From brian at freeswitch.org Mon Sep 9 06:04:40 2013
From: brian at freeswitch.org (Brian West)
Date: Sun, 8 Sep 2013 21:04:40 -0500
Subject: [freeswitch-sec] So, This is what we've become?
Message-ID: <26177AA9-4A0A-4EBA-B350-A21A2A4E1D1C@freeswitch.org>

I sense you're lazy, Let's actually keep this moving along, AES-512 for RTP, 8192 for TLS...

Anyone else sense that the status quo has been accepted? Thoughts?

--
Brian West
brian at freeswitch.org
FreeSWITCH Solutions, LLC
PO BOX PO BOX 2531
Brookfield, WI 53008-2531
Twitter: @FreeSWITCH_Wire , @briankwest
http://www.freeswitchbook.com
http://www.freeswitchcookbook.com

T: +1.918.420.9001 | F: +1.918.420.9002 | M: +1.918.424.WEST
iNUM: +883 5100 1420 9001
ISN: 410*543
Skype:briankwest
PGP Key: http://www.bkw.org/key.txt (AB93356707C76CED)

From kris at kriskinc.com Mon Sep 9 19:10:15 2013
From: kris at kriskinc.com (Kristian Kielhofner)
Date: Mon, 9 Sep 2013 11:10:15 -0400
Subject: [freeswitch-sec] FreeSWITCH selinux policy sponsorship
Message-ID:

Hello all,

My company would like to sponsor the development of a proper selinux policy for FreeSWITCH. How should we get this going?

--
Kristian Kielhofner

From brian at freeswitch.org Mon Sep 9 19:20:49 2013
From: brian at freeswitch.org (Brian West)
Date: Mon, 9 Sep 2013 10:20:49 -0500
Subject: [freeswitch-sec] FreeSWITCH selinux policy sponsorship
In-Reply-To:
References:
Message-ID: <9EB90DD7-434F-4EFD-9B4E-4CC7ACBA6FE3@freeswitch.org>

Kristian,

I personally do not have any experience in this area, Maybe someone on the Dev/Users list would be interested in this topic?
/b

--
Brian West

On Sep 9, 2013, at 10:10 AM, Kristian Kielhofner wrote:

> Hello all,
>
> My company would like to sponsor the development of a proper selinux
> policy for FreeSWITCH. How should we get this going?
>
> --
> Kristian Kielhofner

From brian at freeswitch.org Fri Sep 13 22:05:47 2013
From: brian at freeswitch.org (Brian West)
Date: Fri, 13 Sep 2013 13:05:47 -0500
Subject: [freeswitch-sec] Friday Call… don't forget to join in!
Message-ID:

Don't forget the Friday Free For all is on... I'm here all alone waiting for you... however creepy that sounds! :P

LOL

--
Brian West

From bdfoster at davri.com Mon Sep 9 19:40:09 2013
From: bdfoster at davri.com (Brian Foster)
Date: Mon, 9 Sep 2013 11:40:09 -0400
Subject: [freeswitch-sec] So, This is what we've become?
In-Reply-To: <26177AA9-4A0A-4EBA-B350-A21A2A4E1D1C@freeswitch.org>
References: <26177AA9-4A0A-4EBA-B350-A21A2A4E1D1C@freeswitch.org>
Message-ID:

I guess it needs to be higher now that the NSA can crack it.

Thank you,

Brian Foster
Project Manager/Owner's Representative
Davri Investments, Incorporated
P: +1-317-787-2686
M: +1-317-600-9753
Indianapolis, Indiana

On Sun, Sep 8, 2013 at 10:04 PM, Brian West wrote:

> I sense you're lazy, Let's actually keep this moving along, AES-512 for
> RTP, 8192 for TLS...
>
> Anyone else sense that the status quo has been accepted? Thoughts?

