1asterisk_selinux(8)         SELinux Policy asterisk        asterisk_selinux(8)
2
3
4

NAME

6       asterisk_selinux - Security Enhanced Linux Policy for the asterisk pro‐
7       cesses
8

DESCRIPTION

10       Security-Enhanced Linux secures the  asterisk  processes  via  flexible
11       mandatory access control.
12
13       The  asterisk  processes  execute with the asterisk_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep asterisk_t
20
21
22

ENTRYPOINTS

24       The asterisk_t SELinux type can be entered via the asterisk_exec_t file
25       type.
26
27       The default entrypoint paths for the asterisk_t domain are the  follow‐
28       ing:
29
30       /usr/sbin/asterisk
31

PROCESS TYPES

33       SELinux defines process types (domains) for each process running on the
34       system
35
36       You can see the context of a process using the -Z option to ps
37
38       Policy governs the access confined processes have  to  files.   SELinux
39       asterisk policy is very flexible allowing users to setup their asterisk
40       processes in as secure a method as possible.
41
42       The following process types are defined for asterisk:
43
44       asterisk_t
45
46       Note: semanage permissive -a asterisk_t can be used to make the process
47       type  asterisk_t permissive. SELinux does not deny access to permissive
48       process types, but the AVC (SELinux denials) messages are still  gener‐
49       ated.
50
51

BOOLEANS

53       SELinux  policy is customizable based on least access required.  aster‐
54       isk policy is extremely flexible and has several  booleans  that  allow
55       you  to manipulate the policy and run asterisk with the tightest access
56       possible.
57
58
59
60       If you want to allow users to resolve user passwd entries directly from
61       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
62       gin_nsswitch_use_ldap boolean. Disabled by default.
63
64       setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68       If you want to allow all daemons to write corefiles to /, you must turn
69       on the daemons_dump_core boolean. Disabled by default.
70
71       setsebool -P daemons_dump_core 1
72
73
74
75       If  you  want  to enable cluster mode for daemons, you must turn on the
76       daemons_enable_cluster_mode boolean. Enabled by default.
77
78       setsebool -P daemons_enable_cluster_mode 1
79
80
81
82       If you want to allow all daemons to use tcp wrappers, you must turn  on
83       the daemons_use_tcp_wrapper boolean. Disabled by default.
84
85       setsebool -P daemons_use_tcp_wrapper 1
86
87
88
89       If  you  want to allow all daemons the ability to read/write terminals,
90       you must turn on the daemons_use_tty boolean. Disabled by default.
91
92       setsebool -P daemons_use_tty 1
93
94
95
96       If you want to deny any process from ptracing or  debugging  any  other
97       processes,  you  must  turn  on  the  deny_ptrace  boolean.  Enabled by
98       default.
99
100       setsebool -P deny_ptrace 1
101
102
103
104       If you want to allow any process  to  mmap  any  file  on  system  with
105       attribute  file_type,  you must turn on the domain_can_mmap_files bool‐
106       ean. Enabled by default.
107
108       setsebool -P domain_can_mmap_files 1
109
110
111
112       If you want to allow all domains write to kmsg_device, while kernel  is
113       executed  with  systemd.log_target=kmsg parameter, you must turn on the
114       domain_can_write_kmsg boolean. Disabled by default.
115
116       setsebool -P domain_can_write_kmsg 1
117
118
119
120       If you want to allow all domains to use other domains file descriptors,
121       you must turn on the domain_fd_use boolean. Enabled by default.
122
123       setsebool -P domain_fd_use 1
124
125
126
127       If  you  want to allow all domains to have the kernel load modules, you
128       must  turn  on  the  domain_kernel_load_modules  boolean.  Disabled  by
129       default.
130
131       setsebool -P domain_kernel_load_modules 1
132
133
134
135       If you want to allow all domains to execute in fips_mode, you must turn
136       on the fips_mode boolean. Enabled by default.
137
138       setsebool -P fips_mode 1
139
140
141
142       If you want to enable reading of urandom for all domains, you must turn
143       on the global_ssp boolean. Disabled by default.
144
145       setsebool -P global_ssp 1
146
147
148
149       If  you  want  to allow confined applications to run with kerberos, you
150       must turn on the kerberos_enabled boolean. Enabled by default.
151
152       setsebool -P kerberos_enabled 1
153
154
155
156       If you want to allow system to run with  NIS,  you  must  turn  on  the
157       nis_enabled boolean. Disabled by default.
158
159       setsebool -P nis_enabled 1
160
161
162
163       If  you  want to allow confined applications to use nscd shared memory,
164       you must turn on the nscd_use_shm boolean. Disabled by default.
165
166       setsebool -P nscd_use_shm 1
167
168
169

PORT TYPES

171       SELinux defines port types to represent TCP and UDP ports.
172
173       You can see the types associated with a port  by  using  the  following
174       command:
175
176       semanage port -l
177
178
179       Policy  governs  the  access  confined  processes  have to these ports.
180       SELinux asterisk policy is very flexible allowing users to setup  their
181       asterisk processes in as secure a method as possible.
182
183       The following port types are defined for asterisk:
184
185
186       asterisk_port_t
187
188
189
190       Default Defined Ports:
191                 tcp 1720
192                 udp 2427,2727,4569
193

