selinux-policy/strict/domains/program/unused/asterisk.te
2005-04-29 17:45:15 +00:00


#DESC Asterisk IP telephony server
#
# Author: Russell Coker <russell@coker.com.au>
#
# X-Debian-Packages: asterisk
# Confinement policy for the Asterisk daemon: the asterisk_t domain (declared
# by daemon_domain below) is granted only the files, sockets, ports and
# capabilities listed here; anything not listed is denied by default.

# Dedicated port label for Asterisk's own listening ports (bound below); the
# port numbers carrying this label are assigned elsewhere, not in this file.
type asterisk_port_t, port_type;
# Declares the asterisk_t domain and the asterisk_var_run_t type that the
# rules below use without a local declaration.
daemon_domain(asterisk)
# Unix socket and FIFO files under the daemon's /var/run directory; the init
# script domain may remove the FIFO (e.g. on stop/restart).
allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms;
allow initrc_t asterisk_var_run_t:fifo_file unlink;
# Lets the daemon change its own scheduling policy/priority (sys_nice below is
# the capability side of the same thing).
allow asterisk_t self:process setsched;
allow asterisk_t self:fifo_file rw_file_perms;
allow asterisk_t proc_t:file { getattr read };
# Runs helper programs from bin_t in its own domain (no domain transition).
# NOTE(review): this covers every bin_t binary, not just the ones Asterisk
# needs; a dedicated exec type for the helpers would be tighter if they are
# known.
allow asterisk_t { bin_t sbin_t }:dir search;
allow asterisk_t bin_t:lnk_file read;
can_exec(asterisk_t, bin_t)
# Per-daemon types for the daemon's /etc, /var/log and /var/lib directories.
etcdir_domain(asterisk)
logdir_domain(asterisk)
var_lib_domain(asterisk)
# Listening ports: the dedicated label first, then the generic port_t label.
allow asterisk_t asterisk_port_t:{ udp_socket tcp_socket } name_bind;
# for VOIP voice channels.
# NOTE(review): name_bind on port_t lets the domain bind any port that still
# carries the generic label, so asterisk_port_t only constrains ports that
# were given a label of their own; presumably the dynamic RTP media range is
# what needs port_t here - confirm and narrow if a fixed range is configured.
allow asterisk_t port_t:{ udp_socket tcp_socket } name_bind;
# Sound card access: symlinks under /dev plus the sound device nodes.
allow asterisk_t device_t:lnk_file read;
allow asterisk_t sound_device_t:chr_file rw_file_perms;
# Private spool type with full create/manage rights (sysadmfile so the admin
# role can manage it); var_spool_t search is needed to reach the directory.
type asterisk_spool_t, file_type, sysadmfile;
create_dir_file(asterisk_t, asterisk_spool_t)
allow asterisk_t var_spool_t:dir search;
# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
# are labeled usr_t
# NOTE(review): this grants read on every usr_t file, not only the sound
# files; labeling the sounds directory with its own type would be tighter.
allow asterisk_t usr_t:file r_file_perms;
# General network server access and NIS (ypbind) lookups.
can_network_server(asterisk_t)
can_ypbind(asterisk_t)
allow asterisk_t etc_t:file { getattr read };
# Control socket: the daemon may connect to its own unix stream socket, and
# the sysadm domain may connect to it as well; no other domain is granted this.
allow asterisk_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
# SysV semaphores and shared memory owned by the daemon itself.
allow asterisk_t self:sem create_sem_perms;
allow asterisk_t self:shm create_shm_perms;
# dac_override for /var/run/asterisk
# setuid/setgid are presumably for switching to an unprivileged user after
# start and sys_nice for scheduling priority - confirm against the daemon.
# NOTE(review): dac_override bypasses DAC permission checks on every file the
# domain can otherwise reach, not just /var/run/asterisk; if the directory's
# ownership can be fixed at install or in the init script, this capability
# can be dropped.
allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
# for shutdown
# Silenced rather than granted: the daemon asks for sys_tty_config on
# shutdown but does not need it to function.
dontaudit asterisk_t self:capability sys_tty_config;
# Private types for the daemon's tmpfs and /tmp files.
tmpfs_domain(asterisk)
tmp_domain(asterisk)