r:initrc_t tclass=fd

avc:  denied  { use } for  pid=29313 comm="sendmail" path="pipe:[3947281]" dev="pipefs" ino=3947281 path="pipe:[3947281]" dev="pipefs" ino=3947281 ipaddr=194.29.25.170 scontext=staff_u:system_r:system_mail_t tcontext=staff_u:system_r:initrc_t tclass=fd
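
A triage helper for denials like the ones in the description, added here as an example; it is not part of the original report or of the Gentoo policy. It groups AVC lines by source type, target type and class. The two `fd` lines are abridged from the description, the two `asterisk_tmp_t` lines are constructed to match the rule quoted there, and all function names are assumptions.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Lines 1-2: abridged from the bug description. Lines 3-4: constructed.
SAMPLE = [
    'avc:  denied  { use } for  pid=29313 comm="sendmail" path="/dev/null" '
    'scontext=staff_u:system_r:system_mail_t '
    'tcontext=staff_u:system_r:initrc_t tclass=fd',
    'avc:  denied  { use } for  pid=29313 comm="sendmail" '
    'path="pipe:[3947281]" scontext=staff_u:system_r:system_mail_t '
    'tcontext=staff_u:system_r:initrc_t tclass=fd',
    'avc:  denied  { getattr } for  pid=29313 comm="sendmail" '
    'path="/tmp/astmail-XXXXXX" scontext=staff_u:system_r:system_mail_t '
    'tcontext=staff_u:object_r:asterisk_tmp_t tclass=file',
    'avc:  denied  { read } for  pid=29313 comm="sendmail" '
    'path="/tmp/astmail-XXXXXX" scontext=staff_u:system_r:system_mail_t '
    'tcontext=staff_u:object_r:asterisk_tmp_t tclass=file',
]

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = m.group(1).split()
    # A context is user:role:type[:level]; the type is the third field.
    rec['stype'], rec['ttype'] = (
        rec[k].split(':')[2] for k in ('scontext', 'tcontext'))
    return rec

def summarize(lines):
    """Group denials by (source type, target type, class), merging perms."""
    groups = defaultdict(lambda: {'perms': set(), 'paths': set()})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['paths'].add(rec.get('path', '?'))
    return dict(groups)

def as_rule(key, perms):
    """Render one group in allow-rule syntax, for review, not for loading."""
    p = sorted(perms)
    body = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
    return 'allow {} {}:{} {};'.format(key[0], key[1], key[2], body)
```

The `fd` group comes out separately from the `asterisk_tmp_t` file group: class `fd` with permission `use` covers file descriptors that sendmail received from a process in `initrc_t`, not access to the voicemail temp file.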
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-10 17:16:28 UTC
Can you elaborate on the asterisk_tmp_t type here? I guess asterisk creates a temporary file for the voicemail stuff (hence the type); is there any possibility of having a differentiation between its "regular" tmp files, and those that are to be sent by the mailer daemon?

If not, you probably only need to add "mta_system_content(asterisk_tmp_t)", which is telling SELinux that the asterisk_tmp_t type is used as input files for system mailings.
Comment 2 Vincent Brillault 2012-11-16 00:07:17 UTC
Created attachment 329632
Inotify logs of /tmp /var/tmp/ /var/spool/asterisk/voicemail during a voice message

After some checks, it appears that asterisk creates a temp file /tmp/astmail-XXXXXX (at least) before transmitting it to sendmail. The name of the temp file is hardcoded in the asterisk sources (in app_voicemail.c) and partially random (the XXXXX part), thus, as asterisk is probably using the /tmp/ for other things, using a filetrans_pattern is impossible, isn't it?
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-16 14:15:09 UTC
Yes, looks like mta_system_content(asterisk_tmp_t) is the best option here.
Comment 4 Vincent Brillault 2012-11-17 15:43:17 UTC
Adding mta_system_content(asterisk_tmp_t) works :)

It's a shame we cannot separate it from other asterisk tmp content :'(
As a result, I'm not sure if it is a good idea to add it to the default policy... Perhaps with a boolean asterisk_use_voicemail or something similar?
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-17 17:24:43 UTC
I'm not sure it is that bad. What other temporary files does asterisk use and that wouldn't be protected with the regular DAC (user/group ownership) stuff?

Anyway, we cannot make this optional, unless we drop the attribute approach and allow it directly (so with the read_files_pattern stuff) as a "typeattribute <type> <attribute>" call isn't allowed in a tunable policy (I know, stupid right?)
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-18 08:31:39 UTC
Added to policy
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-23 21:42:57 UTC
r8 in hardened-dev overlay
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-03 09:37:24 UTC
r8 is now in main tree, ~arch
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:15:04 UTC
r8 is now stable