* [refpolicy] [PATCH v2 0/2] Asterisk administration update
@ 2011-10-03 19:22 Sven Vermeulen
2011-10-03 19:24 ` [refpolicy] [PATCH v2 1/2] Asterisk admin must be able to run 'asterisk -r' Sven Vermeulen
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Sven Vermeulen @ 2011-10-03 19:22 UTC (permalink / raw)
To: refpolicy
Two small patches, deprecating the previous attempt to get "asterisk -r"
working on a system. As per the feedback received from Dominick Grift, this
patch (1.) marks the "asterisk" binary as an application_exec_type so it can be
executed by user domains, and (2.) assigns the asterisk_stream_connect
privilege to the sysadm_t domain.
The latter part is not mandatory - I'm not sure if it is needed to give
sysadm this privilege (if the purpose of the policy is to support services
as-is, then yes, but if you want to keep it minimalistic, then no). If not,
just ignore this second patch-part then ;-)
Wkr,
Sven Vermeulen
* [refpolicy] [PATCH v2 1/2] Asterisk admin must be able to run 'asterisk -r'
From: Sven Vermeulen @ 2011-10-03 19:24 UTC (permalink / raw)
To: refpolicy
One of the most frequently run commands by asterisk administrators is to
run 'asterisk -r' to manipulate (through the asterisk socket) the
asterisk daemon (sort-of asterisk-specific shell support).
We mark the asterisk_exec_t type as an application_exec_type so that it
can be executed by the user domains.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
asterisk.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/asterisk.te b/asterisk.te
index b3b0176..6f6c42c 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -8,6 +8,7 @@ policy_module(asterisk, 1.9.0)
type asterisk_t;
type asterisk_exec_t;
init_daemon_domain(asterisk_t, asterisk_exec_t)
+application_executable_file(asterisk_exec_t)
type asterisk_etc_t;
files_config_file(asterisk_etc_t)
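Review bot: the added application_executable_file(asterisk_exec_t) line sits directly under init_daemon_domain(asterisk_t, asterisk_exec_t) with no comment, so the same type is now both the daemon entry point and something user domains may execute, and a later reader of asterisk.te cannot tell that this is deliberate. Add a one-line comment above it saying it exists for the 'asterisk -r' console client. The subject speaks of the asterisk admin while the message says the type becomes executable by the user domains in general; the message should state which of the two is intended, and mention that executing the binary is only half of 'asterisk -r', since the caller still needs access to the asterisk socket.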
--
1.7.3.4
* [refpolicy] [PATCH v2 2/2] Allow sysadm to interact with asterisk
From: Sven Vermeulen @ 2011-10-03 19:24 UTC (permalink / raw)
To: refpolicy
When administering asterisk, one often-run command is "asterisk -r"
which yields the asterisk CLI (when the asterisk server is running). To
be able to run this, you need asterisk_stream_connect privileges.
Assign these privileges to the sysadm_r
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/roles/sysadm.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 954417f..7a5c40b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -86,6 +86,10 @@ optional_policy(`
')
optional_policy(`
+ asterisk_stream_connect(sysadm_t)
+')
+
+optional_policy(`
auditadm_role_change(sysadm_r)
')
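Review bot: the commit message says the privileges are assigned to sysadm_r, but the added line is asterisk_stream_connect(sysadm_t); the grant goes to the type, not the role, and the cover letter also names sysadm_t, so the message should say sysadm_t. The new optional_policy block also gives no reason for itself; a short comment inside it noting that the connect permission is needed for 'asterisk -r' would keep the purpose visible in sysadm.te.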
--
1.7.3.4
* [refpolicy] [PATCH v2 0/2] Asterisk administration update
From: Christopher J. PeBenito @ 2011-10-25 13:51 UTC (permalink / raw)
To: refpolicy
On 10/03/11 15:22, Sven Vermeulen wrote:
> Two small patches, deprecating the previous attempt to get "asterisk -r"
> working on a system. As per the feedback received from Dominick Grift, this
> patch (1.) marks the "asterisk" binary as an application_exec_type so it can be
> executed by user domains, and (2.) assigns the asterisk_stream_connect
> privilege to the sysadm_t domain.
>
> The latter part is not mandatory - I'm not sure if it is needed to give
> sysadm this privilege (if the purpose of the policy is to support services
> as-is, then yes, but if you want to keep it minimalistic, then no). If not,
> just ignore this second patch-part then ;-)
This set is merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com