Bug 1092150 - Asterisk AGI script blocked by SELinux
Summary: Asterisk AGI script blocked by SELinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-04-28 20:14 UTC by Patrick Laimbock
Modified: 2014-10-14 08:02 UTC (History)

Fixed In Version: selinux-policy-3.7.19-251.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-14 08:02:04 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2014:1568 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2014-10-14 01:27:37 UTC

Description Patrick Laimbock 2014-04-28 20:14:29 UTC
Description of problem:
Asterisk AGI scripts (similar to cgi-bin scripts) are blocked by SELinux

Version-Release number of selected component (if applicable):
EL6.5, Asterisk 11.9.0, selinux-policy-3.7.19-231.el6_5.1.noarch, selinux-policy-targeted-3.7.19-231.el6_5.1.noarch

How reproducible:
Add test.agi script to /var/lib/asterisk/agi-bin/ and chmod 755 plus chown asterisk:asterisk. Add an extension in /etc/asterisk/extensions.conf that executes that script. Dial the extension and wait for 'test.agi ... Permission denied' and the AVC to show up.

Steps to Reproduce:
1. add AGI script to /var/lib/asterisk/agi-bin
2. add extension that executes that AGI script
3. dial extension and wait for it to fail + AVC

Actual results:
Failure to execute the AGI script plus an AVC

Expected results:
AGI script is executed, no AVC is generated.

Additional info:
AGI scripts are like cgi-bin scripts. Anything goes: C, python, perl, bash scripts etc. 

SELinux labels of directories involved:

ls -Z /var/lib/asterisk/ | grep agi-bin
drwxr-x---. asterisk asterisk system_u:object_r:asterisk_var_lib_t:s0 agi-bin

ls -Z /var/lib/asterisk/agi-bin/
-rwxr-xr-x. asterisk asterisk system_u:object_r:asterisk_var_lib_t:s0 test.agi


Copy of the AVC:

type=AVC msg=audit(1398714585.445:113): avc:  denied  { execute } for  pid=1361 comm="asterisk" name="test.agi" dev=vda3 ino=268371 scontext=system_u:system_r:asterisk_t:s0 tcontext=unconfined_u:object_r:asterisk_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1398714585.445:113): arch=c000003e syscall=59 success=no exit=-13 a0=7fe8db0f0480 a1=7fe8db0ef348 a2=17f49d0 a3=7fe8db0ef050 items=0 ppid=1041 pid=1361 auid=4294967295 uid=498 gid=499 euid=498 suid=498 fsuid=498 egid=499 sgid=499 fsgid=499 tty=(none) ses=4294967295 comm="asterisk" exe="/usr/sbin/asterisk" subj=system_u:system_r:asterisk_t:s0 key=(null)

And the suggested solution:

grep 1398714585.445:113 /var/log/audit/audit.log | audit2allow -M asterisk-agi && cat asterisk-agi.te
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i asterisk-agi.pp


module asterisk-agi 1.0;

require {
	type asterisk_var_lib_t;
	type asterisk_t;
	class file execute;
}

#============= asterisk_t ==============
allow asterisk_t asterisk_var_lib_t:file execute;


If you need more information please let me know. Thanks!

Comment 2 Daniel Walsh 2014-05-03 11:25:06 UTC
Does asterisk need to be able to write these files as well as execute them?

Comment 3 Patrick Laimbock 2014-05-03 12:14:49 UTC
AFAIK no (I can't think of a use case). Both Asterisk and an agi-bin script should be able to write to /var/spool/asterisk/{monitor,outgoing,tmp,uploads,voicemail}/

Similar to a cgi-bin script, an agi-bin script should also be able to for example write to /tmp, read sound files from /var/lib/asterisk/sounds/, access MySQL, libs, etc..

Comment 4 Miroslav Grepl 2014-05-05 08:28:15 UTC
Is 

/var/lib/asterisk/agi-bin

the default location for these executables? Could you try to execute

# chcon -R -t bin_t /var/lib/asterisk/agi-bin

Comment 5 Patrick Laimbock 2014-05-05 17:32:59 UTC
Steps: chcon -R -t bin_t /var/lib/asterisk/agi-bin

ls -Z /var/lib/asterisk | grep agi-bin
drwxr-x---. asterisk asterisk system_u:object_r:bin_t:s0       agi-bin

Result: problem went away

Made a call to an extension which executes test.agi and the test.agi script is properly executed, no AVC to be seen.

Comment 6 Daniel Walsh 2014-05-05 18:34:46 UTC
Patrick is this a standard directory or something you created?

Comment 7 Patrick Laimbock 2014-05-05 20:22:37 UTC
It was created by 'make install' during rpmbuild. The answer to whether this is a standard directory depends on who you ask. The Asterisk EPEL RPMs use '/usr/share/asterisk/agi-bin' while Digium's Asterisk RPMs use '/var/lib/asterisk/agi-bin' by default. So who's right?

I went through the FHS 2.3 and it says in 4.11 that /usr/share is for architecture-independent data while in 5.8.4 it says that /var/lib/ is for variable state information. It seems neither location is the proper place for an agi-bin directory with (arch-dependent) scripts?

http://www.pathname.com/fhs/pub/fhs-2.3.pdf

And agi-bin is not the only directory in a different location in the EPEL and Digium Asterisk RPMs.

EPEL Asterisk 11 RPMs:

/var/lib/asterisk/     <-- empty
/usr/share/asterisk/agi-bin
/usr/share/asterisk/documentation
/usr/share/asterisk/firmware
/usr/share/asterisk/images
/usr/share/asterisk/keys
/usr/share/asterisk/moh
/usr/share/asterisk/phoneprov
/usr/share/asterisk/sounds
/usr/share/asterisk/static-http

Digium's Asterisk 11 RPMs:

/var/lib/asterisk/agi-bin
/var/lib/asterisk/documentation
/var/lib/asterisk/images
/var/lib/asterisk/keys
/var/lib/asterisk/licenses
/var/lib/asterisk/phoneprov
/var/lib/asterisk/static-http

Any ideas what the proper location for the agi-bin etc. directories should be? Unless that's clear, discussing the AVC is moot. Apologies for the can of worms :P

Comment 8 Miroslav Grepl 2014-05-12 12:01:40 UTC
Ok so 

rpm -qf /usr/share/asterisk/agi-bin
rpm -qf /var/lib/asterisk/agi-bin

cmds give us asterisk pkg.

Comment 9 Patrick Laimbock 2014-05-15 23:11:51 UTC
After discussing the proper location, the /usr/share/asterisk/agi-bin location is the best (less worst) one. That location is already used in the Asterisk EPEL package so should probably be the target of any SELinux fixes/enhancements.

About my comment 5: I just ran a more complex agi script that contacts a Google service and that resulted in another AVC. So the chcon -R -t bin_t /usr/share/asterisk/agi-bin trick is not always sufficient. With a quick setenforce 0 the script worked fine.

The AVC was:

type=AVC msg=audit(1400194792.258:294): avc:  denied  { name_connect } for  pid=2913 comm="perl" dest=80 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket

Which results in:

$ sudo grep 1400194792.258:294 /var/log/audit/audit.log | audit2allow -M asterisk-agi && cat asterisk-agi.te
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i asterisk-agi.pp


module asterisk-agi 1.0;

require {
	type http_port_t;
	type asterisk_t;
	class tcp_socket name_connect;
}

#============= asterisk_t ==============

#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow asterisk_t http_port_t:tcp_socket name_connect;
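
Added example (not part of the bug report or of audit2allow): a small parser for the two AVC records quoted in comment 0 and comment 9, which rebuilds the allow rule audit2allow would emit and then triages it. The triage heuristic encodes the outcome of this thread: an "execute" denial on a data type such as asterisk_var_lib_t is better solved by relabeling the scripts to an executable type than by granting execute on writable content, whereas the name_connect denial needs an explicit rule or a boolean. The field names are those visible in the audit records; the rule-formatting and triage logic are my own.

```python
import re

# The two AVC records from this bug report (comment 0 and comment 9), embedded
# so the example runs offline.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1398714585.445:113): avc:  denied  { execute } for  pid=1361 '
    'comm="asterisk" name="test.agi" dev=vda3 ino=268371 '
    'scontext=system_u:system_r:asterisk_t:s0 '
    'tcontext=unconfined_u:object_r:asterisk_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1400194792.258:294): avc:  denied  { name_connect } for  pid=2913 '
    'comm="perl" dest=80 scontext=unconfined_u:system_r:asterisk_t:s0 '
    'tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Extract result, permissions, source/target types and class from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type:level; the type is the third component.
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'name': fields.get('name'),
    }


def allow_rule(rec):
    """Render the TE allow rule in the same form audit2allow prints it."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (rec['stype'], rec['ttype'], rec['tclass'], perm_str)


def triage(rec):
    """Decide whether the denial calls for a relabel or an allow rule.

    Heuristic derived from this thread: executing files that carry a writable
    data type (asterisk_var_lib_t here) should be fixed by labeling the files
    bin_t (or another executable type), not by allowing execute on the data type,
    because that would let the domain run anything it can write.
    """
    perms = set(rec['perms'])
    is_exec_type = rec['ttype'] == 'bin_t' or rec['ttype'].endswith('_exec_t')
    if rec['tclass'] == 'file' and 'execute' in perms and not is_exec_type:
        return {'action': 'relabel', 'rule': allow_rule(rec),
                'reason': 'execute denied on data type %s; label the scripts '
                          'bin_t instead of allowing execute' % rec['ttype']}
    if rec['tclass'] == 'tcp_socket' and 'name_connect' in perms:
        return {'action': 'allow', 'rule': allow_rule(rec),
                'reason': 'outbound connect to %s; prefer a boolean that covers '
                          'this port if one exists, else add the rule' % rec['ttype']}
    return {'action': 'allow', 'rule': allow_rule(rec), 'reason': 'no special handling'}


def summarize(lines):
    """Parse a batch of audit lines and return (rule, action) pairs for the AVCs."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            t = triage(rec)
            out.append((t['rule'], t['action']))
    return out


if __name__ == '__main__':
    for rule, action in summarize(SAMPLE_AVCS):
        print('%-8s %s' % (action, rule))
```

Run on an audit.log slice (for example the lines grep'ed by the audit event id as in the comments above), the script prints one line per denial with the proposed rule and whether it looks like a labeling problem.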

Comment 10 Daniel Walsh 2014-05-17 10:10:06 UTC
42918d15f7e12bee011180d67aff30136bd08cec fixes this in git.

Comment 11 Lukas Vrabec 2014-06-02 14:34:18 UTC
I'll send patch to Miroslav.

Comment 13 Milos Malik 2014-07-24 18:31:04 UTC
Asterisk is not able to execute any file that is located in following directories, because of default labeling:

# matchpathcon /usr/share/asterisk/agi-bin
/usr/share/asterisk/agi-bin     system_u:object_r:usr_t:s0
# matchpathcon /var/lib/asterisk/agi-bin
/var/lib/asterisk/agi-bin       system_u:object_r:asterisk_var_lib_t:s0
#

Could we change the default labels to bin_t or lib_t? Could we create a special type for asterisk scripts?

Comment 14 Patrick Laimbock 2014-07-28 14:40:08 UTC
Milos: not sure what you are asking (me?). Is the patch that Dan mentioned in comment #10 not the fix? My SELinux foo is insufficient to comment on your question about the proper label.

Comment 15 Milos Malik 2014-07-28 14:56:19 UTC
The patch, that Dan mentioned in comment#10, fixes the AVC from comment#9, but does not fix the AVC from comment#0.

# matchpathcon /var/lib/asterisk/agi-bin
/var/lib/asterisk/agi-bin       system_u:object_r:asterisk_var_lib_t:s0
# sesearch -s asterisk_t -t asterisk_var_lib_t -c file -p execute --allow

# matchpathcon /usr/share/asterisk/agi-bin
/usr/share/asterisk/agi-bin     system_u:object_r:usr_t:s0
# sesearch -s asterisk_t -t usr_t -c file -p execute --allow

#
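
Added example (mine, not from the bug report or the selinux-policy package): a toy model of matchpathcon that shows why the two agi-bin directories get usr_t and asterisk_var_lib_t by default, why asterisk_t cannot execute either, and how a file-context entry mapping /usr/share/asterisk/agi-bin to bin_t changes the answer. The file-context table and the allow table are constructed to reproduce the matchpathcon and sesearch output in comments 5, 13 and 15; the exact regexes in the shipped policy and the matching algorithm in libselinux differ in detail.

```python
import re

# Constructed file-context specs in .fc style, chosen to reproduce the default
# labels this bug reports: usr_t under /usr, bin_t under /usr/bin and
# asterisk_var_lib_t under /var/lib/asterisk.
DEFAULT_SPECS = [
    (r'/usr(/.*)?', 'usr_t'),
    (r'/usr/bin(/.*)?', 'bin_t'),
    (r'/var/lib/asterisk(/.*)?', 'asterisk_var_lib_t'),
]

# Hypothetical local addition of the kind the fix introduced: label the AGI
# scripts bin_t (comment 19 shows that label after restorecon).
AGI_BIN_SPEC = (r'/usr/share/asterisk/agi-bin(/.*)?', 'bin_t')

# Constructed allow table: comment 5 shows asterisk_t can execute bin_t, and
# comment 15's sesearch shows no execute rule for usr_t or asterisk_var_lib_t.
ALLOW_EXECUTE = {('asterisk_t', 'bin_t')}


def _literal_prefix(regex):
    """Length of the leading regex part without metacharacters (its 'stem')."""
    return len(re.match(r'[^.^$?*+|()\[\]{}\\]*', regex).group(0))


def match_path(path, specs):
    """Return the type assigned to path by the most specific matching spec.

    Simplified model of the selection rule: among specs that match the whole
    path, the longest literal prefix wins; ties go to the later entry.
    """
    best = None
    for idx, (regex, stype) in enumerate(specs):
        if re.fullmatch(regex, path):
            key = (_literal_prefix(regex), idx)
            if best is None or key > best[0]:
                best = (key, stype)
    return best[1] if best else None


def can_execute(domain, path, specs):
    """True if the allow table lets domain execute a file labeled per specs."""
    return (domain, match_path(path, specs)) in ALLOW_EXECUTE


def before_and_after(path):
    """Label and executability of path with and without the agi-bin spec."""
    fixed = DEFAULT_SPECS + [AGI_BIN_SPEC]
    return {
        'before': (match_path(path, DEFAULT_SPECS), can_execute('asterisk_t', path, DEFAULT_SPECS)),
        'after': (match_path(path, fixed), can_execute('asterisk_t', path, fixed)),
    }


if __name__ == '__main__':
    for p in ('/usr/share/asterisk/agi-bin/googletts/googletts.agi',
              '/var/lib/asterisk/agi-bin/test.agi'):
        print(p, before_and_after(p))
```

The model reproduces the thread's observations: the EPEL location is usr_t until the extra spec is added, the Digium location stays asterisk_var_lib_t because nothing relabels it, and only the bin_t label makes the script executable for asterisk_t.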

Comment 16 Lukas Vrabec 2014-08-14 11:17:49 UTC
patch sent.

Comment 19 Patrick Laimbock 2014-08-22 14:57:32 UTC
I tested selinux-policy-3.7.19-251.el6 which dwalsh kindly made available.

Steps:
$ sudo yum install selinux*3.7.19-251*
$ sudo restorecon -v -F -R /usr/share/asterisk
$ ls -Z /usr/share/asterisk/agi-bin/googletts/
-rwxr-xr-x. asterisk asterisk system_u:object_r:bin_t:s0       googletts.agi

Made a call to an extension that launches the googletts script to convert some text to speech and play that back:

- Launched AGI Script /usr/share/asterisk/agi-bin/googletts/googletts.agi
    -- Playing '/tmp/ggl_MK9_qC' (escape_digits=) (sample_offset 0)
    -- <SIP/1000-0000001e>AGI Script googletts/googletts.agi completed, returning 0

Result: success & no more AVC

BZ can be closed. Thank you!

Comment 20 errata-xmlrpc 2014-10-14 08:02:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html

