[people/stevee/selinux-policy.git] / policy / modules / services / asterisk.te


policy_module(asterisk, 1.5.0)

########################################
#
# Declarations
#

type asterisk_t;
type asterisk_exec_t;
init_daemon_domain(asterisk_t,asterisk_exec_t)

type asterisk_etc_t;
files_config_file(asterisk_etc_t)

type asterisk_log_t;
logging_log_file(asterisk_log_t)

type asterisk_spool_t;
files_type(asterisk_spool_t)

type asterisk_tmp_t;
files_tmp_file(asterisk_tmp_t)

type asterisk_tmpfs_t;
files_tmpfs_file(asterisk_tmpfs_t)

type asterisk_var_lib_t;
files_type(asterisk_var_lib_t)

type asterisk_var_run_t;
files_pid_file(asterisk_var_run_t)

########################################
#
# Local policy
#

# dac_override for /var/run/asterisk
allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
dontaudit asterisk_t self:capability sys_tty_config;
allow asterisk_t self:process { setsched signal_perms };
allow asterisk_t self:fifo_file rw_fifo_file_perms;
allow asterisk_t self:sem create_sem_perms;
allow asterisk_t self:shm create_shm_perms;
allow asterisk_t self:tcp_socket create_stream_socket_perms;
allow asterisk_t self:udp_socket create_socket_perms;

allow asterisk_t asterisk_etc_t:dir list_dir_perms;
read_files_pattern(asterisk_t,asterisk_etc_t,asterisk_etc_t)
read_lnk_files_pattern(asterisk_t,asterisk_etc_t,asterisk_etc_t)
files_search_etc(asterisk_t)

manage_files_pattern(asterisk_t,asterisk_log_t,asterisk_log_t)
logging_log_filetrans(asterisk_t,asterisk_log_t,{ file dir })

manage_dirs_pattern(asterisk_t,asterisk_spool_t,asterisk_spool_t)
manage_files_pattern(asterisk_t,asterisk_spool_t,asterisk_spool_t)
manage_lnk_files_pattern(asterisk_t,asterisk_spool_t,asterisk_spool_t)

manage_dirs_pattern(asterisk_t,asterisk_tmp_t,asterisk_tmp_t)
manage_files_pattern(asterisk_t,asterisk_tmp_t,asterisk_tmp_t)
files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir })

manage_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t)
manage_lnk_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t)
manage_fifo_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t)
manage_sock_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t)
fs_tmpfs_filetrans(asterisk_t,asterisk_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

manage_files_pattern(asterisk_t,asterisk_var_lib_t,asterisk_var_lib_t)
files_var_lib_filetrans(asterisk_t,asterisk_var_lib_t,file)

manage_files_pattern(asterisk_t,asterisk_var_run_t,asterisk_var_run_t)
manage_fifo_files_pattern(asterisk_t,asterisk_var_run_t,asterisk_var_run_t)
manage_sock_files_pattern(asterisk_t,asterisk_var_run_t,asterisk_var_run_t)
files_pid_filetrans(asterisk_t,asterisk_var_run_t,file)

kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)

corecmd_exec_bin(asterisk_t)
corecmd_search_bin(asterisk_t)

corenet_all_recvfrom_unlabeled(asterisk_t)
corenet_all_recvfrom_netlabel(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
corenet_udp_sendrecv_generic_if(asterisk_t)
corenet_tcp_sendrecv_all_nodes(asterisk_t)
corenet_udp_sendrecv_all_nodes(asterisk_t)
corenet_tcp_sendrecv_all_ports(asterisk_t)
corenet_udp_sendrecv_all_ports(asterisk_t)
corenet_tcp_bind_all_nodes(asterisk_t)
corenet_udp_bind_all_nodes(asterisk_t)
corenet_tcp_bind_asterisk_port(asterisk_t)
corenet_udp_bind_asterisk_port(asterisk_t)
corenet_sendrecv_asterisk_server_packets(asterisk_t)
# for VOIP voice channels.
corenet_tcp_bind_generic_port(asterisk_t)
corenet_udp_bind_generic_port(asterisk_t)
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)

dev_read_sysfs(asterisk_t)
dev_read_sound(asterisk_t)
dev_write_sound(asterisk_t)