From bdfoster at davri.com Sat Sep 14 02:06:32 2013
From: bdfoster at davri.com (Brian Foster)
Date: Fri, 13 Sep 2013 18:06:32 -0400
Subject: [freeswitch-sec] Friday Call… don't forget to join in!
In-Reply-To:
References:
Message-ID:

Are you still there? Anyone?

Brian David Foster | Computer Science Major | Purdue School of Science @ *IU PUI*

On Fri, Sep 13, 2013 at 2:05 PM, Brian West wrote:

> Don't forget the Friday Free For all is on... I'm here all alone waiting
> for you... however creepy that sounds! :P
>
> LOL

From melcon at gmail.com Wed Sep 18 03:14:34 2013
From: melcon at gmail.com (Melcon Moraes)
Date: Tue, 17 Sep 2013 20:14:34 -0300
Subject: [freeswitch-sec] subscribe
Message-ID:

From herrold at owlriver.com Thu Sep 19 22:10:06 2013
From: herrold at owlriver.com (R P Herrold)
Date: Thu, 19 Sep 2013 14:10:06 -0400 (EDT)
Subject: [freeswitch-sec] FreeSWITCH selinux policy sponsorship
In-Reply-To: <9EB90DD7-434F-4EFD-9B4E-4CC7ACBA6FE3@freeswitch.org>
References: <9EB90DD7-434F-4EFD-9B4E-4CC7ACBA6FE3@freeswitch.org>
Message-ID:

On Mon, 9 Sep 2013, Brian West wrote:

> I personally do not have any experience in this area,
> Maybe someone on the Dev/Users list would be interested in
> this topic?

> On Sep 9, 2013, at 10:10 AM, Kristian Kielhofner wrote:

>> My company would like to sponsor the development of a proper selinux
>> policy for FreeSWITCH. How should we get this going?

been travelling -- sorry for the delay in reply

Hi, Kristian

Writing SELinux rules that are durable is tied to getting repeatable packaging together (so that the binaries are predictably in the same places), and talking across the same network ports, etc. As FreeSwitch is somewhat a moving target, and not 'packaged' in a 'major' distribution's main line -- really, RHEL, CentOS or Fedora here -- a set of rules needs to be crafted and maintained locally

Are you using a packaging such as that from sipXecs / eZuce? If so, I can probably guide you through the ruleset generation. In which FS ML shall we do this? Cross-posting to three is probably rather rude

... fwiw, I've posted pretty sharply to the negative about people NOT using SELinux with FreeSwitch [1] in the past

-- Russ herrold

[1] http://orcorc.blogspot.com/2010/12/ripping-out-safeties.html

From kris at kriskinc.com Thu Sep 19 22:38:19 2013
From: kris at kriskinc.com (Kristian Kielhofner)
Date: Thu, 19 Sep 2013 14:38:19 -0400
Subject: [freeswitch-sec] FreeSWITCH selinux policy sponsorship
In-Reply-To:
References: <9EB90DD7-434F-4EFD-9B4E-4CC7ACBA6FE3@freeswitch.org>
Message-ID:

Hi Russ,

Thanks for your input!
As Ken has already said in a separate follow-up I believe FreeSWITCH has matured/settled down enough for formal rules to be included with the source. With that said I'm unfamiliar with how SELinux rules are included/added to a given distro (and what SELinux differences there may be in between distros).

I certainly understand the desire for integration with distro specific file locations but the vast, vast majority of FreeSWITCH installs are done using the standard layout installed to either /opt/freeswitch or /usr/local/freeswitch. I have no problem developing rules around these locations.

Your thoughts?