MANAGED FILES

195       The  SELinux  process type asterisk_t can manage files labeled with the
196       following file types.  The paths listed are the default paths for these
197       file types.  Note the processes UID still need to have DAC permissions.
198
199       asterisk_log_t
200
201            /var/log/asterisk(/.*)?
202
203       asterisk_spool_t
204
205            /var/spool/asterisk(/.*)?
206
207       asterisk_tmp_t
208
209
210       asterisk_tmpfs_t
211
212
213       asterisk_var_lib_t
214
215            /var/lib/asterisk(/.*)?
216
217       asterisk_var_run_t
218
219            /var/run/asterisk.*
220
221       cluster_conf_t
222
223            /etc/cluster(/.*)?
224
225       cluster_var_lib_t
226
227            /var/lib/pcsd(/.*)?
228            /var/lib/cluster(/.*)?
229            /var/lib/openais(/.*)?
230            /var/lib/pengine(/.*)?
231            /var/lib/corosync(/.*)?
232            /usr/lib/heartbeat(/.*)?
233            /var/lib/heartbeat(/.*)?
234            /var/lib/pacemaker(/.*)?
235
236       cluster_var_run_t
237
238            /var/run/crm(/.*)?
239            /var/run/cman_.*
240            /var/run/rsctmp(/.*)?
241            /var/run/aisexec.*
242            /var/run/heartbeat(/.*)?
243            /var/run/corosync-qnetd(/.*)?
244            /var/run/corosync-qdevice(/.*)?
245            /var/run/cpglockd.pid
246            /var/run/corosync.pid
247            /var/run/rgmanager.pid
248            /var/run/cluster/rgmanager.sk
249
250       root_t
251
252            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
253            /
254            /initrd
255
256

FILE CONTEXTS

258       SELinux requires files to have an extended attribute to define the file
259       type.
260
261       You can see the context of a file using the -Z option to ls
262
263       Policy governs the access  confined  processes  have  to  these  files.
264       SELinux  asterisk policy is very flexible allowing users to setup their
265       asterisk processes in as secure a method as possible.
266
267       STANDARD FILE CONTEXT
268
269       SELinux defines the file context types for the asterisk, if you  wanted
270       to store files with these types in a diffent paths, you need to execute
271       the semanage command  to  sepecify  alternate  labeling  and  then  use
272       restorecon to put the labels on disk.
273
274       semanage   fcontext   -a  -t  asterisk_var_run_t  '/srv/myasterisk_con‐
275       tent(/.*)?'
276       restorecon -R -v /srv/myasterisk_content
277
278       Note: SELinux often uses regular expressions  to  specify  labels  that
279       match multiple files.
280
281       The following file types are defined for asterisk:
282
283
284
285       asterisk_etc_t
286
287       - Set files with the asterisk_etc_t type, if you want to store asterisk
288       files in the /etc directories.
289
290
291
292       asterisk_exec_t
293
294       - Set files with the asterisk_exec_t type, if you want to transition an
295       executable to the asterisk_t domain.
296
297
298
299       asterisk_initrc_exec_t
300
301       -  Set files with the asterisk_initrc_exec_t type, if you want to tran‐
302       sition an executable to the asterisk_initrc_t domain.
303
304
305
306       asterisk_log_t
307
308       - Set files with the asterisk_log_t type, if you want to treat the data
309       as asterisk log data, usually stored under the /var/log directory.
310
311
312
313       asterisk_spool_t
314
315       -  Set  files  with the asterisk_spool_t type, if you want to store the
316       asterisk files under the /var/spool directory.
317
318
319
320       asterisk_tmp_t
321
322       - Set files with the asterisk_tmp_t type, if you want to store asterisk
323       temporary files in the /tmp directories.
324
325
326
327       asterisk_tmpfs_t
328
329       - Set files with the asterisk_tmpfs_t type, if you want to store aster‐
330       isk files on a tmpfs file system.
331
332
333
334       asterisk_var_lib_t
335
336       - Set files with the asterisk_var_lib_t type, if you want to store  the
337       asterisk files under the /var/lib directory.
338
339
340
341       asterisk_var_run_t
342
343       -  Set files with the asterisk_var_run_t type, if you want to store the
344       asterisk files under the /run or /var/run directory.
345
346
347
348       Note: File context can be temporarily modified with the chcon  command.
349       If  you want to permanently change the file context you need to use the
350       semanage fcontext command.  This will modify the SELinux labeling data‐
351       base.  You will need to use restorecon to apply the labels.
352
353

COMMANDS

355       semanage  fcontext  can also be used to manipulate default file context
356       mappings.
357
358       semanage permissive can also be used to manipulate  whether  or  not  a
359       process type is permissive.
360
361       semanage  module can also be used to enable/disable/install/remove pol‐
362       icy modules.
363
364       semanage port can also be used to manipulate the port definitions
365
366       semanage boolean can also be used to manipulate the booleans
367
368
369       system-config-selinux is a GUI tool available to customize SELinux pol‐
370       icy settings.
371
372

AUTHOR

374       This manual page was auto-generated using sepolicy manpage .
375
376

SEE ALSO

378       selinux(8),  asterisk(8),  semanage(8), restorecon(8), chcon(1), sepol‐
379       icy(8) , setsebool(8)
380
381
382
383asterisk                           19-04-25                asterisk_selinux(8)
Impressum