Bug 1092150
| Summary: | Asterisk AGI script blocked by SELinux | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Patrick Laimbock <patrick> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.5 | CC: | dwalsh, lvrabec, mmalik, patrick |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-251.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-10-14 08:02:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Does asterisk need to be able to write these files as well as execute them? AFAIK no (I can't think of a use case). Both Asterisk and an agi-bin script should be able to write to /var/spool/asterisk/{monitor,outgoing,tmp,uploads,voicemail}/
Similar to a cgi-bin script, an agi-bin script should also be able to for example write to /tmp, read sound files from /var/lib/asterisk/sounds/, access MySQL, libs, etc..
Is /var/lib/asterisk/agi-bin the default location for these executables? Could you try to execute # chcon -R -t bin_t /var/lib/asterisk/agi-bin Steps: chcon -R -t bin_t /var/lib/asterisk/agi-bin ls -Z /var/lib/asterisk | grep agi-bin drwxr-x---. asterisk asterisk system_u:object_r:bin_t:s0 agi-bin Result: problem went away Made a call to an extension which executes test.agi and the test.agi script is properly executed, no AVC to be seen. Patrick is this a standard directory or something you created? It was created by 'make install' during rpmbuild. The answer to wether this is a standard directory depends on who you ask. The Asterisk EPEL RPMs use '/usr/share/asterisk/agi-bin' while Digium's Asterisk RPMs use '/var/lib/asterisk/agi-bin' by default. So who's right? I went through the FHS 2.3 and it says in 4.11 that /usr/share is for Architecture-independant data while in 5.8.4 it says that /var/lib/ is for Variable state information. It seems neither location is the proper place for an agi-bin directory with (arch dependant) scripts? http://www.pathname.com/fhs/pub/fhs-2.3.pdf And agi-bin is not the only directory in a different location in the EPEL and Digium Asterisk RPMs. EPEL Asterisk 11 RPMs: /var/lib/asterisk/ <-- empty /usr/share/asterisk/agi-bin /usr/share/asterisk/documentation /usr/share/asterisk/firmware /usr/share/asterisk/images /usr/share/asterisk/keys /usr/share/asterisk/moh /usr/share/asterisk/phoneprov /usr/share/asterisk/sounds /usr/share/asterisk/static-http Digium's Asterisk 11 RPMs: /var/lib/asterisk/agi-bin /var/lib/asterisk/documentation /var/lib/asterisk/images /var/lib/asterisk/keys /var/lib/asterisk/licenses /var/lib/asterisk/phoneprov /var/lib/asterisk/static-http Any ideas what the proper location for the agi-bin etc. directories should be? Unless that's clear, discussing the AVC is moot. Apologies for the can of worms :P Ok so rpm -qf /usr/share/asterisk/agi-bin rpm -qf /var/lib/asterisk/agi-bin cmds give us asterisk pkg. After discussing the proper location, the /usr/share/asterisk/agi-bin location is the best (less worst) one. That location is already used in the Asterisk EPEL package so should probably be the target of any SELinux fixes/enhancements. About my comment 5: I just ran a more complex agi script that contacts a Google service and that resulted in another AVC. So the chcon -R -t bin_t /usr/share/asterisk/agi-bin trick is not always sufficient. With a quick setenforce 0 the script worked fine. The AVC was: type=AVC msg=audit(1400194792.258:294): avc: denied { name_connect } for pid=2913 comm="perl" dest=80 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket Which results in: $ sudo grep 1400194792.258:294 /var/log/audit/audit.log | audit2allow -M asterisk-agi && cat asterisk-agi.te ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i asterisk-agi.pp module asterisk-agi 1.0; require { type http_port_t; type asterisk_t; class tcp_socket name_connect; } #============= asterisk_t ============== #!!!! This avc can be allowed using the boolean 'allow_ypbind' allow asterisk_t http_port_t:tcp_socket name_connect; 42918d15f7e12bee011180d67aff30136bd08cec fixes this in git. I'll send patch to Miroslav. Asterisk is not able to execute any file that is located in following directories, because of default labeling: # matchpathcon /usr/share/asterisk/agi-bin /usr/share/asterisk/agi-bin system_u:object_r:usr_t:s0 # matchpathcon /var/lib/asterisk/agi-bin /var/lib/asterisk/agi-bin system_u:object_r:asterisk_var_lib_t:s0 # Could we change the default labels to bin_t or lib_t? Could we create a special type for asterisk scripts? Milos: not sure what you are asking (me?). Is the patch that Dan mentioned in comment #10 not the fix? My SELinux foo is insufficient to comment on your question about the proper label. The patch, that Dan mentioned in comment#10, fixes the AVC from comment#9, but does not fix the AVC from comment#0. # matchpathcon /var/lib/asterisk/agi-bin /var/lib/asterisk/agi-bin system_u:object_r:asterisk_var_lib_t:s0 # sesearch -s asterisk_t -t asterisk_var_lib_t -c file -p execute --allow # matchpathcon /usr/share/asterisk/agi-bin /usr/share/asterisk/agi-bin system_u:object_r:usr_t:s0 # sesearch -s asterisk_t -t usr_t -c file -p execute --allow # patch sent. I tested selinux-policy-3.7.19-251.el6 which dwalsh kindly made available.
