[OpenSIPS-Users] solution to opensips control panel MI connection using fifo on CentOS 5 - selinux audit2allow

Skyler skchopperguy at gmail.com
Tue Jan 18 11:38:08 CET 2011


Dave -

 Thanks for sharing this! I had the exact same problem and hadn't figured
out a solution yet. Much appreciated.

Skyler

On Thu, Jan 13, 2011 at 5:51 PM, Dave Singer <dave.singer at wideideas.com> wrote:

> Banged my head for a while with why I couldn't get fifo working for the
> Control Panel
> I was getting "sorry -- cannot open write fifo".
>
> Hope this can help others and maybe even make it into the docs.
> Found two problems.
>
> 1. Apache process couldn't use /tmp/opensips_fifo because the permissions
> were prw-rw---- 1 root root
> I fixed that temporarily by chmod o+rw /tmp/opensips
> Unfortunately restarting opensips voids that fix unless you do chmod after
> each start after the fifo is created
> So I changed the user opensips runs as using the -u apache -g apache
> options.
> This solved my problem and made my system more safe from hackers through
> sip messages.
>
> 2. SELinux (hate the good thing) was also blocking apache using it.
> I did some googling and found some mention of disabling selinux. Tried that
> and things worked.
> So I tried that and voilà! IT WORKED!!!
> Now I was bummed cause I don't want to completely disable SELinux, pain
> though it is.
> So I finally broke down and looked into the docs for SELinux and found
> audit2allow. YEA
> All you have to do to get SELinux to permanently allow something that should
> happen is pipe the audit lines that show the problem from
> /var/log/audit/audit.log (or /var/log/messages)
> Since an app may stop trying things SELinux may block after an initial
> rejection, you want to set SELinux to permissive with
>   setenforce Permissive
> Perform the actions, like using the MI from opensips-cp, that were stopped
> by selinux before; then you can use the logs to allow those specific actions.
> I used less to find the specific lines then copied them into a file with
> just those lines.
>
> Here is an example with a file that only has the audit logs I want to
> allow:
> cat selinux_blocked_my_app | audit2allow -M opensipscp
> semodule -i opensipscp.pp
>
> That is it!!
> I wanted to transport it to other servers and make it easy to do on an
> install so I dug a little more and came up with this I can just cut and
> paste:
>
> cat > opensipscp.te <<EOF
>
> module opensipscp 1.0;
>
> require {
>         type httpd_t;
>         type tmp_t;
>         class fifo_file { write getattr setattr read create unlink };
> }
>
> #============= httpd_t ==============
> allow httpd_t tmp_t:fifo_file { write getattr setattr read create unlink };
> EOF
>
> checkmodule -M -m -o opensipscp.mod opensipscp.te
> semodule_package -o opensipscp.pp -m opensipscp.mod
> semodule -i opensipscp.pp
> /bin/rm opensipscp.pp opensipscp.te opensipscp.mod
>
>
> Be sure in config/boxes.global.inc.php you have (or what you have for the
> fifo file)
>   $boxes[$box_id]['mi']['conn']="/tmp/opensips_fifo";
>
>
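
Added example, not part of the original posts: the step of picking the relevant audit lines by hand with less can be scripted. This sketch keeps only AVC denials where httpd_t touched a FIFO with the given name, so nothing unrelated in the log is turned into an allow rule; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit lines (assumed format, not from a real system).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1295000000.101:210): avc:  denied  { write } for  pid=2101 comm="httpd" name="opensips_fifo" dev=sda1 ino=4411 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1295000000.105:211): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/tmp/opensips_fifo" dev=sda1 ino=4411 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1295000001.200:212): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3306 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1295000002.300:213): avc:  denied  { read } for  pid=2290 comm="mysqld" name="opensips_fifo" dev=sda1 ino=4411 scontext=root:system_r:mysqld_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1295000003.400:214): avc:  denied  { read } for  pid=2101 comm="httpd" name="opensips_fifo" dev=sda1 ino=4411 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1295000004.500:215): avc:  denied  { write } for  pid=2101 comm="httpd" name="other_fifo" dev=sda1 ino=4500 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=fifo_file
EOF
}

# filter_fifo_denials [FIFO_NAME]  (hypothetical helper)
# Reads audit lines on stdin and prints only AVC denials whose source domain
# is httpd_t, whose class is fifo_file and whose name=/path= ends in FIFO_NAME.
filter_fifo_denials() {
    awk -v fifo="${1:-opensips_fifo}" '
        /type=AVC/ && /denied/ &&
        /scontext=[^ ]*:httpd_t:/ &&
        / tclass=fifo_file( |$)/ &&
        $0 ~ ("(name=\"|/)" fifo "\"")
    '
}

# denied_perms [FIFO_NAME]  (hypothetical helper)
# Lists the distinct permissions in the matching denials, one per line, so
# the generated rule can be compared against what was actually requested.
denied_perms() {
    filter_fifo_denials "$@" |
        sed -n 's/.*denied  *{ \([^}]*\) }.*/\1/p' |
        tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Demo on the constructed sample. On a real host, feed the filter from
# /var/log/audit/audit.log and pipe its output into: audit2allow -M opensipscp
sample_audit_log | denied_perms
```

Comparing the permissions this reports with the ones listed in the .te file shows whether the module grants more than the observed denials required.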