Re: [OpenSIPS-Users] solution to opensips control panel MI connection using fifo on CentOS 5 - selinux audit2allow

2011-01-18 Thread Skyler
Dave -

 Thanks for sharing this! I had the exact same problem and hadn't figured
out a solution yet. Much appreciated.

Skyler

On Thu, Jan 13, 2011 at 5:51 PM, Dave Singer dave.sin...@wideideas.com wrote:

 Banged my head for a while with why I couldn't get fifo working for the
 Control Panel
 I was getting sorry -- cannot open write fifo.

 Hope this can help others and maybe even make it into the docs.
 Found two problems.

 1. Apache process couldn't use /tmp/opensips_fifo because the permissions
 were prw-rw 1 root root
 I fixed that temporarily by chmod o+rw /tmp/opensips
 Unfortunately restarting opensips voids that fix unless you do chmod after
 each start after the fifo is created
 So I changed the user opensips runs as using the -u apache -g apache
 options.
 This solved my problem and made my system more safe from hackers through
 sip messages.

 2. SELinux (hate the good thing) was also blocking apache using it.
 I did some googling and found some mention of disabling selinux. Tried that
 and things worked.
 So I tried that and voilà! IT WORKED!!!
 Now I was bummed cause I don't want to completely disable SELinux, pain
 though it is.
 So I finally broke down and looked into the docs for SELinux and found
 audit2allow. YEA
 All you have to do to get SELinux to permanently allow something that should
 happen is pipe the audit lines that show the problem from
 /var/log/audit/audit.log (or /var/log/messages)
 Since an app may stop trying things SELinux may block after an initial
 rejection you want to set SELinux to permissive with
   setenforce Permissive
 Perform the actions, like using the MI from opensips-cp, that selinux stopped
 before; then you can use the logs to allow those specific actions.
 I used less to find the specific lines and then copied them into a file with
 just those lines.

 Here is an example with a file that only has the audit logs I want to
 allow:
 cat selinux_blocked_my_app | audit2allow -M opensipscp
 semodule -i opensipscp.pp

 That is it!!
 I wanted to transport it to other servers and make it easy to do on an
 install so I dug a little more and came up with this I can just cut and
 paste:

 cat > opensipscp.te <<EOF

 module opensipscp 1.0;

 require {
 type httpd_t;
 type tmp_t;
 class fifo_file { write getattr setattr read create unlink };
 }

 #============= httpd_t ==============
 allow httpd_t tmp_t:fifo_file { write getattr setattr read create unlink };
 EOF

 checkmodule -M -m -o opensipscp.mod opensipscp.te
 semodule_package -o opensipscp.pp -m opensipscp.mod
 semodule -i opensipscp.pp
 /bin/rm opensipscp.pp opensipscp.te opensipscp.mod


 Be sure in config/boxes.global.inc.php you have (or what you have for the
 fifo file)
   $boxes[$box_id]['mi']['conn']="/tmp/opensips_fifo";



 ___
 Users mailing list
 Users@lists.opensips.org
 http://lists.opensips.org/cgi-bin/mailman/listinfo/users




[OpenSIPS-Users] solution to opensips control panel MI connection using fifo on CentOS 5 - selinux audit2allow

2011-01-13 Thread Dave Singer
Banged my head for a while with why I couldn't get fifo working for the
Control Panel
I was getting sorry -- cannot open write fifo.

Hope this can help others and maybe even make it into the docs.
Found two problems.

1. Apache process couldn't use /tmp/opensips_fifo because the permissions
were prw-rw 1 root root
I fixed that temporarily by chmod o+rw /tmp/opensips
Unfortunately restarting opensips voids that fix unless you do chmod after
each start after the fifo is created
So I changed the user opensips runs as using the -u apache -g apache
options.
This solved my problem and made my system more safe from hackers through sip
messages.

2. SELinux (hate the good thing) was also blocking apache using it.
I did some googling and found some mention of disabling selinux. Tried that
and things worked.
So I tried that and voilà! IT WORKED!!!
Now I was bummed cause I don't want to completely disable SELinux, pain
though it is.
So I finally broke down and looked into the docs for SELinux and found
audit2allow. YEA
All you have to do to get SELinux to permanently allow something that should
happen is pipe the audit lines that show the problem from
/var/log/audit/audit.log (or /var/log/messages)
Since an app may stop trying things SELinux may block after an initial
rejection you want to set SELinux to permissive with
  setenforce Permissive
Perform the actions, like using the MI from opensips-cp, that selinux stopped
before; then you can use the logs to allow those specific actions.
I used less to find the specific lines and then copied them into a file with
just those lines.

Here is an example with a file that only has the audit logs I want to allow:
cat selinux_blocked_my_app | audit2allow -M opensipscp
semodule -i opensipscp.pp

That is it!!
I wanted to transport it to other servers and make it easy to do on an
install so I dug a little more and came up with this I can just cut and
paste:

cat > opensipscp.te <<EOF

module opensipscp 1.0;

require {
type httpd_t;
type tmp_t;
class fifo_file { write getattr setattr read create unlink };
}

#============= httpd_t ==============
allow httpd_t tmp_t:fifo_file { write getattr setattr read create unlink };
EOF

checkmodule -M -m -o opensipscp.mod opensipscp.te
semodule_package -o opensipscp.pp -m opensipscp.mod
semodule -i opensipscp.pp
/bin/rm opensipscp.pp opensipscp.te opensipscp.mod


Be sure in config/boxes.global.inc.php you have (or what you have for the
fifo file)
  $boxes[$box_id]['mi']['conn']="/tmp/opensips_fifo";
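
The step Dave describes (collect only the AVC denial lines for the fifo, turn them into a targeted allow rule, and build that into a module instead of disabling SELinux) is what audit2allow does internally. The script below is an added example, not code from the thread, from OpenSIPS or from the audit2allow tool: it parses AVC denials into (source type, target type, class) -> permissions and renders a .te module in the same shape as the one in the post, so the rules can be reviewed before checkmodule/semodule_package/semodule are run. The audit log lines are constructed to match the httpd_t -> tmp_t:fifo_file case above; the module name is the poster's `opensipscp`.

```python
"""Derive a minimal SELinux allow rule set from AVC denial lines.

Added example (not part of the OpenSIPS thread, of OpenSIPS, or of the
audit2allow tool). It does for the fifo case what the poster used
audit2allow -M for, and only emits the permissions that were actually
denied, which keeps the module as narrow as the observed behaviour.
"""
import re
from collections import defaultdict

# Constructed sample of what /var/log/audit/audit.log shows while opensips-cp
# (running under httpd, domain httpd_t) is denied access to the MI fifo in /tmp.
# Granted events and SYSCALL records are included to show they are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1294955000.123:42): avc:  denied  { write } for  pid=2345 comm="httpd" name="opensips_fifo" dev=sda1 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1294955000.456:43): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/tmp/opensips_fifo" dev=sda1 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1294955001.789:44): avc:  denied  { read } for  pid=2345 comm="httpd" name="opensips_fifo" dev=sda1 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1294955001.789:44): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1294955002.000:45): avc:  granted  { read } for  pid=1 comm="init" ...
"""

# Matches one AVC denial: the permission set, the source/target contexts and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_denials(log_text):
    """Return {(source_type, target_type, class): set(permissions)} from AVC denials."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # granted events, SYSCALL records and other types carry no rule
        # A context is user:role:type:level; the policy rule needs only the type.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return rules


def render_te(module_name, rules, version="1.0"):
    """Render a .te policy module in the same shape audit2allow -M produces."""
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Review this output, then feed it to checkmodule / semodule_package / semodule
    # exactly as the post does.
    print(render_te("opensipscp", parse_denials(SAMPLE_AUDIT_LOG)))
```

For the constructed log the module only grants `{ getattr read write }`; the hand-written module in the post also allows `setattr`, `create` and `unlink`, which the control panel needs only if it is expected to manage the fifo itself rather than just talk through it. Generating the rule from the denials seen during a permissive run, as the post suggests, is how to find out which set is really required.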