[Asterisk-Dev] SELinux and Asterisk

steve szmidt steve at szmidt.org
Wed Nov 10 08:12:12 MST 2004


Hi,

With the release of FC3 SELinux is now enabled by default on Fedora. 

For more details see http://fedora.redhat.com/docs/selinux-faq-fc3/

This is a great method of adding granular security to Linux.

As no policies probably exist at this point (for Asterisk) I realize that 
it's a good idea to start the design of the necessary policies. However, 
SELinux is not for the faint of heart, and with the limiting/crippling 
abilities that it has, I thought it a good idea if we try to poll the 
efforts.

Looking a bit further on this I also realize that a specific security related 
list is a possible route to take. For nothing but keeping it more accessible 
and focused.

I also realize that we have not really seen much noise from this particular 
area, but as anyone with security experience can say that does not mean we do 
not have potential holes. The Best Practice outlook suggests establishing 
guidelines for any service running on a server.

To this end many of us take extra precautions as to limit a possible 
violation. SELinux brings with it a long needed granular control over each 
process, and in general makes a server much more secure. Thus making its 
benefits obvious to anyone who has a server available online.

The sheer volume and noise in Users makes it a hard place to conduct such 
coordination. Being forced to keep up with the volume just to see what might 
relate to any particular needs and interests is, as you all know, very time 
consuming. 

The process and experience of establishing and using various security modules 
and methods will obviously have its own share of problems. As it is so 
different and yet demands particular attention to details, I want to check 
for interest in creating and working with a security list for Asterisk. One 
could use the Developer list but I don't think that's really the best place 
either as it is not related to developing Asterisk. 

(As it might require coordination with developers too, I have CC'd that list. 
Where they can put their thoughts on the subject strictly from their point of 
view as developers.)

A security list would obviously carry all issues related to securing an 
Asterisk box, and as such ought to be with Digium, but if some issues for 
some reason make that undesirable, I might entertain the option of hosting 
it on a separate server. 

-- 

Steve Szmidt

"They that would give up essential liberty for temporary safety 
deserve neither liberty nor safety."
                                Benjamin Franklin


