ada61e1529
asterisk_manage_lib_files(logrotate_t) asterisk_exec(logrotate_t) Needs net_admin Drops capabilities connects to unix_stream execs itself Requests kernel load modules Execs shells Connects to postgresql and snmp ports Reads urand and generic usb devices Has mysql and postgresql back ends sends mail
166 lines
4.9 KiB
Plaintext
166 lines
4.9 KiB
Plaintext
|
|
policy_module(asterisk, 1.7.2)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type asterisk_t;
|
|
type asterisk_exec_t;
|
|
init_daemon_domain(asterisk_t, asterisk_exec_t)
|
|
|
|
type asterisk_etc_t;
|
|
files_config_file(asterisk_etc_t)
|
|
|
|
type asterisk_initrc_exec_t;
|
|
init_script_file(asterisk_initrc_exec_t)
|
|
|
|
type asterisk_log_t;
|
|
logging_log_file(asterisk_log_t)
|
|
|
|
type asterisk_spool_t;
|
|
files_type(asterisk_spool_t)
|
|
|
|
type asterisk_tmp_t;
|
|
files_tmp_file(asterisk_tmp_t)
|
|
|
|
type asterisk_tmpfs_t;
|
|
files_tmpfs_file(asterisk_tmpfs_t)
|
|
|
|
type asterisk_var_lib_t;
|
|
files_type(asterisk_var_lib_t)
|
|
|
|
type asterisk_var_run_t;
|
|
files_pid_file(asterisk_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
# dac_override for /var/run/asterisk
|
|
allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };
|
|
dontaudit asterisk_t self:capability sys_tty_config;
|
|
allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
|
|
allow asterisk_t self:fifo_file rw_fifo_file_perms;
|
|
allow asterisk_t self:sem create_sem_perms;
|
|
allow asterisk_t self:shm create_shm_perms;
|
|
allow asterisk_t self:unix_stream_socket connectto;
|
|
allow asterisk_t self:tcp_socket create_stream_socket_perms;
|
|
allow asterisk_t self:udp_socket create_socket_perms;
|
|
|
|
allow asterisk_t asterisk_etc_t:dir list_dir_perms;
|
|
read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
|
|
read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
|
|
files_search_etc(asterisk_t)
|
|
|
|
can_exec(asterisk_t, asterisk_exec_t)
|
|
|
|
manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
|
|
logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir })
|
|
|
|
manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
|
|
manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
|
|
manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
|
|
|
|
manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
|
|
manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
|
|
files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
|
|
manage_lnk_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
|
|
manage_fifo_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
|
|
manage_sock_files_pattern(asterisk_t, asterisk_tmpfs_t, asterisk_tmpfs_t)
|
|
fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
|
|
|
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
|
|
files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
|
|
|
|
manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
|
|
manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
|
|
manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
|
|
files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
|
|
|
|
kernel_read_system_state(asterisk_t)
|
|
kernel_read_kernel_sysctls(asterisk_t)
|
|
kernel_request_load_module(asterisk_t)
|
|
|
|
corecmd_exec_bin(asterisk_t)
|
|
corecmd_exec_shell(asterisk_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(asterisk_t)
|
|
corenet_all_recvfrom_netlabel(asterisk_t)
|
|
corenet_tcp_sendrecv_generic_if(asterisk_t)
|
|
corenet_udp_sendrecv_generic_if(asterisk_t)
|
|
corenet_tcp_sendrecv_generic_node(asterisk_t)
|
|
corenet_udp_sendrecv_generic_node(asterisk_t)
|
|
corenet_tcp_sendrecv_all_ports(asterisk_t)
|
|
corenet_udp_sendrecv_all_ports(asterisk_t)
|
|
corenet_tcp_bind_generic_node(asterisk_t)
|
|
corenet_udp_bind_generic_node(asterisk_t)
|
|
corenet_tcp_bind_asterisk_port(asterisk_t)
|
|
corenet_udp_bind_asterisk_port(asterisk_t)
|
|
corenet_udp_bind_sip_port(asterisk_t)
|
|
corenet_sendrecv_asterisk_server_packets(asterisk_t)
|
|
# for VOIP voice channels.
|
|
corenet_tcp_bind_generic_port(asterisk_t)
|
|
corenet_udp_bind_generic_port(asterisk_t)
|
|
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
|
|
corenet_sendrecv_generic_server_packets(asterisk_t)
|
|
corenet_tcp_connect_postgresql_port(asterisk_t)
|
|
corenet_tcp_connect_snmp_port(asterisk_t)
|
|
|
|
dev_rw_generic_usb_dev(asterisk_t)
|
|
dev_read_sysfs(asterisk_t)
|
|
dev_read_sound(asterisk_t)
|
|
dev_write_sound(asterisk_t)
|
|
dev_read_urand(asterisk_t)
|
|
|
|
domain_use_interactive_fds(asterisk_t)
|
|
|
|
files_read_etc_files(asterisk_t)
|
|
files_search_spool(asterisk_t)
|
|
# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
|
|
# are labeled usr_t
|
|
files_read_usr_files(asterisk_t)
|
|
|
|
fs_getattr_all_fs(asterisk_t)
|
|
fs_list_inotifyfs(asterisk_t)
|
|
fs_read_anon_inodefs_files(asterisk_t)
|
|
fs_search_auto_mountpoints(asterisk_t)
|
|
|
|
auth_use_nsswitch(asterisk_t)
|
|
|
|
logging_send_syslog_msg(asterisk_t)
|
|
|
|
miscfiles_read_localization(asterisk_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
|
|
userdom_dontaudit_search_user_home_dirs(asterisk_t)
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(asterisk_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_send_mail(asterisk_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
postgresql_stream_connect(asterisk_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(asterisk_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
snmp_read_snmp_var_lib_files(asterisk_t)
|
|
snmp_stream_connect(asterisk_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(asterisk_t)
|
|
')
|