
From: Nico Baggus <gentoo@×××××××××××.nl>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Asterisk...
Date: Thu, 03 Nov 2011 01:25:40
Message-Id: 201111030224.47326.gentoo@noci.xs4all.nl
This fixed quite a few of the messages.
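# Local SELinux policy module for the Asterisk daemon domain (asterisk_t),
# in the shape produced from a batch of denial records. Every rule below
# widens what asterisk_t, initrc_t or sysadm_t may do; nothing is restricted.
module astnb 1.0;

require {
	type var_run_t;
	type var_log_t;
	type asterisk_t;
	type var_spool_t;
	type initrc_t;
	type var_lib_t;
	type sysadm_t;
	type asterisk_log_t;
	type initrc_var_run_t;
	type asterisk_var_run_t;
	class socket { write read };
	class process setpgid;
	class unix_stream_socket { connectto accept listen };
	class capability { dac_read_search chown };
	class file { rename setattr read create write getattr link unlink open append };
	class sock_file { write create unlink };
	class dir { read write add_name setattr remove_name };
}

#============= asterisk_t ==============
# Talk to a unix socket held by the init-script domain and write a file
# labelled as the init script's runtime state (presumably a pidfile under
# /var/run - confirm which file triggered this).
allow asterisk_t initrc_t:unix_stream_socket connectto;
allow asterisk_t initrc_var_run_t:file { write getattr };
# dac_read_search lets the daemon bypass discretionary read/search checks on
# any file; chown lets it change file ownership. Both are broad grants, so
# it is worth confirming which Asterisk operation actually needs them.
allow asterisk_t self:capability { dac_read_search chown };
allow asterisk_t self:process setpgid;
allow asterisk_t self:socket { write read };
allow asterisk_t self:unix_stream_socket { accept listen };
# The rules below target the generic var_lib_t / var_log_t / var_run_t /
# var_spool_t types, i.e. files under /var that carry no application-specific
# label, not only Asterisk's own files. The narrower fix is to label the
# Asterisk paths with asterisk-specific types (this module already requires
# asterisk_log_t and asterisk_var_run_t) so that these grants can be dropped;
# the sock_file create/unlink rule in particular usually indicates a missing
# file-context entry or type transition rather than a needed permission.
allow asterisk_t var_lib_t:file { read write getattr open };
allow asterisk_t var_log_t:file { getattr open append };
allow asterisk_t var_run_t:dir setattr;
allow asterisk_t var_run_t:sock_file { write create unlink };
allow asterisk_t var_spool_t:dir { read write add_name remove_name };
allow asterisk_t var_spool_t:file { rename write getattr link create unlink open };

#============= initrc_t ==============
# The init script adjusting attributes (ownership/mode) of Asterisk's log and
# runtime files, plus the generic /var/run directory.
allow initrc_t asterisk_log_t:file setattr;
allow initrc_t asterisk_var_run_t:file setattr;
allow initrc_t var_run_t:dir setattr;

#============= sysadm_t ==============
# Lets the administrator role connect to the daemon's unix socket (e.g. the
# console client). The original line was missing its terminating ';', which
# makes checkmodule reject the whole module.
allow sysadm_t asterisk_t:unix_stream_socket connectto;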