[freeswitch-sec] FreeSWITCH selinux policy sponsorship

Kristian Kielhofner kris at kriskinc.com
Thu Sep 19 22:38:19 MSD 2013


Hi Russ,

  Thanks for your input!

  As Ken has already said in a separate follow-up I believe FreeSWITCH
has matured/settled down enough for formal rules to be included with
the source.  With that said, I'm unfamiliar with how SELinux rules are
included/added to a given distro (and what SELinux differences there
may be in between distros).  I certainly understand the desire for
integration with distro specific file locations but the vast, vast
majority of FreeSWITCH installs are done using the standard layout
installed to either /opt/freeswitch or /usr/local/freeswitch.  I have
no problem developing rules around these locations.

  Your thoughts?

On Thu, Sep 19, 2013 at 2:10 PM, R P Herrold <herrold at owlriver.com> wrote:
> On Mon, 9 Sep 2013, Brian West wrote:
>
>>         I personally do not have any experience in this area, Maybe
>> someone on the Dev/Users list would be interested in this topic?
>
>
>> On Sep 9, 2013, at 10:10 AM, Kristian Kielhofner <kris at kriskinc.com>
>> wrote:
>
>
>>>  My company would like to sponsor the development of a proper selinux
>>> policy for FreeSWITCH.  How should we get this going?
>
>
> been travelling -- sorry for the delay in reply
>
> Hi, Kristian
>
> Writing SELinux rules that are durable is tied to getting repeatable
> packaging together (so that the binaries are predictably in the same
> places), and talking across the same network ports, etc.  As FreeSwitch is
> somewhat a moving target, and not 'packaged' in a 'major' distribution's
> main line -- really, RHEL, CentOS or Fedora here -- a set of rules needs to
> be crafted and maintained locally
>
> Are you using a packaging such as that from sipXecs / eZuce?
> If so, I can probably guide you through the ruleset generation.  In which FS
> ML shall we do this?  Cross-posting to three is probably rather rude
>
> ... fwiw, I've posted pretty sharply to the negative about people NOT using
> SELinux with FreeSwitch [1] in the past
>
> -- Russ herrold
>
> [1] http://orcorc.blogspot.com/2010/12/ripping-out-safeties.html



-- 
Kristian Kielhofner