domain_use_interactive_fds(asterisk_t)

files_read_etc_files(asterisk_t)
files_search_spool(asterisk_t)
# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
# are labeled usr_t
files_read_usr_files(asterisk_t)

fs_getattr_all_fs(asterisk_t)
fs_search_auto_mountpoints(asterisk_t)

libs_use_ld_so(asterisk_t)
libs_use_shared_libs(asterisk_t)

logging_send_syslog_msg(asterisk_t)

miscfiles_read_localization(asterisk_t)

sysnet_read_config(asterisk_t)

userdom_dontaudit_use_unpriv_user_fds(asterisk_t)

sysadm_dontaudit_search_home_dirs(asterisk_t)

optional_policy(`
	nis_use_ypbind(asterisk_t)
')

optional_policy(`
	seutil_sigchld_newrole(asterisk_t)
')

optional_policy(`
	udev_read_db(asterisk_t)
')

ifdef(`TODO',`
allow initrc_t asterisk_var_run_t:fifo_file unlink;
allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
')
Commit	Line	Data
e3e37e85	1
cfcf5004	2	policy_module(asterisk, 1.5.0)
e3e37e85 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type asterisk_t;
	10	type asterisk_exec_t;
	11	init_daemon_domain(asterisk_t,asterisk_exec_t)
	12
	13	type asterisk_etc_t;
	14	files_config_file(asterisk_etc_t)
	15
	16	type asterisk_log_t;
	17	logging_log_file(asterisk_log_t)
	18
	19	type asterisk_spool_t;
	20	files_type(asterisk_spool_t)
	21
	22	type asterisk_tmp_t;
	23	files_tmp_file(asterisk_tmp_t)
	24
	25	type asterisk_tmpfs_t;
	26	files_tmpfs_file(asterisk_tmpfs_t)
	27
	28	type asterisk_var_lib_t;
	29	files_type(asterisk_var_lib_t)
	30
	31	type asterisk_var_run_t;
	32	files_pid_file(asterisk_var_run_t)
	33
	34	########################################
	35	#
	36	# Local policy
	37	#
	38
	39	# dac_override for /var/run/asterisk
	40	allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
	41	dontaudit asterisk_t self:capability sys_tty_config;
	42	allow asterisk_t self:process { setsched signal_perms };
c0868a7a	43	allow asterisk_t self:fifo_file rw_fifo_file_perms;
e3e37e85 CP	44	allow asterisk_t self:sem create_sem_perms;
	45	allow asterisk_t self:shm create_shm_perms;
	46	allow asterisk_t self:tcp_socket create_stream_socket_perms;
	47	allow asterisk_t self:udp_socket create_socket_perms;
	48
c0868a7a CP	49	allow asterisk_t asterisk_etc_t:dir list_dir_perms;
	50	read_files_pattern(asterisk_t,asterisk_etc_t,asterisk_etc_t)
	51	read_lnk_files_pattern(asterisk_t,asterisk_etc_t,asterisk_etc_t)
e3e37e85 CP	52	files_search_etc(asterisk_t)
e3e37e85 CP	53
c0868a7a	54	manage_files_pattern(asterisk_t,asterisk_log_t,asterisk_log_t)
e3e37e85 CP	55	logging_log_filetrans(asterisk_t,asterisk_log_t,{ file dir })
e3e37e85 CP	56
c0868a7a CP	57	manage_dirs_pattern(asterisk_t,asterisk_spool_t,asterisk_spool_t)
	58	manage_files_pattern(asterisk_t,asterisk_spool_t,asterisk_spool_t)
	59	manage_lnk_files_pattern(asterisk_t,asterisk_spool_t,asterisk_spool_t)
e3e37e85	60
c0868a7a CP	61	manage_dirs_pattern(asterisk_t,asterisk_tmp_t,asterisk_tmp_t)
c0868a7a CP	62	manage_files_pattern(asterisk_t,asterisk_tmp_t,asterisk_tmp_t)
e3e37e85 CP	63	files_tmp_filetrans(asterisk_t, asterisk_tmp_t, { file dir })
e3e37e85 CP	64
c0868a7a CP	65	manage_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t)
