Bug 452166 - Please extend the policy for sysadm_t, by adding asterisk_exec(sysadm_t)
Summary: Please extend the policy for sysadm_t, by adding asterisk_exec(sysadm_t)
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: x86 Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r12
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-15 01:08 UTC by Ilias
Modified: 2013-03-29 10:54 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Add asterisk_exec interface, add it to asterisk admin (asterisk_run.patch, 715 bytes, patch)
2013-01-17 11:17 UTC, Vincent Brillault
Add asterisk_exec interface, add it to asterisk admin (asterisk_run.patch, 711 bytes, patch)
2013-01-21 13:14 UTC, Vincent Brillault

Description Ilias 2013-01-15 01:08:35 UTC
When starting asterisk in a selinux / hardened environment with enforcing/setenforce 1, I get a permission denied message.

Reproducible: Always

Steps to Reproduce:
1. selinux -> setenforce 1
2. asterisk -r or /etc/init.d/asterisk start/stop
Actual Results:  
permission denied
Comment 1 Ilias 2013-01-15 01:11:47 UTC
emerge --info

http://bpaste.net/show/70244/
Comment 2 Vincent Brillault 2013-01-17 11:17:07 UTC
Created attachment 335894
Add asterisk_exec interface, add it to asterisk admin

mmmm, the init script should work without asterisk_exec(sysadm_t): there is asterisk_admin(sysadm_t, sysadm_r) in roles/sysadm.te, and asterisk_admin gives sysadm_t the rights to run the init script. Does your /etc/init.d/asterisk have the correct context (system_u:object_r:asterisk_initrc_exec_t)?

I can confirm that 'asterisk -r' doesn't work:
[207086.025116] type=1400 audit(1358418922.444:456): avc:  denied  { execute } for  pid=23640 comm="zsh" name="asterisk" dev="sda1" ino=38941 scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:asterisk_exec_t tclass=file

Here is a simple patch against the 2.20120725-r9 policy that makes it work on my system. Not sure if it really needs a whole interface, but perhaps someone could want to uncouple it from asterisk_admin. I'm not using this interface like that; I simply use an asterisk_fix module with this interface in asterisk_fix.if and the following asterisk_fix.te:
'''
policy_module(asterisk_fix,1.0.0)
require {
  type sysadm_t;
}
asterisk_exec(sysadm_t)
'''
Comment 3 meteora 2013-01-21 11:13:04 UTC
Context seems to be correct. 

ls -Z /etc/init.d/asterisk
system_u:object_r:asterisk_initrc_exec_t /etc/init.d/asterisk

But when I setenforce 1 and try to start/stop asterisk service it gives out: 

/etc/init.d/asterisk stop
bash: /etc/init.d/asterisk: /sbin/runscript: bad interpreter: Permission denied

May I ask for some help on how to test the provided fix?
Comment 4 Vincent Brillault 2013-01-21 13:08:55 UTC
mmm, strange. It definitely works here :'(
What version of the selinux policy are you using?

Do you see any related deny in your avc/kernel logs?
Could you stop asterisk in non-enforcing mode, then try starting it in enforcing mode and look for denies just during this start?
Could you run 'semanage dontaudit off' and 'semodule -DB' before testing? (It enables more verbose logs; you can turn it back by running 'semanage dontaudit on' and 'semodule -B'.)

For applying the fix (that should enable you to run asterisk -r):
- Create a new directory (e.g asterisk_fix), enter it
- Create a new file, asterisk_fix.te and put the following inside:
'''
policy_module(fix_asterisk,1.0.0)
require {
  type asterisk_exec_t, sysadm_t;
}
can_exec(sysadm_t, asterisk_exec_t);
'''
- Run 'make -f /usr/share/selinux/strict/include/Makefile fix_asterisk.pp' to compile a new policy (if you are not under strict selinux, replace strict by the type you are using (targeted, mls or mcs)).
- Run 'semodule -i fix_asterisk.pp' to install it

PS: if you are running asterisk under a hardened system, you may be interested by bug 445176: https://bugs.gentoo.org/show_bug.cgi?id=445176
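The build steps from comment 4 as a script, an added example that is not code from this bug or from the sec-policy package. It assumes the "strict" policy type unless POLICY_TYPE is set, and it derives the .pp target from the .te file name, since the refpolicy include Makefile only knows how to build <name>.pp from <name>.te.

```shell
#!/bin/sh
# Added example, not code from this bug or from sec-policy: builds the local
# fix module from comment 4 the way the refpolicy include Makefile expects.
# Assumes policy type "strict" unless POLICY_TYPE is set; make/semodule are
# only invoked when the Makefile exists, so the helpers also work offline.
set -e

# Write <name>.te into <dir> and print its path. The policy_module() name
# must equal the file basename: the include Makefile builds <name>.pp from
# <name>.te, so asking for fix_asterisk.pp while the file on disk is
# asterisk_fix.te fails with "No rule to make target".
write_te() {
  name=$1; dir=$2
  cat > "$dir/$name.te" <<EOF
policy_module($name,1.0.0)
require {
  type asterisk_exec_t, sysadm_t;
}
# let the sysadm domain execute the asterisk binary (no domain transition)
can_exec(sysadm_t, asterisk_exec_t)
EOF
  printf '%s\n' "$dir/$name.te"
}

# The .pp target the Makefile can actually build for a given .te file.
pp_target_for() {
  printf '%s.pp\n' "$(basename "$1" .te)"
}

# Print "ok" when the declared module name matches the file name,
# "mismatch" (returning 1) otherwise.
check_module_name() {
  declared=$(sed -n 's/^policy_module(\([^,)]*\).*/\1/p' "$1")
  if [ "$declared" = "$(basename "$1" .te)" ]; then echo ok; return 0; fi
  echo mismatch; return 1
}

# Compile with the include Makefile and load the module (needs root).
build_and_install() {
  te=$1; mk="/usr/share/selinux/${POLICY_TYPE:-strict}/include/Makefile"
  check_module_name "$te" >/dev/null || { echo "name mismatch in $te" >&2; return 1; }
  pp=$(pp_target_for "$te")
  if [ -f "$mk" ] && command -v semodule >/dev/null 2>&1; then
    ( cd "$(dirname "$te")" && make -f "$mk" "$pp" && semodule -i "$pp" )
  else
    echo "no $mk or semodule here; skipping build of $pp" >&2
  fi
}
```

Typical use is `te=$(write_te asterisk_fix /tmp/asterisk_fix) && build_and_install "$te"`; the name check is what catches the asterisk_fix.te / fix_asterisk.pp mismatch reported later in this bug.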
Comment 5 Vincent Brillault 2013-01-21 13:14:35 UTC
Created attachment 336336
Add asterisk_exec interface, add it to asterisk admin

Small typo (I thought of creating an 'asterisk_run' interface, which also needs a role, but it seems it's not necessary to run in the asterisk_t domain for only 'asterisk -r' (running in asterisk_t results in more problems, as asterisk_t doesn't have the right to use users' tty)).
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2013-01-21 20:08:43 UTC
You shouldn't get the permission denied issue when calling asterisk through the init script (but check to make sure that the init script is labeled asterisk_initrc_exec_t).

However, the request for providing the ability to call asterisk directly for an asterisk administrator is equally valid (lots of asterisk documentation uses direct calls towards asterisk).
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2013-01-21 20:10:11 UTC
It's in the repository and will be in rev 12
Comment 8 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2013-01-21 20:48:05 UTC
This is how Fedora did it; I would recommend doing something similar, to track upstream.

http://pkgs.fedoraproject.org/cgit/selinux-policy.git/tree/asterisk.if?h=master_contrib#n32
Comment 9 Ilias 2013-01-21 23:26:50 UTC
emerge selinux-asterisk --search

      sec-policy/selinux-asterisk
      Latest version available: 2.20120725-r9
      Latest version installed: 2.20120725-r9
      Size of files: 996 kB
      Homepage:      http://www.gentoo.org/proj/en/hardened/selinux/
      Description:   SELinux policy for asterisk
      License:       GPL-2

/etc/init.d/asterisk stop

semanage dontaudit off
semodule -DB

setenforce 1

getenforce: 
enforcing

ls -Z /etc/init.d/asterisk
system_u:object_r:asterisk_initrc_exec_t /etc/init.d/asterisk

/etc/init.d/asterisk start
bash: /etc/init.d/asterisk: /sbin/runscript: bad interpreter: Permission denied

Maybe I have a general problem with my selinux/hardened setup? It's my first try at enabling selinux and hardened. In enforcing mode, I cannot make calls with my softphone. It connects to the asterisk server, but dialing anything, for example the echotest, fails too.

Following the avc.log when trying to start asterisk enforced: 
http://bpaste.net/show/71921/

For the fix I tried: 
mkdir /usr/share/selinux/strict/include/asterisk_fix
cd /usr/share/selinux/strict/include/asterisk_fix
nano asterisk_fix.te

inserted: 
policy_module(fix_asterisk,1.0.0)
require {
  type asterisk_exec_t, sysadm_t;
}
can_exec(sysadm_t, asterisk_exec_t); 

and saved file

make -f /usr/share/selinux/strict/include/Makefile fix_asterisk.pp
make: *** No rule to make target `fix_asterisk.pp'.  Stop.

I guess I will try to get some help on the irc #selinux channel to further debug my selinux setup, and wait till the patch gets in tree?

Thank you for helping me :)
Comment 11 Ilias 2013-01-22 22:34:07 UTC
great work. 

Thanks for your great support. Special thanks to Vincent :)
Comment 12 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-09 12:40:57 UTC
rev 12 in main tree, ~arch'ed
Comment 13 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-29 10:54:41 UTC
stabilized