
Summary: ASTERISK-28770: res_pjsip: AVC denial with default SELinux setup on CentOS 7
Reporter: Corey Farrell (coreyfarrell)
Labels:
Date Opened: 2020-03-05 11:33:31.000-0600
Date Closed: 2020-03-05 13:44:29.000-0600
Priority: Minor
Regression?:
Status: Closed/Complete
Components: Resources/res_pjsip
Versions: 13.31.0
Frequency of Occurrence:
Related Issues:
Environment: Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Attachments: (0) res_pjsip.te.txt
Description: When starting Asterisk under CentOS 7 I get the following audit log message:
{noformat}
type=AVC msg=audit(1583334492.502:2469): avc:  denied  { search } for  pid=28909 comm="asterisk" name="net" dev="proc" ino=1405 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
{noformat}

I have isolated this to res_pjsip.so by setting {{autoload=no}} and loading modules one at a time. It is unknown when this problem started; 13.31.0 is the first version in which I've tried chan_pjsip. I haven't noticed any problems caused by the AVC denial, though I'm positive many features of chan_pjsip are going unused in my deployment.

Asterisk is being executed by systemd:
{code:none}
[Unit]
Description=Asterisk PBX and telephony daemon.
After=network.target

[Service]
Type=simple
Environment=HOME=/var/lib/asterisk
WorkingDirectory=/var/lib/asterisk
User=asterisk
Group=asterisk
ExecStart=/usr/sbin/asterisk -mqf -C /etc/asterisk/asterisk.conf
ExecStop=/usr/sbin/asterisk -rx 'core stop now'
ExecReload=/usr/sbin/asterisk -rx 'core reload'

LimitCORE=infinity
StandardOutput=null
PrivateTmp=true

[Install]
WantedBy=multi-user.target
{code}
Comments:

By: Corey Farrell (coreyfarrell) 2020-03-05 13:05:47.991-0600

I've attached the result of iterating all AVC denials using audit2allow; attached is the TE for a {{res_pjsip}} semodule. While iterating the issue I found that it was trying to read {{/proc/sys/net/ipv6/conf/all/disable_ipv6}}, which does not seem unreasonable, so it is probably best to allow this instead of silencing it.

By: Corey Farrell (coreyfarrell) 2020-03-05 13:44:29.781-0600

See RHEL bug for details including an attachment with SELinux rules to fix the issue.
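The audit2allow step the reporter describes (turn each AVC denial into a type-enforcement rule, then decide whether the access deserves {{allow}} or only {{dontaudit}}) can be shown by hand. The script below is an added example, not code from this report, from the attached {{res_pjsip.te.txt}} or from the Asterisk project; it is a simplified stand-in for audit2allow, not audit2allow itself. It parses the {{type=AVC}} line quoted in the description plus one constructed line (pid, inode and timestamp made up) standing in for the follow-on read of {{/proc/sys/net/ipv6/conf/all/disable_ipv6}} that the reporter mentioned, assuming that file carries the same {{sysctl_net_t}} label as its parent directory (the usual refpolicy labelling for {{/proc/sys/net}}). It then merges the denials into a minimal {{.te}} module. The module name, version and the {{audit_text}} input are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the denial quoted in the report.
# Line 2 is a constructed (not captured) denial for the disable_ipv6 read the
# reporter mentioned; pid/ino/timestamps are invented. Line 3 is a non-AVC
# record that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1583334492.502:2469): avc:  denied  { search } for  pid=28909 comm="asterisk" name="net" dev="proc" ino=1405 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1583334492.503:2470): avc:  denied  { read } for  pid=28909 comm="asterisk" name="disable_ipv6" dev="proc" ino=1406 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1583334492.502:2469): arch=c000003e syscall=257 success=no exit=-13
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def type_of(context):
    """user:role:type[:range] -> type (the only part a TE rule needs)."""
    return context.split(":")[2]


def parse_avc(audit_text):
    """Extract denied (source type, target type, class, perms) from audit records."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH, ... records carry no access vector
        denials.append({
            "comm": m["comm"],
            "stype": type_of(m["scontext"]),
            "ttype": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": set(m["perms"].split()),
            # permissive=1 means the access was logged but actually granted
            "enforced": m["permissive"] != "1",
        })
    return denials


def _perm_str(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def te_rules(denials, keyword="allow"):
    """Merge denials per (source, target, class) into allow/dontaudit rules.

    keyword="dontaudit" is what 'audit2allow -D' produces: it silences the
    denial without granting the access, which is the wrong choice when the
    access is legitimate (as the reporter judged the disable_ipv6 read to be).
    """
    if keyword not in ("allow", "dontaudit"):
        raise ValueError("keyword must be 'allow' or 'dontaudit'")
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [f"{keyword} {s} {t}:{c} {_perm_str(perms)};"
            for (s, t, c), perms in sorted(merged.items())]


def te_module(name, version, denials, keyword="allow"):
    """Render a complete .te source: module header, require block, rules."""
    types = sorted({d["stype"] for d in denials} | {d["ttype"] for d in denials})
    classes = defaultdict(set)
    for d in denials:
        classes[d["tclass"]] |= d["perms"]
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_perm_str(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + te_rules(denials, keyword)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT)
    for d in denials:
        print(f"{d['comm']}: {d['stype']} -> {d['ttype']}:{d['tclass']} "
              f"{sorted(d['perms'])} enforced={d['enforced']}")
    print(te_module("res_pjsip_local", "1.0", denials))
```

The generated source is only a starting point: compare it against the attached {{res_pjsip.te.txt}} and the RHEL bug before trusting it, and prefer the narrowest rule that covers the legitimate access over whatever the merged denials happen to request. To build and load the module on CentOS 7 the usual sequence is {{checkmodule -M -m -o res_pjsip_local.mod res_pjsip_local.te}}, {{semodule_package -o res_pjsip_local.pp -m res_pjsip_local.mod}}, then {{semodule -i res_pjsip_local.pp}}; re-check {{ausearch -m AVC -ts recent}} afterwards to confirm the denial is gone rather than merely hidden.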