Running Asterisk with chan_mobile as non-root

I am trying to install asterisk including the chan_mobile module. While testing the configuration I’ve been running asterisk as root from the command line. All is working well but I now want to run asterisk from systemd with a non-root user account but chan_mobile refuses to load. I’ve tried various steps and have made some progress but still without success. Details follow. Can anyone help?

I’m running Fedora Server 35 on a 64bit intel architecture. I’ve installed asterisk from the Fedora repository. I’ve configured asterisk by editing files in /etc/asterisk and paired a mobile phone using bluetoothctl. When I run asterisk from the command line as root I can make calls that bridge SIP with mobile phone calls.

Failure one - simply running asterisk as user.group ‘asterisk.asterisk’ by starting the service using systemctl. The chan_mobile module fails attempting to connect to /var/run/sdp. So, at this point it seems that chan_mobile is using a long deprecated API for communicating with bluetooth and I guess this is the root of all problems…

Fix one - chmod the /var/run/sdp socket to allow non-root processes to read/write.

Failure two - now chan_mobile can connect to sdp but I get a load of selinux error reports as chan_mobile attempts to connect to the bluetooth adapter.

Fix two - temporarily put selinux into permissive mode.

Failure three - now chan_mobile manages to connect to sdp and then to the bluetooth adapter but fails to find out the correct voice setting and refuses to load. Here is the output from the log:
[2022-05-09 13:19:47] ERROR[3868] chan_mobile.c: Skipping adapter blue. Voice setting must be 0x0060 - see ‘man hciconfig’ for details. (BTW hciconfig is a deprecated tool.)

Any ideas how to get past this third error?

I think the only fully functional way of running Asterisk as non-root is to start it as root and use its configuration to set the final user and group. I don’t guarantee that will work with chan_mobile, and suspect you will have difficulty finding anyone here who is familiar with it.

Thanks! I’ve configured asterisk to switch into ‘asterisk.asterisk’ user.group after starting and started it as root from the command line. It works! ps -fe shows that it has switched user successfully and chan_mobile reports successful connection to the phone. I assume it stays as root long enough to set up all the bluetooth stuff.

So, next I’ll reconfigure the systemd service file to start as root.root. I’ll let you know how that goes…

Hmmm…

I edited file://pbx/usr/lib/systemd/system/asterisk.service getting it to start as root.root
That doesn’t fully work - chan_mobile CAN access the sdp port without having to chmod it and it CAN connect to the bluetooth hardware without disabling SELinux. But, it fails the same way as ‘failure 3’ in my original post - “chan_mobile.c: Skipping adapter blue. Voice setting must be 0x0060”

So, I commented out the statements in asterisk.conf that switch user and restarted the asterisk service. It fails in the same way. It seems that the failure is NOT about running/not running as root. There is some other issue causing the problem.

Just in case someone has the insight I lack I’ll paste below the service config file. Is there an issue with the command line or environment? This is the stock file from the asterisk package in the Fedora repository but with the user and group changed to root.

[Unit]
Description=Asterisk PBX and telephony daemon.
After=nss-lookup.target

[Service]
Type=simple
Environment=HOME=/var/lib/asterisk
WorkingDirectory=/var/lib/asterisk
User=root
Group=root
ExecStart=/usr/sbin/asterisk -f -C /etc/asterisk/asterisk.conf
ExecStop=/usr/sbin/asterisk -rx 'core stop now'
ExecReload=/usr/sbin/asterisk -rx 'core reload'

# To emulate some of the features of the safe_asterisk script, copy
# this file to /etc/systemd/system/asterisk.service and uncomment one
# or more of the following lines.  For more information on what these
# parameters mean see:
#
# http://0pointer.de/public/systemd-man/systemd.service.html
# http://0pointer.de/public/systemd-man/systemd.exec.html

#Nice=0
#UMask=0002
#LimitCORE=infinity
#LimitNOFILE=
#Restart=always
#RestartSec=4

# If you uncomment the following you should add '-c' to the ExecStart line above

#TTYPath=/dev/tty7
#StandardInput=tty
#StandardOutput=tty
#StandardError=tty

PrivateTmp=true

[Install]
WantedBy=multi-user.target

Answering my own question…

Although I edited the service file to start as root, the selinux context is different when running at the command line vs. by systemd.

Command line:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2172 1236 2 15:14 pts/0 00:00:02 asterisk -c
Systemd:
system_u:system_r:asterisk_t:s0 root 2335 1 2 15:18 ? 00:00:04 /usr/sbin/asterisk -f -C /etc/asterisk/asterisk.conf

So, once again I temporarily disabled selinux and the systemd service works. The solution then will involve fiddling with selinux which I don’t look forward to.
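
Added example, not part of the original posts: instead of putting the whole host into permissive mode, SELinux can be relaxed for the asterisk_t domain alone while its denials are collected and turned into a local policy module. The AVC lines below are constructed samples (not the denials from this thread), the module name local_asterisk_bt is hypothetical, and the real-host function needs root plus the audit and policycoreutils tools.

```shell
#!/usr/bin/env bash
# Added example: scope SELinux troubleshooting to the asterisk_t domain only.

# Constructed sample denials (illustrative; not taken from the thread).
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1652105900.101:410): avc:  denied  { create } for  pid=2335 comm="asterisk" scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:system_r:asterisk_t:s0 tclass=bluetooth_socket permissive=1
type=AVC msg=audit(1652105900.102:411): avc:  denied  { bind } for  pid=2335 comm="asterisk" scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:system_r:asterisk_t:s0 tclass=bluetooth_socket permissive=1
type=AVC msg=audit(1652105900.103:412): avc:  denied  { create } for  pid=2335 comm="asterisk" scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:system_r:asterisk_t:s0 tclass=bluetooth_socket permissive=1
type=AVC msg=audit(1652105900.104:413): avc:  denied  { connectto } for  pid=2335 comm="asterisk" path="/var/run/sdp" scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:system_r:bluetooth_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1652105900.105:414): avc:  denied  { read } for  pid=901 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# Read raw AVC records on stdin and print, for one source domain, the
# de-duplicated permissions per (target type, class) in allow-rule form.
summarize_avc() {
    local domain="${1:-asterisk_t}"
    awk -v dom="$domain" '
        /avc: +denied/ {
            if (!match($0, /scontext=[^ ]+/)) next
            split(substr($0, RSTART + 9, RLENGTH - 9), sc, ":")
            if (sc[3] != dom) next            # third field of a context is the type
            match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), tc, ":")
            match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
            match($0, /[{][^}]*[}]/);    n = split(substr($0, RSTART + 1, RLENGTH - 2), p, " ")
            key = tc[3] ":" cls
            for (i = 1; i <= n; i++)
                if (!seen[key, p[i]]++) perms[key] = perms[key] " " p[i]
        }
        END { for (k in perms) print "allow " dom " " k " {" perms[k] " };" }
    ' | LC_ALL=C sort
}

# Real-host workflow (run as root; defined here but not executed).
# Generates a module for review; load it only after reading the .te file.
collect_asterisk_rules() {
    local name="${1:-local_asterisk_bt}"    # hypothetical module name
    semanage permissive -a asterisk_t        # only this domain stops enforcing
    systemctl restart asterisk               # reproduce the chan_mobile load
    ausearch -m AVC -c asterisk -ts recent --raw | audit2allow -M "$name"
    semanage permissive -d asterisk_t        # domain back to enforcing
    cat "$name.te"                           # review, then: semodule -i "$name.pp"
}

sample_avc | summarize_avc asterisk_t
```

The summary shows which rules a generated module would grant, so any that are broader than chan_mobile needs can be spotted before `semodule -i` is run.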