[asterisk-bugs] [JIRA] (ASTERISK-28770) res_pjsip: AVC denial with default SELinux setup on CentOS 7

Corey Farrell (JIRA) noreply at issues.asterisk.org
Thu Mar 5 13:07:25 CST 2020


     [ https://issues.asterisk.org/jira/browse/ASTERISK-28770?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Corey Farrell updated ASTERISK-28770:
-------------------------------------

    Attachment: res_pjsip.te.txt

I've attached the result of iterating over all AVC denials using audit2allow; the attachment is the TE for a {{res_pjsip}} semodule.  While iterating on the issue I found that it was trying to read {{/proc/sys/net/ipv6/conf/all/disable_ipv6}}, which does not seem unreasonable, so it is probably best to allow this instead of silencing it.

> res_pjsip: AVC denial with default SELinux setup on CentOS 7
> ------------------------------------------------------------
>
>                 Key: ASTERISK-28770
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28770
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip
>    Affects Versions: 13.31.0
>         Environment: Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
>            Reporter: Corey Farrell
>            Severity: Minor
>         Attachments: res_pjsip.te.txt
>
>
> When starting Asterisk under CentOS 7 I get the following audit log message:
> {noformat}
> type=AVC msg=audit(1583334492.502:2469): avc:  denied  { search } for  pid=28909 comm="asterisk" name="net" dev="proc" ino=1405 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
> {noformat}
> I have isolated this to res_pjsip.so by setting {{autoload=no}} and loading modules one at a time.  It is unknown when this problem started; 13.31.0 is the first version in which I've tried chan_pjsip.  I haven't noticed any problems caused by the AVC denial, though I'm positive many features of chan_pjsip are going unused in my deployment.
> Asterisk is being executed by systemd:
> {code:none}
> [Unit]
> Description=Asterisk PBX and telephony daemon.
> After=network.target
> [Service]
> Type=simple
> Environment=HOME=/var/lib/asterisk
> WorkingDirectory=/var/lib/asterisk
> User=asterisk
> Group=asterisk
> ExecStart=/usr/sbin/asterisk -mqf -C /etc/asterisk/asterisk.conf
> ExecStop=/usr/sbin/asterisk -rx 'core stop now'
> ExecReload=/usr/sbin/asterisk -rx 'core reload'
> LimitCORE=infinity
> StandardOutput=null
> PrivateTmp=true
> [Install]
> WantedBy=multi-user.target
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
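Added example (not part of this report or of the attached res_pjsip.te.txt): a small shell helper that turns AVC records like the one quoted above into the TE source for a semodule, in the shape audit2allow emits, and lets you choose between granting the access (allow) and only silencing the log (dontaudit). The real commands for the CentOS 7 host are listed in the comments; the awk translation is a stand-in so the output can be checked on a box without SELinux tools, and it is an assumption that audit2allow would produce equivalent rules for the same records. The second audit line in the sample is constructed, as is the sysctl_net_t label it gives to disable_ipv6.

```sh
#!/bin/sh
# Added example: not from the bug report or from the attached res_pjsip.te.txt.
# Turns AVC denial records into a minimal SELinux Type Enforcement (TE) module
# source, the same shape audit2allow writes out.
#
# On the CentOS 7 host the real pipeline (policycoreutils-python) is:
#   ausearch -m avc -c asterisk | audit2allow -M res_pjsip    # writes res_pjsip.te and .pp
#   semodule -i res_pjsip.pp
# or, from a hand-edited res_pjsip.te such as this script prints:
#   checkmodule -M -m -o res_pjsip.mod res_pjsip.te
#   semodule_package -o res_pjsip.pp -m res_pjsip.mod
#   semodule -i res_pjsip.pp
# The awk parser below stands in for audit2allow so the translation can be checked
# without SELinux tools; assumption: audit2allow emits equivalent rules for this input.

# Constructed sample audit log. Line 1 is the record from the report. Line 2 is
# constructed (timestamp, serial and ino invented): the follow-on denial you would
# expect once `search` on the directory is allowed and res_pjsip gets as far as
# reading /proc/sys/net/ipv6/conf/all/disable_ipv6; labelling it sysctl_net_t is an
# assumption based on the file living under /proc/sys/net.
AVC_SAMPLE='type=AVC msg=audit(1583334492.502:2469): avc:  denied  { search } for  pid=28909 comm="asterisk" name="net" dev="proc" ino=1405 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1583334492.503:2470): avc:  denied  { read } for  pid=28909 comm="asterisk" name="disable_ipv6" dev="proc" ino=1406 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0'

# avc_to_te MODULE [allow|dontaudit]   (audit records on stdin, TE source on stdout)
# allow grants the access; dontaudit only stops the logging, so the read of
# disable_ipv6 would still fail silently. That is the reason to allow it here.
avc_to_te() {
    awk -v mod="${1:?module name}" -v kw="${2:-allow}" '
    /avc: *denied/ {
        perms = ""; inb = 0; s = ""; t = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # permissions sit between { and }; everything else is key=value
            if ($i == "{") { inb = 1; continue }
            if ($i == "}") { inb = 0; continue }
            if (inb) { perms = perms " " $i; continue }
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
            if (k == "scontext") { split(v, c, ":"); s = c[3] }   # user:role:TYPE:level
            if (k == "tcontext") { split(v, c, ":"); t = c[3] }
            if (k == "tclass") cls = v
        }
        if (s == "" || t == "" || cls == "") next
        # one rule per (source type, target type, class); permissions are de-duplicated
        key = s SUBSEP t SUBSEP cls
        if (!(key in rule)) { order[++nk] = key; rule[key] = "" }
        if (!(s in tseen)) { tseen[s] = 1; torder[++nt] = s }
        if (!(t in tseen)) { tseen[t] = 1; torder[++nt] = t }
        if (!(cls in cseen)) { cseen[cls] = 1; corder[++nc] = cls; cperm[cls] = "" }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) {
            if (!((key, p[j]) in pseen)) { pseen[key, p[j]] = 1; rule[key] = rule[key] " " p[j] }
            if (!((cls, p[j]) in cpseen)) { cpseen[cls, p[j]] = 1; cperm[cls] = cperm[cls] " " p[j] }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", torder[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", corder[i], cperm[corder[i]]
        printf "}\n\n"
        for (i = 1; i <= nk; i++) {
            split(order[i], f, SUBSEP)
            printf "%s %s %s:%s {%s };\n", kw, f[1], f[2], f[3], rule[order[i]]
        }
    }'
}

# `sh avc_to_te.sh --demo` prints the TE for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$AVC_SAMPLE" | avc_to_te res_pjsip
fi
```

On a live system replace the constructed sample with `ausearch -m avc -c asterisk` output collected across several restarts, since each allowed access tends to expose the next denial (the report's iteration), and compare the generated rules against the attached res_pjsip.te.txt before loading anything with semodule.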
