#DESC Asterisk IP telephony server
#
# Author: Russell Coker <russell@coker.com.au>
#
# X-Debian-Packages: asterisk
# Dedicated port label for Asterisk. The name_bind rule on asterisk_port_t
# further down is what lets the daemon bind ports carrying this label.
# Which port numbers get the label is defined outside this file.
type asterisk_port_t, port_type;
# Sets up the daemon domain through a macro defined outside this file.
# asterisk_t and asterisk_var_run_t are used below but never declared here,
# so presumably this macro declares them - confirm in the macro definition.
daemon_domain(asterisk)
# The daemon may create and manage socket files and FIFOs labeled
# asterisk_var_run_t (presumably the ones under /var/run/asterisk).
allow asterisk_t asterisk_var_run_t:{ sock_file fifo_file } create_file_perms;
# Init scripts (initrc_t) may unlink the daemon FIFO and nothing more;
# presumably this is to clear a stale FIFO at start or stop - confirm.
allow initrc_t asterisk_var_run_t:fifo_file unlink;
# The daemon may change its own scheduling parameters. This pairs with the
# sys_nice capability granted later in this file.
allow asterisk_t self:process setsched;
# Read and write on FIFOs carrying the daemon own label, i.e. its own pipes.
allow asterisk_t self:fifo_file rw_file_perms;
# Read-only: getattr and read on files labeled proc_t. No write is granted.
allow asterisk_t proc_t:file { getattr read };
# Path lookup only: search on bin_t and sbin_t directories. Listing the
# directory contents would need read, which is not granted here.
allow asterisk_t { bin_t sbin_t }:dir search;
# Follow symbolic links labeled bin_t.
allow asterisk_t bin_t:lnk_file read;
# Lets asterisk_t execute programs labeled bin_t (macro defined elsewhere).
# NOTE(review): nothing in this file declares a domain transition for those
# programs, so presumably they run inside asterisk_t with every permission
# granted here, including the capabilities - confirm in the macro definition.
can_exec(asterisk_t, bin_t)
# Macro defined outside this file; by its name it gives the daemon a private
# type for its configuration directory. Confirm the type name and the
# permissions it grants in the macro definition.
etcdir_domain(asterisk)
# Macro defined outside this file; by its name it gives the daemon a private
# type for its log directory, keeping its logs apart from generic log files.
# Confirm the type name and permissions in the macro definition.
logdir_domain(asterisk)
# Macro defined outside this file; by its name it gives the daemon a private
# type for its state files under /var/lib. Confirm in the macro definition.
var_lib_domain(asterisk)
# Bind UDP and TCP sockets to ports labeled asterisk_port_t, the dedicated
# Asterisk port label declared at the top of this file.
allow asterisk_t asterisk_port_t:{ udp_socket tcp_socket } name_bind;
# for VOIP voice channels.
# NOTE(review): port_t is normally the default label for ports that have no
# more specific type, so this rule lets the daemon bind any such port over
# both UDP and TCP. That is far wider than the asterisk_port_t rule. If the
# voice channels are UDP only (presumably RTP - confirm), tcp_socket could
# be dropped here, and a dedicated label for the media port range would
# narrow the rule further.
allow asterisk_t port_t:{ udp_socket tcp_socket } name_bind;
# Follow symbolic links labeled device_t (presumably links in /dev that
# point at the sound device - confirm).
allow asterisk_t device_t:lnk_file read;
# Read and write on character devices labeled sound_device_t.
allow asterisk_t sound_device_t:chr_file rw_file_perms;
# Private type for the daemon spool files. The sysadmfile attribute
# presumably makes these files manageable by the administrator domain;
# confirm against the attribute definition.
type asterisk_spool_t, file_type, sysadmfile;
# Lets the daemon create and manage directories and files labeled
# asterisk_spool_t. The exact permission set comes from a macro defined
# outside this file.
create_dir_file(asterisk_t, asterisk_spool_t)
# Search only on var_spool_t directories, enough to traverse the parent
# spool directory on the way to asterisk_spool_t content.
allow asterisk_t var_spool_t:dir search;
# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
# are labeled usr_t
# NOTE(review): read-only, but usr_t is a generic label, so this rule covers
# every file labeled usr_t and not only the demo sound files. Giving the
# sound files a dedicated type would let this rule be narrowed.
allow asterisk_t usr_t:file r_file_perms;
# Network server permissions from a macro defined outside this file. The
# socket, interface and node permissions it grants are not visible here;
# review the macro definition together with the name_bind rules above.
can_network_server(asterisk_t)
# Macro defined outside this file; by its name it lets the daemon act as a
# NIS (ypbind) client. NOTE(review): on hosts that do not use NIS this access
# is unneeded - check whether the macro gates it behind a boolean.
can_ypbind(asterisk_t)
# Read-only: getattr and read on generic configuration files labeled etc_t.
allow asterisk_t etc_t:file { getattr read };
# Create Unix stream sockets and connect to sockets owned by its own domain.
allow asterisk_t self:unix_stream_socket { connectto create_stream_socket_perms };
# sysadm_t is the only other domain this file allows to connect to Unix
# stream sockets of asterisk_t; presumably this is for the control console
# (confirm). Any additional client domain would need its own rule.
allow sysadm_t asterisk_t:unix_stream_socket { connectto rw_stream_socket_perms };
# Semaphores carrying the daemon own label: create and use.
allow asterisk_t self:sem create_sem_perms;
# Shared memory segments carrying the daemon own label: create and use.
allow asterisk_t self:shm create_shm_perms;
# dac_override for /var/run/asterisk
# NOTE(review): dac_override bypasses Unix permission checks on every file
# that this policy lets asterisk_t reach, not only /var/run/asterisk.
# Correcting the ownership or mode of that directory would allow dropping it.
# setuid and setgid presumably let the daemon switch to an unprivileged
# user at startup (confirm); sys_nice pairs with the setsched rule above.
allow asterisk_t self:capability { dac_override setgid setuid sys_nice };
# for shutdown
# dontaudit does not grant anything: sys_tty_config stays denied and only
# the audit record for the denial is suppressed.
dontaudit asterisk_t self:capability sys_tty_config;
# Macro defined outside this file; by its name it gives the daemon a private
# type for its tmpfs-backed files. Confirm in the macro definition.
tmpfs_domain(asterisk)
# Macro defined outside this file; by its name it gives the daemon a private
# type for its temporary files, so that they are not shared with other
# domains through a generic tmp label. Confirm in the macro definition.
tmp_domain(asterisk)