On Thu, Sep 19, 2013 at 2:10 PM, R P Herrold wrote:

> On Mon, 9 Sep 2013, Brian West wrote:
>
>> I personally do not have any experience in this area, Maybe
>> someone on the Dev/Users list would be interested in this topic?
>
>> On Sep 9, 2013, at 10:10 AM, Kristian Kielhofner
>> wrote:
>
>>> My company would like to sponsor the development of a proper selinux
>>> policy for FreeSWITCH. How should we get this going?
>
> been travelling -- sorry for the delay in reply
>
> Hi, Kristian
>
> Writing SELinux rules that are durable is tied to getting repeatable
> packaging together (so that the binaries are predictably in the same
> places), and talking across the same network ports, etc. As FreeSwitch is
> somewhat a moving target, and not 'packaged' in a 'major' distribution's
> main line -- really, RHEL, CentOS or Fedora here -- a set of rules needs to
> be crafted and maintained locally
>
> Are you using a packaging such as that from sipXecs / eZuce?
> If so, I can probably guide you through the ruleset generation. In which FS
> ML shall we do this? Cross-posting to three is probably rather rude
>
> ...
> fwiw, I've posted pretty sharply to the negative about people NOT using
> SELinux with FreeSwitch [1] in the past
>
> -- Russ herrold
>
> [1] http://orcorc.blogspot.com/2010/12/ripping-out-safeties.html

--
Kristian Kielhofner

From herrold at owlriver.com Thu Sep 19 23:19:00 2013
From: herrold at owlriver.com (R P Herrold)
Date: Thu, 19 Sep 2013 15:19:00 -0400 (EDT)
Subject: [freeswitch-sec] FreeSWITCH selinux policy sponsorship
In-Reply-To:
References: <9EB90DD7-434F-4EFD-9B4E-4CC7ACBA6FE3@freeswitch.org>
Message-ID:

On Thu, 19 Sep 2013, Kristian Kielhofner wrote:

> installed to either /opt/freeswitch or /usr/local/freeswitch.

Linux FHS conformance (the 'world' I mostly live in), and recent Red Hat packaging practice would support the first; the second (/usr/local) -- not so much

Conspicuously, the freeswitch packaging has not landed in Fedora or EPEL, which are sort of gateways for RH being interested in adding SELinux rulesets

Some years ago at a SELinux presentation, I proposed at Ottawa Linux Symposium, and proposals have been floated from time to time to 'bundle' the SELinux rules for a given package within either the .spec file, or as some sort of 'mergeable' location per package.
Red Hat has chosen to go a different way, where there is a responsive maintainer (Dan Walsh) who seems to have more eyes than a peacock tail, as to SELinux issues on mailing lists

Carrying local libraries rather than using system ones as much as possible, is another stumbling block to consider and address

I've marked this for some more review after I get the FS SRPMS rebuilding locally

-- Russ herrold

From tc at travislists.com Thu Sep 19 23:58:13 2013
From: tc at travislists.com (Travis Cross)
Date: Thu, 19 Sep 2013 19:58:13 +0000
Subject: [freeswitch-sec] FreeSWITCH selinux policy sponsorship
In-Reply-To:
References: <9EB90DD7-434F-4EFD-9B4E-4CC7ACBA6FE3@freeswitch.org>
Message-ID: <523B5755.20602@travislists.com>

On 2013-09-19 18:38, Kristian Kielhofner wrote:

> I certainly understand the desire for integration with distro
> specific file locations but the vast, vast majority of FreeSWITCH
> installs are done using the standard layout installed to either
> /opt/freeswitch or /usr/local/freeswitch.

I don't really have strong feelings here, but I'll note that an increasing number of people are installing FS by way of our Debian packages -- we're starting to promote this method -- and those packages install FS per the FHS, e.g. /usr/bin/freeswitch, /var/lib/freeswitch/db, /usr/share/freeswitch/sounds, etc.

Ken's RPMs for Redhat/CentOS, as I understand, install FS similarly.

For the purposes here, targeting the packaged installs means that, unlike an installation from source, you can be 100% sure where things are going to be located, and because we're following FHS, these locations are exceedingly unlikely to change.

