In preparation for adding support of SELinux to sipxecs, I am in the
process of coming up with a plan on how to install the policy.

 

I have created a SELinux Policy for sipxecs. The source policy file is
called: sipxecs.te. The policy binary is called: sipxecs.pp. I plan to
have both of these files as part of the build. This will allow anyone to
make specific changes to the source policy (.te file) and re-build it.
The first question is where should I locate these files in the build?

 

The SELinux install procedure is as follows:

1. I plan to change sipx_reset_cd to ask at the end if the installer
   would like to enable/disable SELinux (I think this was in a previous
   version of sipx_reset_cd but has since been removed). If the
   installer answers yes, then the following occurs:

   In file: etc/selinux/config

   Change the following line

   From:

       SELINUX=disabled

   To:

       SELINUX=enforcing

   Run the command: touch /.autorelabel and reboot.

2. I plan to add code to /etc/init.d/sipxpbx to do the following:

   a. Check if SELinux is enabled.
   b. If it is, then check to see if sipxecs.pp is loaded (using
      semodule -l).
   c. If this is not loaded, then load it using command: semodule -i

This means that the first time sipxpbx is run after the initial install,
it will install the sipxecs.pp. It will only need to do this once.

 

Note: We need to autorelabel all of the files on the system at bootup
(i.e. step 1), before we can install any new policies. This is why I
need to add the code to install the sipxecs.pp policy to the sipxpbx
file.

 

Note: I will also include instructions in the sipxecs.te source policy
on how to build and reload the policy if required.

 

Is this the best approach? If everyone is in agreement, I will generate
a patch for this.

 

At a later stage we may decide to add a sipxconfig control to this,
although this will mean having to reboot the system every time SELinux
is enabled/disabled. I think this is the first component on sipxecs that
will require this.

 

Paul.
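
The check proposed in step 2 of the message above, as an added example that is not part of the original message or of the sipxecs code. The function names, the POLICY_PP placeholder path and the overridable tool variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: first-run load of the sipxecs policy module from an init script.
# Assumptions: POLICY_PP is a placeholder path; tool names can be overridden
# so the logic can be exercised on a host without SELinux.
POLICY_NAME="${POLICY_NAME:-sipxecs}"
POLICY_PP="${POLICY_PP:-/path/to/sipxecs.pp}"   # placeholder, set by packaging
SELINUXENABLED="${SELINUXENABLED:-selinuxenabled}"
SEMODULE="${SEMODULE:-semodule}"

# Step a: selinuxenabled exits 0 only when SELinux is enabled.
selinux_is_enabled() {
    "$SELINUXENABLED" 2>/dev/null
}

# Step b: compare the first column of `semodule -l` exactly (older releases
# print "name version", newer ones only the name). A substring grep for
# "sipxecs" would wrongly accept a module such as "sipxecs_test".
policy_is_loaded() {
    "$SEMODULE" -l 2>/dev/null |
        awk -v m="$POLICY_NAME" '$1 == m { found = 1 } END { exit !found }'
}

# Step c: load the module only when needed. Returns 0 when nothing had to be
# done or the load succeeded, non-zero when the .pp is missing or the load fails.
ensure_sipxecs_policy() {
    selinux_is_enabled || return 0
    policy_is_loaded && return 0
    if [ ! -r "$POLICY_PP" ]; then
        echo "sipxecs: SELinux policy $POLICY_PP not found" >&2
        return 1
    fi
    "$SEMODULE" -i "$POLICY_PP"
}

# In an init script this would sit in the existing start action.
case "${1:-}" in
    start) ensure_sipxecs_policy ;;
esac
```

Returning non-zero when the .pp file is missing lets the init script report the failure instead of silently starting the service without its policy module.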

 

 
