[asterisk-users] Asterisk installation script on CentOS7 with systemd [SOLVED]

Jean Aunis jean.aunis at prescom.fr
Mon Dec 19 10:58:28 CST 2016


On 19/12/2016 at 17:10, Olivier wrote:
>
>
> 2016-12-19 16:11 GMT+01:00 Jean Aunis <jean.aunis at prescom.fr>:
>
>     On 19/12/2016 at 15:54, Olivier wrote:
>>     <snip>
>>
>>     Running systemctl start asterisk fails with :
>>     Dec 19 15:43:08 foobar systemd: PID file
>>     /var/run/asterisk/asterisk.pid not readable (yet?) after start.
>>     Dec 19 15:43:09 foobar systemd: asterisk.service: main process
>>     exited, code=exited, status=1/FAILURE
>>     Dec 19 15:43:09 foobar asterisk: Unable to connect to remote
>>     asterisk (does /var/run/asterisk/asterisk.ctl exist?)
>>     Dec 19 15:43:09 foobar systemd: asterisk.service: control process
>>     exited, code=exited status=1
>>     Dec 19 15:43:09 foobar systemd: Unit asterisk.service entered
>>     failed state.
>>     Dec 19 15:43:09 foobar systemd: asterisk.service failed.
>>
>>
>>     But /usr/sbin/asterisk -vvvgF -U asterisk -G asterisk -C
>>     /etc/asterisk/asterisk.conf succeeds:
>>     # rasterisk
>>     Asterisk 13.13.1, Copyright (C) 1999 - 2014, Digium, Inc. and others.
>>     ...
>>     =========================================================================
>>     Running as user 'asterisk'
>>     Running under group 'asterisk'
>>     Connected to Asterisk 13.13.1 currently running on ...
>>
>>     Any hint or help on how to debug this?
>>     (I tried with and without any /run/asterisk directory owned by
>>     asterisk.asterisk)
>>
>>
>>     Best regards
>>
>>
>
>     Hello,
>
>     Make sure that selinux is disabled, or in "permissive" mode.
>     Otherwise it will prevent asterisk from starting.
>
>
> Thanks for the tip:
> changing to permissive mode made it!
>
> Using methods suggested in [1], do you think it's possible and worth 
> the effort to configure SELinux to work with Asterisk/Systemd in 
> Enforcing mode?
> A quick look at various tutorials shows they all disable SELinux.
>
>
>
> [1] https://wiki.centos.org/HowTos/SELinux
>

I never spent time to figure out how selinux should be configured for 
Asterisk, but it is certainly possible to do something clean about that. 
I noticed that, when I install Asterisk with a custom-made RPM package, 
SELinux will stop blocking it. I guess RPM has some magic embedded into 
it to configure SELinux with the proper rules.

Still, is it worth the effort? Probably not if you consider Asterisk 
alone: as it is running with the unprivileged user asterisk, the 
standard Linux permissions will protect your system if Asterisk is attacked.
But considering your system as a whole, disabling selinux may not be a 
good idea: other processes may be required to be secured with the selinux 
stuff.

I'm not an IT security expert, so please consider what I wrote above 
with caution.
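
Which accesses SELinux refuses to Asterisk can be read from the audit log before deciding about Enforcing mode, and denials are still logged while the system is in permissive mode. The script below is an added example, not part of the original messages: it groups AVC denial records for one command name by permission, object class and contexts. The sample records, their SELinux type names (`example_src_t`, `example_run_t`, `example_port_t`) and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for one command name.

# Constructed sample records in audit.log AVC format (not taken from the thread).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1482158588.101:411): avc:  denied  { write } for  pid=2301 comm="asterisk" name="asterisk" dev="tmpfs" ino=20111 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_run_t:s0 tclass=dir
type=AVC msg=audit(1482158589.007:415): avc:  denied  { write } for  pid=2307 comm="asterisk" name="asterisk" dev="tmpfs" ino=20111 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_run_t:s0 tclass=dir
type=AVC msg=audit(1482158589.350:416): avc:  denied  { read } for  pid=1 comm="systemd" name="asterisk.pid" dev="tmpfs" ino=20115 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_run_t:s0 tclass=file
type=SYSCALL msg=audit(1482158589.350:416): arch=c000003e syscall=2 success=no exit=-13 comm="systemd"
type=AVC msg=audit(1482158590.200:420): avc:  denied  { name_bind } for  pid=2307 comm="asterisk" src=5060 scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=udp_socket
EOF
}

# Usage: summarize_avc COMM < audit-log
# Prints "count perms tclass scontext tcontext", most frequent first.
summarize_avc() {
    awk -v want="comm=\"$1\"" '
        # Only AVC denial records; SYSCALL and other record types are skipped.
        $1 == "type=AVC" && / denied / {
            hit = 0; perms = ""; inb = 0; s = t = c = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == want) hit = 1                 # record is for our command
                else if ($i == "{") inb = 1             # start of permission list
                else if ($i == "}") inb = 0             # end of permission list
                else if (inb) perms = perms (perms == "" ? "" : ",") $i
                else if ($i ~ /^scontext=/) s = substr($i, 10)
                else if ($i ~ /^tcontext=/) t = substr($i, 9 + 1)
                else if ($i ~ /^tclass=/)   c = substr($i, 8)
            }
            # Identical denials collapse into one line with a counter.
            if (hit) n[perms " " c " " s " " t]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Run against the constructed sample.
sample_avc | summarize_avc asterisk
```

On a real host, feed it `/var/log/audit/audit.log` as root instead of the sample.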