Hello,

if I understand you correctly, you are referring to SELinux and the fact that there is no SELinux policy for Kamailio available on the system.

There is no SELinux policy that is provided by the Kamailio project. I am not aware of an existing policy that you could use; maybe some distributions provide something. If this is a hard requirement, you can create a policy for Kamailio from your side. Have a look e.g. at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux for some pointers.

If you've created something, it would be great if you could share it somewhere. In this case we might be able to include this in the Kamailio project, if appropriate.

Cheers,

Henning

________________________________
From: sr-users <[email protected]> on behalf of HimaBindu G <[email protected]>
Sent: Wednesday, 10 August 2022 08:35
To: [email protected] <[email protected]>
Subject: [SR-Users] Kamailio has unconfined processes

Hi,

Problem Description: Customer security scan returned unconfined services on Kamailio.

Unconfined processes run in unconfined domains

Rationale: For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules - it does not replace them.

Solution: Investigate any unconfined processes found during the audit action. They may need to have an existing security context assigned to them or a policy built for them.

Notes: Occasionally certain daemons such as backup or centralized management software may require running unconfined. Any such software should be carefully analyzed and documented before such an exception is made.

See Also: https://workbench.cisecurity.org/files/2485

For Kamailio
======
The command returned:

00 kamailio 00 kamailio 00 kamailio 00 kamailio 00 kamailio 10 kamailio 10 kamailio 10 kamailio 10 kamailio 00 kamailio 00 kamailio 00 kamailio 00 kamailio 33 kamailio 33 kamailio 33 kamailio 32 kamailio 17 kamailio 16 kamailio 33 kamailio 00 kamailio 00 kamailio 03 kamailio 05 kamailio 18 kamailio 17 kamailio 18 kamailio 18 kamailio 07 kamailio 00 sleep

Is any security context available to assign to kamailio processes? Can these services be run as confined services?

Please suggest us with resolution, thanks in advance.

Thanks & Regards,
Hima Bindu.
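Added example, not part of the original thread and not code from the Kamailio project: a small audit helper that reads process listings in the `ps -eZ` format (LABEL PID TTY TIME CMD, assumed here) and counts, per command, the processes whose SELinux type is `unconfined_service_t`. The sample listing is constructed for illustration; after a custom policy is loaded, the same check can confirm that the daemon has left the unconfined domain.

```shell
#!/bin/sh
# Added example: summarise processes running in the unconfined_service_t
# domain. Assumes input in `ps -eZ` format: LABEL PID TTY TIME CMD.

# Constructed sample listing (not taken from the thread).
sample_ps_output() {
cat <<'EOF'
LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:03 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023   912 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 2101 ?       00:00:00 kamailio
system_u:system_r:unconfined_service_t:s0 2102 ?       00:00:10 kamailio
system_u:system_r:unconfined_service_t:s0 2103 ?       00:00:33 kamailio
system_u:system_r:unconfined_service_t:s0 2150 ?       00:00:00 sleep
unconfined_u:unconfined_r:unconfined_t:s0 3001 pts/0   00:00:00 bash
EOF
}

# Reads a listing on stdin and prints "<count> <command>" for every command
# that has at least one process in unconfined_service_t.
unconfined_services() {
    awk '
        $1 == "LABEL" { next }              # skip the header line
        {
            split($1, ctx, ":")             # context is user:role:type:level
            if (ctx[3] == "unconfined_service_t")
                count[$5]++                 # $5 is the command name
        }
        END { for (cmd in count) print count[cmd], cmd }
    ' | sort -k2
}

# Succeeds (exit 0) only when no process is in unconfined_service_t.
audit_passes() {
    [ -z "$(unconfined_services)" ]
}

# Demonstration on the constructed sample; on a live system use:
#   ps -eZ | unconfined_services
sample_ps_output | unconfined_services
```

Interactive login shells in `unconfined_t` are deliberately not counted; only the service domain is matched.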