From kris at kriskinc.com Fri Sep 20 00:56:51 2013
From: kris at kriskinc.com (Kristian Kielhofner)
Date: Thu, 19 Sep 2013 16:56:51 -0400
Subject: [freeswitch-sec] FreeSWITCH selinux policy sponsorship
In-Reply-To: <523B5755.20602@travislists.com>
References: <9EB90DD7-434F-4EFD-9B4E-4CC7ACBA6FE3@freeswitch.org> <523B5755.20602@travislists.com>
Message-ID:

On Thu, Sep 19, 2013 at 3:58 PM, Travis Cross wrote:

> I don't really have strong feelings here, but I'll note that an
> increasing number of people are installing FS by way of our Debian
> packages -- we're starting to promote this method -- and those
> packages install FS per the FHS, e.g. /usr/bin/freeswitch,
> /var/lib/freeswitch/db, /usr/share/freeswitch/sounds, etc.
>
> Ken's RPMs for Redhat/CentOS, as I understand, install FS similarly.
>
> For the purposes here, targeting the packaged installs means that,
> unlike an installation from source, you can be 100% sure where things
> are going to be located, and because we're following FHS, these
> locations are exceedingly unlikely to change.

Out of curiosity, can you define "increasing"?

Either way I doubt it's hard to create SELinux rules to handle the FHS and "FreeSWITCH" file layouts.

--
Kristian Kielhofner

From herrold at owlriver.com Fri Sep 20 01:25:56 2013
From: herrold at owlriver.com (R P Herrold)
Date: Thu, 19 Sep 2013 17:25:56 -0400 (EDT)
Subject: [freeswitch-sec] FreeSWITCH selinux policy sponsorship
In-Reply-To:
References: <9EB90DD7-434F-4EFD-9B4E-4CC7ACBA6FE3@freeswitch.org> <523B5755.20602@travislists.com>
Message-ID:

On Thu, 19 Sep 2013, Kristian Kielhofner wrote:

> Either way I doubt it's hard to create SELinux rules to handle the FHS
> and "FreeSWITCH" file layouts.

the files, no -- the full gamut of potential network socket and database connections, yes

-- Russ herrold

From tc at travislists.com Fri Sep 20 03:23:48 2013
From: tc at travislists.com (Travis Cross)
Date: Thu, 19 Sep 2013 23:23:48 +0000
Subject: [freeswitch-sec] FreeSWITCH selinux policy sponsorship
In-Reply-To:
References: <9EB90DD7-434F-4EFD-9B4E-4CC7ACBA6FE3@freeswitch.org> <523B5755.20602@travislists.com>
Message-ID: <523B8784.8020600@travislists.com>

On 2013-09-19 20:56, Kristian Kielhofner wrote:

> Out of curiosity, can you define "increasing"?

My means of measurement are imprecise -- Ken might have better detail from the CDN stats, though that only counts part of it. I'm judging based on the quantity of questions I've been getting about the packaging, that other FS contributors now seem to care if their new module gets added to Debian quickly, and the speed that people notice when Ken's FS.org debian repo breaks.

From kris at kriskinc.com Sat Sep 21 20:12:16 2013
From: kris at kriskinc.com (Kristian Kielhofner)
Date: Sat, 21 Sep 2013 12:12:16 -0400
Subject: [freeswitch-sec] FreeSWITCH selinux policy sponsorship
In-Reply-To:
References: <9EB90DD7-434F-4EFD-9B4E-4CC7ACBA6FE3@freeswitch.org> <523B5755.20602@travislists.com>
Message-ID:

That's what I thought. How should we proceed from here?

On Thu, Sep 19, 2013 at 5:25 PM, R P Herrold wrote:

> On Thu, 19 Sep 2013, Kristian Kielhofner wrote:
>
>> Either way I doubt it's hard to create SELinux rules to handle the FHS
>> and "FreeSWITCH" file layouts.
>
> the files, no -- the full gamut of potential network socket and database
> connections, yes
>
> -- Russ herrold

--
Kristian Kielhofner