Centos 6, Asterisk 1.8 and SELinux


#1

I’m trying to set up without resorting to disabling SELinux. It refused to write voicemail files for a while but a relabel fixed it, although I don’t quite understand why. Now it refuses to run agi scripts. I tried the audit2allow method against the log file without any luck. The agi directory and script have the following protections:

[code]drwxr-xr-x. root root system_u:object_r:asterisk_var_lib_t:s0 agi-bin
-rwxr-xr-x. root root unconfined_u:object_r:asterisk_var_lib_t:s0 astermail.agi[/code]

and here is the audit log message

So it seems that the asterisk process is using asterisk_t while the file and directory are asterisk_var_lib_t. I could go and study SELinux for another week and perhaps come up with a solution, but the worry is that I’ll go down some very non-optimal path. Surely whoever set up the SELinux rules for Asterisk and Centos 6 thought about agi.

I went down this path because the System() application doesn’t like really long command lines.

Any help is, of course, greatly appreciated.

An update of sorts. Talking to a colleague, it might be a disconnect between asterisk from source and the Centos asterisk policy module.


#2

So asterisk_t needed permission to access files with type asterisk_var_lib_t. This should have been in the default policy but it doesn’t seem to be the case.

So I used audit2allow more carefully to create a local policy addition that fixed it. To do this, I used the following:

[code]# generate asterisklocal.te (and a first asterisklocal.pp) from the logged denials
grep asterisk /var/log/audit/audit.log | audit2allow -M asterisklocal
# after editing asterisklocal.te, rebuild the module and install it
checkmodule -M -m -o asterisklocal.mod asterisklocal.te
semodule_package -o asterisklocal.pp -m asterisklocal.mod
semodule -i asterisklocal.pp[/code]

I also gave asterisk read, open and getattr permissions to the files for good measure. That might not have been required.

There’s probably a more elegant solution (like hand-creating the .te file) but I’m in learning mode when it comes to SELinux.

It appears that most sysadmins just setenforce 0.
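The step post #2 leaves to audit2allow (turning AVC denials into allow rules for a local module) is shown below as an added example; it is not the poster's script and not the real audit2allow or checkmodule code. It parses AVC records, merges them by source type, target type and object class, and emits a .te file in the shape audit2allow -M produces, but with a filter on the target type so you grant only what you meant to (here asterisk_var_lib_t, the type from post #1). The audit lines are constructed: the thread's real log message was not posted, and the sendmail/mqueue_spool_t denial and the SYSCALL record are made up to show why a blanket "grep asterisk | audit2allow" can pick up more than the AGI problem (post #3's "couple of dozen denials").

```python
"""Tiny audit2allow-style converter for the thread's SELinux problem.

Added example, not the poster's script and not the real audit2allow or
checkmodule tooling.  It reads AVC denial lines, groups them by
(source type, target type, class), optionally keeps only the target types
you actually intend to grant, and prints a .te file in the same shape that
audit2allow -M produces.  The audit lines are constructed to match the
denial described in post #1 (asterisk_t vs. asterisk_var_lib_t).
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log content (not from the thread).
# The last two lines show why piping "grep asterisk" straight into audit2allow
# is risky: the sendmail denial also carries asterisk_t in its scontext, and
# the SYSCALL record is noise that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1330000000.123:456): avc:  denied  { getattr } for  pid=1234 comm="asterisk" path="/var/lib/asterisk/agi-bin/astermail.agi" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=unconfined_u:object_r:asterisk_var_lib_t:s0 tclass=file
type=AVC msg=audit(1330000000.124:457): avc:  denied  { read open } for  pid=1234 comm="asterisk" name="astermail.agi" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=unconfined_u:object_r:asterisk_var_lib_t:s0 tclass=file
type=AVC msg=audit(1330000000.125:458): avc:  denied  { search } for  pid=1234 comm="asterisk" name="agi-bin" dev=dm-0 ino=1200 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:asterisk_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1330000000.200:459): avc:  denied  { write } for  pid=1300 comm="sendmail" name="mqueue" dev=dm-0 ino=9999 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1330000000.124:457): arch=c000003e syscall=2 success=no exit=-13 comm="asterisk" subj=unconfined_u:system_r:asterisk_t:s0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Third field of user:role:type:level is the type that policy rules name."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (source type, target type, class, permissions) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (context_type(m["scontext"]), context_type(m["tcontext"]),
            m["tclass"], set(m["perms"].split()))


def collect_rules(lines, target_types=None):
    """Merge denials into {(stype, ttype, tclass): perms}; optionally keep only target_types."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        if target_types is not None and ttype not in target_types:
            continue  # a denial we did not set out to fix: review it separately
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def perm_str(perms):
    """Render permissions as audit2allow does: a bare name, or { a b c } sorted."""
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def render_te(rules, module_name, version="1.0"):
    """Emit policy module source (.te): header, require block, allow rules."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {perm_str(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {perm_str(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Grant only the type we meant to open up; the sendmail/mqueue denial is dropped.
    rules = collect_rules(SAMPLE_AUDIT_LOG.splitlines(), target_types={"asterisk_var_lib_t"})
    print(render_te(rules, "asterisklocal"), end="")
```

Save the printed text as asterisklocal.te and build and install it with the checkmodule, semodule_package and semodule commands from post #2; `semodule -l | grep asterisklocal` confirms the module is loaded, and `ausearch -m avc -ts recent` shows whether the AGI call still trips a denial. Two caveats a practitioner would want: denials covered by a dontaudit rule in the base policy do not reach the log at all until dontaudit is switched off (as post #3 found with `semanage dontaudit off`), and the target-type filter is the part that turns a pile of denials into a set small enough to read before you allow it, which is what keeps this from being `setenforce 0` with extra steps.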


#3

Next issue: The AGI Python program invokes the os.system() call to send a mail message. With the standard settings SELinux denies access without logging anything. Using semanage dontaudit off allowed me to see a couple of dozen denials in the log. That’s too much, I think. Maybe I’ll just use setenforce 0 or do audit only. I’m sick and tired of fighting with SELinux and seem to have spent more time trying to make it work than I have with any other aspect of the system.

The problem is only when the mail message I’m trying to send has an attachment. I wrote the AGI because I thought that the system command from the dial plan wouldn’t take a really long line. It turns out that the long line was the attachment path and filename, and that was really the problem.