
I am running Asterisk on Fedora 23 and am using the voicemail IMAP module to store voicemails to Gmail. When SELinux is in enforcing mode it prevents Asterisk from connecting to Gmail. Here is the error message from /var/log/audit/audit.log:

type=AVC msg=audit(1460344333.315:70807): avc:  denied  { name_connect } for  pid=823 comm="asterisk" dest=993 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=0

Because of this I have been forced to put SELinux in permissive mode. How can I fix SELinux to stop blocking Asterisk from making the outbound connection?

user553702

1 Answer

You need to create a custom SELinux policy and apply it on your system. It looks like Asterisk can't open a tcp_socket on port 993, so the policy might be:

# cat asterpolicy.te
module asterpolicy 1.0;
require {
          type asterisk_t;
          type pop_port_t;
          class tcp_socket name_connect;
}
#============= asterisk_t ==============
allow asterisk_t pop_port_t:tcp_socket name_connect;

After that, compile and enable your policy:

checkmodule -M -m asterpolicy.te -o asterpolicy.mod
semodule_package -o asterpolicy.pp -m asterpolicy.mod
semodule -i asterpolicy.pp

If you still have more problems with SELinux, try audit2why to see what kinds of violations would have been denied, and build custom policies with audit2allow.

PS: First, I missed the string with

module asterpolicy 1.0;

So, updated it.

  • Didn't work. I tried making the asterpolicy.te file and running the "checkmodule" command as shown, and I got this error: checkmodule -M -m asterpolicy.te -o asterpolicy.mod checkmodule: loading policy configuration from asterpolicy.te asterpolicy.te:2:ERROR 'Building a policy module, but no module specification found. ' at token 'require' on line 2: require { checkmodule: error(s) encountered while parsing configuration – user553702 Apr 11 '16 at 16:43
  • I tried audit2why and pasted in the log message, and it said this was caused by the boolean nis_enabled being set incorrectly and that I needed to run "setsebool -P nis_enabled 1". I did this and it seemed to work! I'm not sure what NIS (Network Information Service) has to do with Asterisk connecting to an IMAP server. But thankfully it seems that enabling that boolean solved my issue. – user553702 Apr 11 '16 at 20:52
  • Yes, I missed the first line in the policy script, sorry. The first line must be: module asterpolicy 1.0; – Anton Makovetsky Apr 12 '16 at 06:45
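
Added example, not part of the original thread and not code from the SELinux tools: a small shell function that derives the module source from the AVC denial quoted in the question, including the module line the first draft of the answer lacked. The helper names (avc_field, ctx_type, avc_to_te) and the fixed version 1.0 are assumptions made for illustration; on a real system audit2allow does this job.

```bash
# Added example (not from the thread): build a minimal module source from one AVC denial.
# SAMPLE_AVC is the denial quoted in the question; the helper names are hypothetical.
SAMPLE_AVC='type=AVC msg=audit(1460344333.315:70807): avc:  denied  { name_connect } for  pid=823 comm="asterisk" dest=993 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=0'

# Print the value of the key=value field named $2 in AVC line $1.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print the type, the third colon-separated part of a security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_te LINE MODULE: print a .te module allowing exactly what LINE denied.
# The body runs in a subshell so its variables stay local.
avc_to_te() (
    line=$1 module=$2
    case $line in
        *'avc:'*'denied'*) ;;
        *) echo 'not an AVC denial' >&2; exit 1 ;;
    esac
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    class=$(avc_field "$line" tclass)
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \(.*\) }.*/\1/p')
    if [ -z "$src" ] || [ -z "$tgt" ] || [ -z "$class" ] || [ -z "$perms" ]; then
        echo 'incomplete AVC record' >&2; exit 1
    fi
    # Several permissions need braces; a single one does not.
    case $perms in *' '*) perms="{ $perms }" ;; esac
    printf 'module %s 1.0;\n\nrequire {\n' "$module"
    printf '\ttype %s;\n' "$src"
    # A denial on the domain's own type uses "self" and declares the type once.
    if [ "$src" = "$tgt" ]; then tgt=self; else printf '\ttype %s;\n' "$tgt"; fi
    printf '\tclass %s %s;\n}\n\n' "$class" "$perms"
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$class" "$perms"
)

# Stand-alone use: print the module source for the denial above.
avc_to_te "$SAMPLE_AVC" asterpolicy
```

Redirect the output to asterpolicy.te and build it with the checkmodule, semodule_package and semodule commands from the answer. The resulting rule is scoped to asterisk_t connecting to ports labelled pop_port_t only.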