Skip to main content

Asterisk 1.8 with SELinux on RHEL 6 / CentOS 6

Asterisk 1.8 is the current long term support (LTS) version of Asterisk. You can find it in the atrpms repository. Using atrpms requires a bit of ingenuity, since you must enable yum priorities. Here's how I've set up my yum priorities and excludes to play well with RHEL (lower priority is higher):

# /etc/yum/pluginconf.d/rhnplugin.conf
priority = 9

# files in /etc/yum/repos.d - current samba and subversion override those of RHEL
sernet-samba - 5
wandisco - 6
rhnplugin - 9
centos-base - 20, includepkgs=xfs* fftw-* glpk-*
dell-firmware-repository - 30
dell-omsa-repository - 30
rpmforge-repo - 50, exclude=hdf5*
epel - 60, exclude=dahdi*
atrpms - 70

I'm using a bunch of non-redhat packages, including Asterisk, recent subversion, octave, xfs tools, and Dell server management tools.

For Asterisk proper, I'm running an AGI caller id script, and a fax receiving script. The fax script uses cups to print. Those scripts require exceptions to the targeted SELinux policy. Note that the policy_module macro pulls in a big bunch of requires; had we used the plain module header the require section would be many times longer.

# file asterisk-local.te
policy_module(asterisk-local, 1.10);


require {
        type asterisk_t;
        type asterisk_var_lib_t;
        type usr_t;
        type http_port_t;
}


# adds lpr_t to the system role, prevents this SELINUX_ERR:
# invalid context unconfined_u:system_r:lpr_t:s0
# for scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:lpr_exec_t:s0 tclass=process
role system_r types lpr_t;


# allow execution of agi scripts
allow asterisk_t asterisk_var_lib_t:file execute;
allow asterisk_t asterisk_var_lib_t:file execute_no_trans;
allow asterisk_t usr_t:file execute;
allow asterisk_t usr_t:file execute_no_trans;


# allow phone directory lookup via http
allow asterisk_t http_port_t:tcp_socket name_connect;


# allow printing
lpd_domtrans_lpr(asterisk_t)


This policy is a bit lax about executing stuff, but it's still way better than letting asterisk run in totally permissive mode. It's a work in progress. Over time as I learn selinux I'll set it up better.

To build and install it, this script will do:

#! /bin/bash
module=asterisk-local
[ "$1" ] && module="$1"
make -f /usr/share/selinux/devel/Makefile && \
        semodule -i $module.pp

Comments

Popular posts from this blog

Both INCLUDEPATH and DEPENDPATH are usually needed in qmake .pro project files.

qmake, the build tool provided with the Qt toolkit, converts project files written in its own mini-language to platform-specific Makefiles.

This process includes adding necessary dependencies to the Makefile, so that changes in source files trigger rebuilding of the outputs that depend on said sources.

If your project is spread across directories, you'll likely add an INCLUDEPATH line to your .pro file so that the #include directives look sane -- say #include "library/foo.h" instead of #include "../library/foo.h". This can be done by adding INCLUDEPATH += "../" to the .pro project file.

This, by itself, doesn't cause the files in include directories to be treated as dependencies. This is a sane default, since you likely don't want to rebuild your whole project if a system library changes -- assuming, of course, that the library is meant to stay binary compatible between releases!

Thus, if any of your source files references a file from somewhe…

Details of Migrating Zimbra 6 to Zimbra 8

I have a small Zimbra system that needed to be migrated from 6.0 to 8.0. Generally:
You must update to 6.0.16 on the source system. The account export functionality is broken in versions prior to 6.0.15 and will fail on some accounts.Start with a fresh 8.0 install. On a small system (dozens of users), that seems like the simplest option.Keep the 6.0 system running. Use the migration wizard in 8.0's admin console (Tools & Migration -> Account Migration) to move over account records only.
Set "type of mail server" to Zimbra Collaboration Suite. Set "would you like to import mail" to No.Import from another Zimbra LDAP directory.Set the LDAP Search Base to "dc=foo,dc=com" where foo.com would be your domain. This saves work on manually moving accounts between systems.
To move account contents and filter settings between servers, you can do the following on the source server:
su - zimbra
ACCT=user@foo.com      # account to move
DEST=root@destination  # ss…