Asterisk patch from Dan Walsh.
asterisk_manage_lib_files(logrotate_t); asterisk_exec(logrotate_t). Needs net_admin; drops capabilities; connects to its own unix_stream socket; execs itself; requests kernel module loads; execs shells; connects to the postgresql and snmp ports; reads urand and generic usb devices; has mysql and postgresql back ends; sends mail.
This commit is contained in:
parent
24e0b9b3a4
commit
ada61e1529
@ -1,5 +1,24 @@
|
|||||||
## <summary>Asterisk IP telephony server</summary>
|
## <summary>Asterisk IP telephony server</summary>
|
||||||
|
|
||||||
|
######################################
|
||||||
|
## <summary>
|
||||||
|
## Execute asterisk in the asterisk domain.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`asterisk_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type asterisk_t, asterisk_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
corecmd_search_bin($1)
|
||||||
|
domtrans_pattern($1, asterisk_exec_t, asterisk_t)
|
||||||
|
')
|
||||||
|
|
||||||
#####################################
|
#####################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Connect to asterisk over a unix domain
|
## Connect to asterisk over a unix domain
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(asterisk, 1.7.1)
|
policy_module(asterisk, 1.7.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
@ -40,12 +40,13 @@ files_pid_file(asterisk_var_run_t)
|
|||||||
#
|
#
|
||||||
|
|
||||||
# dac_override for /var/run/asterisk
|
# dac_override for /var/run/asterisk
|
||||||
allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
|
allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };
|
||||||
dontaudit asterisk_t self:capability sys_tty_config;
|
dontaudit asterisk_t self:capability sys_tty_config;
|
||||||
allow asterisk_t self:process { setsched signal_perms };
|
allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
|
||||||
allow asterisk_t self:fifo_file rw_fifo_file_perms;
|
allow asterisk_t self:fifo_file rw_fifo_file_perms;
|
||||||
allow asterisk_t self:sem create_sem_perms;
|
allow asterisk_t self:sem create_sem_perms;
|
||||||
allow asterisk_t self:shm create_shm_perms;
|
allow asterisk_t self:shm create_shm_perms;
|
||||||
|
allow asterisk_t self:unix_stream_socket connectto;
|
||||||
allow asterisk_t self:tcp_socket create_stream_socket_perms;
|
allow asterisk_t self:tcp_socket create_stream_socket_perms;
|
||||||
allow asterisk_t self:udp_socket create_socket_perms;
|
allow asterisk_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
@ -54,6 +55,8 @@ read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
|
|||||||
read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
|
read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
|
||||||
files_search_etc(asterisk_t)
|
files_search_etc(asterisk_t)
|
||||||
|
|
||||||
|
can_exec(asterisk_t, asterisk_exec_t)
|
||||||
|
|
||||||
manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
|
manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
|
||||||
logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir })
|
logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir })
|
||||||
|
|
||||||
@ -81,9 +84,10 @@ files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
|
|||||||
|
|
||||||
kernel_read_system_state(asterisk_t)
|
kernel_read_system_state(asterisk_t)
|
||||||
kernel_read_kernel_sysctls(asterisk_t)
|
kernel_read_kernel_sysctls(asterisk_t)
|
||||||
|
kernel_request_load_module(asterisk_t)
|
||||||
|
|
||||||
corecmd_exec_bin(asterisk_t)
|
corecmd_exec_bin(asterisk_t)
|
||||||
corecmd_search_bin(asterisk_t)
|
corecmd_exec_shell(asterisk_t)
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(asterisk_t)
|
corenet_all_recvfrom_unlabeled(asterisk_t)
|
||||||
corenet_all_recvfrom_netlabel(asterisk_t)
|
corenet_all_recvfrom_netlabel(asterisk_t)
|
||||||
@ -104,10 +108,14 @@ corenet_tcp_bind_generic_port(asterisk_t)
|
|||||||
corenet_udp_bind_generic_port(asterisk_t)
|
corenet_udp_bind_generic_port(asterisk_t)
|
||||||
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
|
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
|
||||||
corenet_sendrecv_generic_server_packets(asterisk_t)
|
corenet_sendrecv_generic_server_packets(asterisk_t)
|
||||||
|
corenet_tcp_connect_postgresql_port(asterisk_t)
|
||||||
|
corenet_tcp_connect_snmp_port(asterisk_t)
|
||||||
|
|
||||||
|
dev_rw_generic_usb_dev(asterisk_t)
|
||||||
dev_read_sysfs(asterisk_t)
|
dev_read_sysfs(asterisk_t)
|
||||||
dev_read_sound(asterisk_t)
|
dev_read_sound(asterisk_t)
|
||||||
dev_write_sound(asterisk_t)
|
dev_write_sound(asterisk_t)
|
||||||
|
dev_read_urand(asterisk_t)
|
||||||
|
|
||||||
domain_use_interactive_fds(asterisk_t)
|
domain_use_interactive_fds(asterisk_t)
|
||||||
|
|
||||||
@ -118,19 +126,29 @@ files_search_spool(asterisk_t)
|
|||||||
files_read_usr_files(asterisk_t)
|
files_read_usr_files(asterisk_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(asterisk_t)
|
fs_getattr_all_fs(asterisk_t)
|
||||||
|
fs_list_inotifyfs(asterisk_t)
|
||||||
|
fs_read_anon_inodefs_files(asterisk_t)
|
||||||
fs_search_auto_mountpoints(asterisk_t)
|
fs_search_auto_mountpoints(asterisk_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(asterisk_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(asterisk_t)
|
logging_send_syslog_msg(asterisk_t)
|
||||||
|
|
||||||
miscfiles_read_localization(asterisk_t)
|
miscfiles_read_localization(asterisk_t)
|
||||||
|
|
||||||
sysnet_read_config(asterisk_t)
|
|
||||||
|
|
||||||
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
|
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
|
||||||
userdom_dontaudit_search_user_home_dirs(asterisk_t)
|
userdom_dontaudit_search_user_home_dirs(asterisk_t)
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
nis_use_ypbind(asterisk_t)
|
mysql_stream_connect(asterisk_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
mta_send_mail(asterisk_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
postgresql_stream_connect(asterisk_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@ -138,10 +156,10 @@ optional_policy(`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
udev_read_db(asterisk_t)
|
snmp_read_snmp_var_lib_files(asterisk_t)
|
||||||
|
snmp_stream_connect(asterisk_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
optional_policy(`
|
||||||
allow initrc_t asterisk_var_run_t:fifo_file unlink;
|
udev_read_db(asterisk_t)
|
||||||
allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
|
||||||
')
|
')
|
||||||
|
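Review bot: The `net_admin` added to the `allow asterisk_t self:capability { ... }` line in the -40,12 hunk carries no justification, while the comment directly above it (`# dac_override for /var/run/asterisk`) explains only dac_override; net_admin is a broad capability, so a one-line reason belongs next to it, e.g. `# net_admin: <REASON — fill in from the AVC denial that required it>`. If that denial comes only from a setsockopt asterisk tolerates failing, a `dontaudit asterisk_t self:capability net_admin;` beside the existing `sys_tty_config` dontaudit would be the tighter choice than granting it. The same "say why" comment is missing for `kernel_request_load_module(asterisk_t)` in the -81,9 hunk and `dev_rw_generic_usb_dev(asterisk_t)` in the -104,10 hunk, both of which widen the domain noticeably. The module body continues outside these hunks, so other rules for asterisk_t are not visible here.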