[Asterisk-Dev] SELinux and Asterisk
steve szmidt
steve at szmidt.org
Wed Nov 10 08:12:12 MST 2004
Hi,
With the release of FC3, SELinux is now enabled by default on Fedora.
For more details see http://fedora.redhat.com/docs/selinux-faq-fc3/
This is a great method of adding granular security to Linux.
As no policies probably exist at this point (for Asterisk) I realize that
it's a good idea to start the design of the necessary policies. However,
SELinux is not for the faint of heart, and with the limiting/crippling
abilities that it has, I thought it a good idea if we try to poll the
efforts.
Looking a bit further on this I also realize that a specific security related
list is a possible route to take. For nothing but keeping it more accessible
and focused.
I also realize that we have not really seen much noise from this particular
area, but as anyone with security experience can say, that does not mean we do
not have potential holes. The Best Practice outlook suggests establishing
guidelines for any service running on a server.
To this end many of us take extra precautions as to limit a possible
violation. SELinux brings with it a long needed granular control over each
process, and in general makes a server much more secure. Thus making its
benefits obvious to anyone who has a server available online.
The sheer volume and noise in Users makes it a hard place to conduct such
coordination. Being forced to keep up with the volume just to see what might
relate to any particular needs and interests is, as you all know, very time
consuming.
The process and experience of establishing and using various security modules
and methods will obviously have its own share of problems. As it is so
different and yet demands particular attention to details, I want to check
for interest in creating and working with a security list for Asterisk. One
could use the Developer list but I don't think that's really the best place
either as it is not related to developing Asterisk.
(As it might require coordination with developers too, I have CC'd that list.
Where they can put their thought on the subject strictly from their point of
view as developers.)
A security list would obviously carry all issues related to securing an
Asterisk box, and as such ought to be with Digium, but if some issues for
some reason make that undesirable, I might entertain the option of hosting
it on a separate server.
--
Steve Szmidt
"They that would give up essential liberty for temporary safety
deserve neither liberty nor safety."
Benjamin Franklin