Steps:
$ sudo yum install selinux*3.7.19-251*
$ sudo restorecon -v -F -R /usr/share/asterisk
$ ls -Z /usr/share/asterisk/agi-bin/googletts/
-rwxr-xr-x. asterisk asterisk system_u:object_r:bin_t:s0 googletts.agi
Made a call to an extensions that launches the googletts script to convert some text to speech and play that back:
- Launched AGI Script /usr/share/asterisk/agi-bin/googletts/googletts.agi
-- Playing '/tmp/ggl_MK9_qC' (escape_digits=) (sample_offset 0)
-- <SIP/1000-0000001e>AGI Script googletts/googletts.agi completed, returning 0
Result: success & no more AVC
BZ can be closed. Thank you!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1568.html |
Description of problem: Asterisk AGI scripts (similar to cgi-bin scripts) are blocked by SELinux Version-Release number of selected component (if applicable): EL6.5, Asterisk 11.9.0, selinux-policy-3.7.19-231.el6_5.1.noarch, selinux-policy-targeted-3.7.19-231.el6_5.1.noarch How reproducible: Add test.agi script to /var/lib/asterisk/agi-bin/ and chmod 755 plus chown asterisk:asterisk. Add an extension in /etc/asterisk/extensions.conf that executes that script. Dial the extension and wait for 'test.agi ... Permission denied' and the AVC to show up. Steps to Reproduce: 1. add AGI script to /var/lib/asterisk/agi-bin 2. add extension that executes that AGI script 3. dial extension and wait for it to fail + AVC Actual results: Failure to execute the AGI script plus an AVC Expected results: AGI script is executed, no AVC is generated. Additional info: AGI scripts are like cgi-bin scripts. Anything goes: C, python, perl, bash scripts etc. SELinux labels of directories involved: ls -Z /var/lib/asterisk/ | grep agi-bin drwxr-x---. asterisk asterisk system_u:object_r:asterisk_var_lib_t:s0 agi-bin ls -Z /var/lib/asterisk/agi-bin/ -rwxr-xr-x. asterisk asterisk system_u:object_r:asterisk_var_lib_t:s0 test.agi Copy of the AVC: type=AVC msg=audit(1398714585.445:113): avc: denied { execute } for pid=1361 comm="asterisk" name="test.agi" dev=vda3 ino=268371 scontext=system_u:system_r:asterisk_t:s0 tcontext=unconfined_u:object_r:asterisk_var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1398714585.445:113): arch=c000003e syscall=59 success=no exit=-13 a0=7fe8db0f0480 a1=7fe8db0ef348 a2=17f49d0 a3=7fe8db0ef050 items=0 ppid=1041 pid=1361 auid=4294967295 uid=498 gid=499 euid=498 suid=498 fsuid=498 egid=499 sgid=499 fsgid=499 tty=(none) ses=4294967295 comm="asterisk" exe="/usr/sbin/asterisk" subj=system_u:system_r:asterisk_t:s0 key=(null) And the suggested solution: grep 1398714585.445:113 /var/log/audit/audit.log | audit2allow -M asterisk-agi && cat asterisk-agi.te ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i asterisk-agi.pp module asterisk-agi 1.0; require { type asterisk_var_lib_t; type asterisk_t; class file execute; } #============= asterisk_t ============== allow asterisk_t asterisk_var_lib_t:file execute; If you need more information please let me know. Thanks!