	66	manage_lnk_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t)
	67	manage_fifo_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t)
	68	manage_sock_files_pattern(asterisk_t,asterisk_tmpfs_t,asterisk_tmpfs_t)
e3e37e85 CP	69	fs_tmpfs_filetrans(asterisk_t,asterisk_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
e3e37e85 CP	70
c0868a7a	71	manage_files_pattern(asterisk_t,asterisk_var_lib_t,asterisk_var_lib_t)
e3e37e85 CP	72	files_var_lib_filetrans(asterisk_t,asterisk_var_lib_t,file)
e3e37e85 CP	73
c0868a7a CP	74	manage_files_pattern(asterisk_t,asterisk_var_run_t,asterisk_var_run_t)
	75	manage_fifo_files_pattern(asterisk_t,asterisk_var_run_t,asterisk_var_run_t)
	76	manage_sock_files_pattern(asterisk_t,asterisk_var_run_t,asterisk_var_run_t)
e3e37e85 CP	77	files_pid_filetrans(asterisk_t,asterisk_var_run_t,file)
	78
	79	kernel_read_system_state(asterisk_t)
	80	kernel_read_kernel_sysctls(asterisk_t)
	81
	82	corecmd_exec_bin(asterisk_t)
8021cb4f	83	corecmd_search_bin(asterisk_t)
e3e37e85	84
19006686 CP	85	corenet_all_recvfrom_unlabeled(asterisk_t)
19006686 CP	86	corenet_all_recvfrom_netlabel(asterisk_t)
e3e37e85 CP	87	corenet_tcp_sendrecv_generic_if(asterisk_t)
e3e37e85 CP	88	corenet_udp_sendrecv_generic_if(asterisk_t)
e3e37e85 CP	89	corenet_tcp_sendrecv_all_nodes(asterisk_t)
e3e37e85 CP	90	corenet_udp_sendrecv_all_nodes(asterisk_t)
e3e37e85 CP	91	corenet_tcp_sendrecv_all_ports(asterisk_t)
	92	corenet_udp_sendrecv_all_ports(asterisk_t)
	93	corenet_tcp_bind_all_nodes(asterisk_t)
	94	corenet_udp_bind_all_nodes(asterisk_t)
	95	corenet_tcp_bind_asterisk_port(asterisk_t)
	96	corenet_udp_bind_asterisk_port(asterisk_t)
141cffdd	97	corenet_sendrecv_asterisk_server_packets(asterisk_t)
e3e37e85 CP	98	# for VOIP voice channels.
	99	corenet_tcp_bind_generic_port(asterisk_t)
	100	corenet_udp_bind_generic_port(asterisk_t)
6c911897	101	corenet_dontaudit_udp_bind_all_ports(asterisk_t)
141cffdd	102	corenet_sendrecv_generic_server_packets(asterisk_t)
e3e37e85 CP	103
	104	dev_read_sysfs(asterisk_t)
	105	dev_read_sound(asterisk_t)
	106	dev_write_sound(asterisk_t)
	107
	108	domain_use_interactive_fds(asterisk_t)
	109
	110	files_read_etc_files(asterisk_t)
	111	files_search_spool(asterisk_t)
	112	# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
	113	# are labeled usr_t
	114	files_read_usr_files(asterisk_t)
	115
	116	fs_getattr_all_fs(asterisk_t)
	117	fs_search_auto_mountpoints(asterisk_t)
	118
e3e37e85 CP	119	libs_use_ld_so(asterisk_t)
	120	libs_use_shared_libs(asterisk_t)
	121
	122	logging_send_syslog_msg(asterisk_t)
	123
	124	miscfiles_read_localization(asterisk_t)
	125
	126	sysnet_read_config(asterisk_t)
	127
	128	userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
e9c6cda7 CP	129
e9c6cda7 CP	130	sysadm_dontaudit_search_home_dirs(asterisk_t)
e3e37e85	131
e3e37e85 CP	132	optional_policy(`
	133	nis_use_ypbind(asterisk_t)
	134	')
	135
	136	optional_policy(`
	137	seutil_sigchld_newrole(asterisk_t)
	138	')
	139
	140	optional_policy(`
	141	udev_read_db(asterisk_t)
	142	')
	143
	144	ifdef(`TODO',`
	145	allow initrc_t asterisk_var_run_t:fifo_file unlink;
	146	allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
	147	')