* [refpolicy] [PATCH 0/5] Updates for asterisk domain
From: Sven Vermeulen @ 2012-03-26 18:48 UTC (permalink / raw)
  To: refpolicy

The following set of patches updates the asterisk_t domain definition:

1. Add "chown" capability to asterisk domain
2. Allow asterisk to listen/accept on its control socket
3. Allow asterisk read access to /dev/random
4. Add interfaces to manage attributes of asterisk log and pid files
5. Allow initrc to manage asterisk log and pid files

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH 1/5] Allow asterisk to chown its own /var/run/asterisk directory
From: Sven Vermeulen @ 2012-03-26 18:49 UTC (permalink / raw)
  To: refpolicy

During startup, asterisk verifies the ownership of its run-directory and, if not set correctly, changes it accordingly.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 asterisk.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/asterisk.te b/asterisk.te
index 22d7cdf..c702879 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -40,7 +40,7 @@ files_pid_file(asterisk_var_run_t)
 #
 
 # dac_override for /var/run/asterisk
-allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };
+allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin chown };
 dontaudit asterisk_t self:capability sys_tty_config;
 allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
 allow asterisk_t self:fifo_file rw_fifo_file_perms;
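Review bot: the comment two lines above the changed rule still reads `# dac_override for /var/run/asterisk`, but the rule now also carries `chown` for that same directory according to the commit message; update it to something like `# dac_override and chown for /var/run/asterisk` so the justification stays next to the rule. CAP_CHOWN is not scoped to one path in the capability check, so without the comment a later reader of asterisk.te cannot tell that fixing up the ownership of the run directory at startup is the only intended use.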
-- 
1.7.3.4


* [refpolicy] [PATCH 2/5] Allow asterisk to listen on its control socket
From: Sven Vermeulen @ 2012-03-26 18:49 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 asterisk.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/asterisk.te b/asterisk.te
index c702879..aac5a41 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -46,7 +46,7 @@ allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
 allow asterisk_t self:fifo_file rw_fifo_file_perms;
 allow asterisk_t self:sem create_sem_perms;
 allow asterisk_t self:shm create_shm_perms;
-allow asterisk_t self:unix_stream_socket connectto;
+allow asterisk_t self:unix_stream_socket { connectto listen accept };
 allow asterisk_t self:tcp_socket create_stream_socket_perms;
 allow asterisk_t self:udp_socket create_socket_perms;
 
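Review bot: the commit message body is empty, so nothing records which unix stream socket asterisk listens on or what denial motivated adding `listen accept`; add a one-line description (the socket path or the AVC message) above the Signed-off-by. The rule itself reads correctly: `connectto` was already granted for the client side of the same self socket, and `listen accept` complete the server side, consistent with the `create_stream_socket_perms` already used on the tcp_socket line below.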
-- 
1.7.3.4


* [refpolicy] [PATCH 3/5] Asterisk requires access to /dev/random too
From: Sven Vermeulen @ 2012-03-26 18:50 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 asterisk.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/asterisk.te b/asterisk.te
index aac5a41..dda6c5e 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -117,6 +117,7 @@ dev_rw_generic_usb_dev(asterisk_t)
 dev_read_sysfs(asterisk_t)
 dev_read_sound(asterisk_t)
 dev_write_sound(asterisk_t)
+dev_read_rand(asterisk_t)
 dev_read_urand(asterisk_t)
 
 domain_use_interactive_fds(asterisk_t)
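Review bot: the commit message is empty and the subject only states that asterisk "requires" /dev/random; since `dev_read_urand(asterisk_t)` on the very next line already covers the non-blocking source, the message should name the asterisk component that opens /dev/random (or quote the denial) so a reviewer can judge whether the additional read access is really needed rather than a side effect of a fallback path.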
-- 
1.7.3.4


* [refpolicy] [PATCH 4/5] Add interfaces to manage attributes of asterisk log and pid files
From: Sven Vermeulen @ 2012-03-26 18:50 UTC (permalink / raw)
  To: refpolicy



Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 asterisk.if |   43 +++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 43 insertions(+), 0 deletions(-)

diff --git a/asterisk.if b/asterisk.if
index 8b8143e..bd6273f 100644
--- a/asterisk.if
+++ b/asterisk.if
@@ -90,3 +90,46 @@ interface(`asterisk_admin',`
 	files_list_pids($1)
 	admin_pattern($1, asterisk_var_run_t)
 ')
+
+#######################################
+## <summary>
+##   Allow changing the attributes of the asterisk log files and directories
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed to change the attributes of the asterisk log files and
+##     directories
+##   </summary>
+## </param>
+#
+interface(`asterisk_setattr_logs',`
+	gen_require(`
+		type asterisk_log_t;
+	')
+
+	setattr_files_pattern($1, asterisk_log_t, asterisk_log_t)
+	setattr_dirs_pattern($1, asterisk_log_t, asterisk_log_t)
+
+	logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+##   Allow changing the attributes of the asterisk PID files
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed to change the attributes of the asterisk PID files
+##   </summary>
+## </param>
+#
+interface(`asterisk_setattr_pid_files',`
+	gen_require(`
+		type asterisk_var_run_t;
+	')
+
+	setattr_files_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
+	setattr_dirs_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
+
+	files_search_pids($1)
+')
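Review bot: the summary of `asterisk_setattr_pid_files` says "PID files" only, yet the body also calls `setattr_dirs_pattern($1, asterisk_var_run_t, asterisk_var_run_t)`; either make the summary and the param description read "PID files and directories", matching the wording of `asterisk_setattr_logs`, or drop the dirs pattern if only the files are meant. Separately, the description lines inside the `## <summary>` blocks are indented with spaces while the interface bodies (and the existing `files_list_pids($1)` context lines) use tabs.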
-- 
1.7.3.4


* [refpolicy] [PATCH 5/5] Allow initrc to manage asterisk log and pid file attributes
From: Sven Vermeulen @ 2012-03-26 18:50 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.te |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b7fcbe3..dd37cf1 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -571,6 +571,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	asterisk_setattr_logs(initrc_t)
+	asterisk_setattr_pid_files(initrc_t)
+')
+
+optional_policy(`
 	bind_read_config(initrc_t)
 
 	# for chmod in start script
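Review bot: the new `optional_policy` block carries no comment saying why initrc_t needs setattr on the asterisk log and pid types, while the neighbouring bind block documents its rule with `# for chmod in start script`; add a similar comment (and a sentence in the empty commit body) naming the init-script step that changes ownership or mode, since that is what a later reader needs in order to decide whether the access can ever be dropped. Placing the block before the bind one keeps the alphabetical order of the optional_policy blocks.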
-- 
1.7.3.4


* [refpolicy] [PATCH 1/5] Allow asterisk to chown its own /var/run/asterisk directory
From: Christopher J. PeBenito @ 2012-04-20 20:37 UTC (permalink / raw)
  To: refpolicy

On 03/26/12 14:49, Sven Vermeulen wrote:
> During startup, asterisk verifies the ownership of its run-directory and, if not set correctly, changes it accordingly.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  asterisk.te |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/asterisk.te b/asterisk.te
> index 22d7cdf..c702879 100644
> --- a/asterisk.te
> +++ b/asterisk.te
> @@ -40,7 +40,7 @@ files_pid_file(asterisk_var_run_t)
>  #
>  
>  # dac_override for /var/run/asterisk
> -allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };
> +allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin chown };
>  dontaudit asterisk_t self:capability sys_tty_config;
>  allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
>  allow asterisk_t self:fifo_file rw_fifo_file_perms;

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 2/5] Allow asterisk to listen on its control socket
From: Christopher J. PeBenito @ 2012-04-20 20:37 UTC (permalink / raw)
  To: refpolicy

On 03/26/12 14:49, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  asterisk.te |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/asterisk.te b/asterisk.te
> index c702879..aac5a41 100644
> --- a/asterisk.te
> +++ b/asterisk.te
> @@ -46,7 +46,7 @@ allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
>  allow asterisk_t self:fifo_file rw_fifo_file_perms;
>  allow asterisk_t self:sem create_sem_perms;
>  allow asterisk_t self:shm create_shm_perms;
> -allow asterisk_t self:unix_stream_socket connectto;
> +allow asterisk_t self:unix_stream_socket { connectto listen accept };
>  allow asterisk_t self:tcp_socket create_stream_socket_perms;
>  allow asterisk_t self:udp_socket create_socket_perms;
  
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 3/5] Asterisk requires access to /dev/random too
From: Christopher J. PeBenito @ 2012-04-20 20:37 UTC (permalink / raw)
  To: refpolicy

On 03/26/12 14:50, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  asterisk.te |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/asterisk.te b/asterisk.te
> index aac5a41..dda6c5e 100644
> --- a/asterisk.te
> +++ b/asterisk.te
> @@ -117,6 +117,7 @@ dev_rw_generic_usb_dev(asterisk_t)
>  dev_read_sysfs(asterisk_t)
>  dev_read_sound(asterisk_t)
>  dev_write_sound(asterisk_t)
> +dev_read_rand(asterisk_t)
>  dev_read_urand(asterisk_t)
>  
>  domain_use_interactive_fds(asterisk_t)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 4/5] Add interfaces to manage attributes of asterisk log and pid files
From: Christopher J. PeBenito @ 2012-04-20 20:37 UTC (permalink / raw)
  To: refpolicy

On 03/26/12 14:50, Sven Vermeulen wrote:
> 
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  asterisk.if |   43 +++++++++++++++++++++++++++++++++++++++++++
>  1 files changed, 43 insertions(+), 0 deletions(-)

Merged.  Fixed whitespace and rearranged interfaces.

> diff --git a/asterisk.if b/asterisk.if
> index 8b8143e..bd6273f 100644
> --- a/asterisk.if
> +++ b/asterisk.if
> @@ -90,3 +90,46 @@ interface(`asterisk_admin',`
>  	files_list_pids($1)
>  	admin_pattern($1, asterisk_var_run_t)
>  ')
> +
> +#######################################
> +## <summary>
> +##   Allow changing the attributes of the asterisk log files and directories
> +## </summary>
> +## <param name="domain">
> +##   <summary>
> +##     Domain allowed to change the attributes of the asterisk log files and
> +##     directories
> +##   </summary>
> +## </param>
> +#
> +interface(`asterisk_setattr_logs',`
> +	gen_require(`
> +		type asterisk_log_t;
> +	')
> +
> +	setattr_files_pattern($1, asterisk_log_t, asterisk_log_t)
> +	setattr_dirs_pattern($1, asterisk_log_t, asterisk_log_t)
> +
> +	logging_search_logs($1)
> +')
> +
> +#######################################
> +## <summary>
> +##   Allow changing the attributes of the asterisk PID files
> +## </summary>
> +## <param name="domain">
> +##   <summary>
> +##     Domain allowed to change the attributes of the asterisk PID files
> +##   </summary>
> +## </param>
> +#
> +interface(`asterisk_setattr_pid_files',`
> +	gen_require(`
> +		type asterisk_var_run_t;
> +	')
> +
> +	setattr_files_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
> +	setattr_dirs_pattern($1, asterisk_var_run_t, asterisk_var_run_t)
> +
> +	files_search_pids($1)
> +')


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 5/5] Allow initrc to manage asterisk log and pid file attributes
From: Christopher J. PeBenito @ 2012-04-20 20:37 UTC (permalink / raw)
  To: refpolicy

On 03/26/12 14:50, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/init.te |    5 +++++
>  1 files changed, 5 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index b7fcbe3..dd37cf1 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -571,6 +571,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	asterisk_setattr_logs(initrc_t)
> +	asterisk_setattr_pid_files(initrc_t)
> +')
> +
> +optional_policy(`
>  	bind_read_config(initrc_t)
>  
>  	# for chmod in start script

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

