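#DESC Asterisk IP telephony server
#
# Author: Russell Coker
#
# X-Debian-Packages: asterisk
#
# Type-enforcement policy for the Asterisk daemon (domain asterisk_t).
# The *_domain() and can_*() calls are policy macros defined outside this
# file; the derived type names used below (asterisk_var_run_t etc.) are
# presumably declared by them - confirm against the macro definitions.

# Declare the daemon domain. asterisk_var_run_t is used below without a
# local "type" statement, so it is presumably created by this macro.
daemon_domain(asterisk)

# Runtime directory: the daemon creates its control socket and FIFOs here.
allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms;
# Lets the init script domain remove a FIFO left in the runtime directory.
allow initrc_t asterisk_var_run_t:fifo_file unlink;

# Process scheduling and unnamed pipes within the domain itself.
allow asterisk_t self:process setsched;
allow asterisk_t self:fifo_file rw_file_perms;

# Read-only access to files labeled proc_t.
allow asterisk_t proc_t:file { getattr read };

# Locate and execute helper programs labeled bin_t. Execution is granted
# for bin_t only; sbin_t directories are searchable but not executable from.
allow asterisk_t { bin_t sbin_t }:dir search;
allow asterisk_t bin_t:lnk_file read;
can_exec(asterisk_t, bin_t)

# Per-daemon configuration, log and state directories.
etcdir_domain(asterisk)
logdir_domain(asterisk)
var_lib_domain(asterisk)

# Bind to the ports labeled specifically for Asterisk.
allow asterisk_t asterisk_port_t:{ udp_socket tcp_socket } name_bind;

# for VOIP voice channels.
# NOTE(review): port_t is the generic port label, so this rule allows the
# daemon to bind any port carrying that label, over TCP as well as UDP.
# The comment above only justifies voice channels - confirm whether the
# tcp_socket half is needed, and whether the media port range could get
# its own port type instead.
allow asterisk_t port_t:{ udp_socket tcp_socket } name_bind;

# Sound hardware: follow symlinks labeled device_t and read/write the
# sound character devices.
allow asterisk_t device_t:lnk_file read;
allow asterisk_t sound_device_t:chr_file rw_file_perms;

# Spool area: a dedicated type declared here, with full directory/file
# management for the daemon, plus search on the parent var_spool_t.
type asterisk_spool_t, file_type, sysadmfile;
create_dir_file(asterisk_t, asterisk_spool_t)
allow asterisk_t var_spool_t:dir search;

# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
# are labeled usr_t
# This grants read on every usr_t file, not only the demo sounds.
allow asterisk_t usr_t:file r_file_perms;

# Network server access and NIS lookups.
can_network_server(asterisk_t)
can_ypbind(asterisk_t)
allow asterisk_t etc_t:file { getattr read };

# Unix stream sockets: the daemon talks to itself, and sysadm_t may connect
# to the daemon's socket (presumably for the administrative console -
# verify against how the control socket is used).
allow asterisk_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };

# System V IPC within the domain.
allow asterisk_t self:sem create_sem_perms;
allow asterisk_t self:shm create_shm_perms;

# dac_override for /var/run/asterisk
# NOTE(review): dac_override is granted to the whole domain, not just for
# that directory; it lets the daemon bypass Unix permission checks on any
# object the TE rules already allow. If the need is only an ownership
# mismatch on /var/run/asterisk, fixing the directory's owner/mode may let
# this capability be dropped - verify before changing.
# setgid/setuid are presumably for dropping privileges after start, and
# sys_nice pairs with the setsched permission above - confirm.
allow asterisk_t self:capability { dac_override setgid setuid sys_nice };

# for shutdown
# dontaudit only silences the denial in the audit log; the capability
# itself stays denied.
dontaudit asterisk_t self:capability sys_tty_config;

# Private tmpfs and /tmp types for the daemon.
tmpfs_domain(asterisk)
tmp_domain(asterisk)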