Monday, March 19, 2012

Asterisk 1.8 with SELinux on RHEL 6 / CentOS 6

Asterisk 1.8 is the current long term support (LTS) version of Asterisk. You can find it in the atrpms repository. Using atrpms requires a bit of ingenuity, since you must enable the yum priorities plugin. Here's how I've set up my yum priorities and excludes to play well with RHEL (a lower priority number wins):

# /etc/yum/pluginconf.d/rhnplugin.conf
priority = 9

# files in /etc/yum.repos.d - current samba and subversion override those of RHEL
sernet-samba - 5
wandisco - 6
rhnplugin - 9
centos-base - 20, includepkgs=xfs* fftw-* glpk-*
dell-firmware-repository - 30
dell-omsa-repository - 30
rpmforge-repo - 50, exclude=hdf5*
epel - 60, exclude=dahdi*
atrpms - 70

I'm using a bunch of non-redhat packages, including Asterisk, recent subversion, octave, xfs tools, and Dell server management tools.
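As an added illustration (not from the post) of how the priorities, excludes and includepkgs above interact, here is a small Python model of the yum-priorities decision. The repository table is copied from the list above; the package catalog is constructed sample data, not the real contents of those repositories.

```python
import fnmatch

# Added example: a model of how the yum-priorities plugin, together with
# includepkgs/exclude, decides which repository may supply a package.
# A lower priority number wins. CATALOG is constructed sample data.
REPOS = {
    "sernet-samba": {"priority": 5},
    "wandisco": {"priority": 6},
    "rhnplugin": {"priority": 9},
    "centos-base": {"priority": 20, "includepkgs": ["xfs*", "fftw-*", "glpk-*"]},
    "dell-firmware-repository": {"priority": 30},
    "dell-omsa-repository": {"priority": 30},
    "rpmforge-repo": {"priority": 50, "exclude": ["hdf5*"]},
    "epel": {"priority": 60, "exclude": ["dahdi*"]},
    "atrpms": {"priority": 70},
}

CATALOG = {
    "sernet-samba": ["samba"],
    "wandisco": ["subversion"],
    "rhnplugin": ["samba", "subversion"],
    "centos-base": ["xfsprogs", "fftw-devel", "kernel"],
    "dell-firmware-repository": ["srvadmin-base"],
    "dell-omsa-repository": ["srvadmin-base"],
    "rpmforge-repo": ["hdf5", "octave"],
    "epel": ["dahdi", "hdf5", "octave"],
    "atrpms": ["asterisk", "dahdi", "octave"],
}

def repo_offers(cfg, names):
    """Apply a repo's includepkgs/exclude globs; yum filters these first."""
    include = cfg.get("includepkgs")
    exclude = cfg.get("exclude", [])
    return [n for n in names
            if (not include or any(fnmatch.fnmatch(n, p) for p in include))
            and not any(fnmatch.fnmatch(n, p) for p in exclude)]

def resolve(repos, catalog):
    """Return {package: [repos allowed to supply it]}.
    Per package name only the repos sharing the lowest priority value
    survive; among those, yum's normal version comparison (not modelled
    here) picks the package."""
    best = {}
    for repo, names in catalog.items():
        prio = repos[repo]["priority"]
        for name in repo_offers(repos[repo], names):
            cur = best.get(name)
            if cur is None or prio < cur[0]:
                best[name] = (prio, [repo])
            elif prio == cur[0]:
                cur[1].append(repo)
    return {name: sorted(srcs) for name, (_, srcs) in best.items()}
```

Note that `exclude=dahdi*` on epel is what lets the atrpms dahdi packages through despite epel's better priority, and the centos-base `includepkgs` keeps its kernel out of the picture entirely.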

For Asterisk proper, I'm running an AGI caller ID script and a fax receiving script. The fax script uses CUPS to print. Those scripts require exceptions to the targeted SELinux policy. Note that the policy_module macro pulls in a large set of requires; had we used the plain module header, the require section would be many times longer.

# file asterisk-local.te
policy_module(asterisk-local, 1.10);


require {
        type asterisk_t;
        type asterisk_var_lib_t;
        type usr_t;
        type http_port_t;
}


# adds lpr_t to the system role, prevents this SELINUX_ERR:
# invalid context unconfined_u:system_r:lpr_t:s0
# for scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:lpr_exec_t:s0 tclass=process
role system_r types lpr_t;


# allow execution of agi scripts
allow asterisk_t asterisk_var_lib_t:file execute;
allow asterisk_t asterisk_var_lib_t:file execute_no_trans;
allow asterisk_t usr_t:file execute;
allow asterisk_t usr_t:file execute_no_trans;


# allow phone directory lookup via http
allow asterisk_t http_port_t:tcp_socket name_connect;


# allow printing
lpd_domtrans_lpr(asterisk_t)


This policy is a bit lax about executing stuff, but it's still way better than letting Asterisk run in totally permissive mode. It's a work in progress. Over time, as I learn SELinux, I'll set it up better.

To build and install it, this script will do:

#! /bin/bash
# Build the named policy module (default: asterisk-local) from the .te file
# in the current directory and load it into the running policy.
module=asterisk-local
[ "$1" ] && module="$1"
make -f /usr/share/selinux/devel/Makefile "$module.pp" && \
        semodule -i "$module.pp"
