#1  19th June 2012, 05:57 PM
d0gf (Registered User; Join Date: Jul 2007; Location: Latvia; Posts: 17)
"Missing" AVC denials (F17)

Hi,

For some background, I'm trying to get Asterisk to work with the stock ISDN drivers (ie. misdn 2.0 instead of dahdi). This works by running LCR, which handles the ISDN stuff (and can be used as a standalone ISDN PBX), in parallel with Asterisk. The two communicate with each other using a UNIX socket, and with the kernel using ISDN sockets.

After some fiddling I managed to make the control part (handled over the UNIX socket) to work using a custom policy for the Asterisk module, but I still get no audio if SELinux is set to enforcing. Switching to permissive mode gives me audio, but in both cases there are no AVC denials.

Any ideas?

Both Asterisk and LCR are started via systemd. I did not bother to write a policy module for LCR, so it is running as system_u:system_r:initrc_t:s0 (which seems to be working fine). The Asterisk policy module is quite simple:

Code:
policy_module(asterisk_lcr,1.0.0)

require {
    type var_run_t;
    type asterisk_t;
    type initrc_t;
    class sock_file write;
    class socket { create bind };
    class unix_stream_socket connectto;
}


#####################################################
# Allow Asterisk (via chan_lcr.so) to connect to    #
# /var/run/lcr/LCR.socket                           #
#####################################################

allow asterisk_t initrc_t:unix_stream_socket connectto;
allow asterisk_t var_run_t:sock_file write;
allow asterisk_t self:socket { create bind };
__________________
:wq
#2  20th June 2012, 09:56 AM
domg472 (SELinux Contributor; Join Date: May 2008; Posts: 623)
Re: "Missing" AVC denials (F17)

Some things are silently denied on purpose because the author of the policy config does not encourage allowing the particular access.

You can build the policy configuration with the "dontaudit" rules removed by running "semodule -DB". This will expose any hidden denials. To build the policy configuration with the "dontaudit" rules re-inserted, run "semodule -B".

If you want help writing proper policy for your setup then you are welcome to join #fedora-selinux on irc.freenode.org and to "/query grift".
I will be willing to write the policy for you if you provide feedback and do testing.
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/
#3  22nd June 2012, 06:11 PM
d0gf (Registered User; Join Date: Jul 2007; Location: Latvia; Posts: 17)
Re: "Missing" AVC denials (F17)

Thanks!

I suspected that dontaudit was hiding things, but for some reason I missed those two commands. The SELinux FAQ entry gives semodule -b /usr/share/selinux/targeted/enableaudit.pp as the command to turn off dontaudit rules, but there is no such file on F17.
__________________
:wq
#4  22nd June 2012, 06:16 PM
domg472 (SELinux Contributor; Join Date: May 2008; Posts: 623)
Re: "Missing" AVC denials (F17)

Yes, that's old (fc6/rhel5); semodule -DB/-B is the replacement.
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/
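An added example, not code from the thread or from any of the posters: a POSIX shell script that wraps the "semodule -DB", reproduce, "semodule -B" cycle described in posts #2 and #4 and reduces the raw audit records to unique denial tuples so the hidden access stands out. The semodule and ausearch invocations, the script name and the sample AVC records are assumptions constructed for the example; only summarize_avc runs offline.

```shell
#!/bin/sh
# Surface AVC denials hidden by dontaudit rules (semodule -DB / -B cycle) and
# summarize them. Assumes policycoreutils (semodule) and audit (ausearch) are
# installed and the live run happens as root; summarize_avc needs only awk/sort.

# Reduce raw AVC records on stdin to unique "source -> target class { perms }"
# tuples, so repeated denials from a retry loop collapse into one line.
summarize_avc() {
    awk '
        /avc: +denied/ {
            perms = ""; sc = ""; tc = ""; cl = ""
            if (match($0, /\{[^}]*\}/)) perms = substr($0, RSTART, RLENGTH)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      sc = substr($i, 10)
                else if ($i ~ /^tcontext=/) tc = substr($i, 10)
                else if ($i ~ /^tclass=/)   cl = substr($i, 8)
            }
            print sc " -> " tc " " cl " " perms
        }' | sort -u
}

# Rebuild the policy without dontaudit rules, run the command that reproduces
# the failure ("$@"), collect recent AVC records, and put the dontaudit rules
# back even when nothing matched (ausearch exits non-zero on no matches).
surface_hidden_denials() {
    semodule -DB
    "$@" || true
    ausearch -m AVC -ts recent --raw 2>/dev/null | summarize_avc || true
    semodule -B
}

# Constructed sample records (not output from the poster's system): two retries
# of the same connectto denial plus an unrelated SYSCALL record.
SAMPLE_AUDIT='type=AVC msg=audit(1340120000.123:456): avc:  denied  { connectto } for  pid=1234 comm="asterisk" path="/var/run/lcr/LCR.socket" scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1340120000.124:457): avc:  denied  { connectto } for  pid=1234 comm="asterisk" path="/var/run/lcr/LCR.socket" scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1340120000.124:457): arch=c000003e syscall=42 success=no exit=-13 comm="asterisk"'

# Offline demonstration of the summarizer on the constructed sample.
demo_summary() {
    printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
}

# Live run only when explicitly requested, e.g. (hypothetical script name):
#   SURFACE_AVC_RUN=1 sh surface_avc.sh systemctl restart asterisk
if [ "${SURFACE_AVC_RUN:-0}" = 1 ]; then
    surface_hidden_denials "$@"
else
    demo_summary
fi
```

The summary line names exactly the source type, target type, class and permission that an allow rule in the .te file would need, which is what the policy module in post #1 already spells out for the control socket.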