ada61e1529
asterisk_manage_lib_files(logrotate_t)
asterisk_exec(logrotate_t)
Needs net_admin
Drops capabilities
connects to unix_stream
execs itself
Requests kernel load modules
Execs shells
Connects to postgresql and snmp ports
Reads urand and generic usb devices
Has mysql and postgresql back ends
sends mail
93 lines
2.0 KiB
Plaintext
93 lines
2.0 KiB
Plaintext
## <summary>Asterisk IP telephony server</summary>
|
|
|
|
######################################
|
|
## <summary>
|
|
## Execute asterisk in the asterisk domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`asterisk_domtrans',`
|
|
gen_require(`
|
|
type asterisk_t, asterisk_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, asterisk_exec_t, asterisk_t)
|
|
')
|
|
|
|
#####################################
|
|
## <summary>
|
|
## Connect to asterisk over a unix domain
|
|
## stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`asterisk_stream_connect',`
|
|
gen_require(`
|
|
type asterisk_t, asterisk_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to administrate
|
|
## an asterisk environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## The role to be allowed to manage the asterisk domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`asterisk_admin',`
|
|
gen_require(`
|
|
type asterisk_t, asterisk_var_run_t, asterisk_spool_t;
|
|
type asterisk_etc_t, asterisk_tmp_t, asterisk_log_t;
|
|
type asterisk_var_lib_t;
|
|
type asterisk_initrc_exec_t;
|
|
')
|
|
|
|
allow $1 asterisk_t:process { ptrace signal_perms getattr };
|
|
ps_process_pattern($1, asterisk_t)
|
|
|
|
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 asterisk_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
files_list_tmp($1)
|
|
admin_pattern($1, asterisk_tmp_t)
|
|
|
|
files_list_etc($1)
|
|
admin_pattern($1, asterisk_etc_t)
|
|
|
|
logging_list_logs($1)
|
|
admin_pattern($1, asterisk_log_t)
|
|
|
|
files_list_spool($1)
|
|
admin_pattern($1, asterisk_spool_t)
|
|
|
|
files_list_var_lib($1)
|
|
admin_pattern($1, asterisk_var_lib_t)
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, asterisk_var_run_t)
|
|
')
|