
Friday, May 13, 2016

Asterisk and SELinux – and allowing additional Asterisk CLI users

Most advice on Asterisk that you'll find out in the ether states that to get Asterisk working right, you'll need to disable SELinux. Sometimes you'll even see vendor engineers repeating this over official channels.

IMO this is stupid and wrong. Disabling security is a terrible approach to fixing problems generally, but particularly so when the real issue is more than likely a config problem.

Enough ranting though – I came to post about the resolution to just such a config problem.

Systemd config

After building a basic install of Asterisk 13.8 Certified on CentOS 7.2, I wasn't satisfied to run the included sysvinit script for startup when the entire balance of the system was initializing through systemd. I found that /var/run/asterisk wouldn't cooperate with my initial attempts at writing a systemd script – after every reboot, it came back owned by root; ownership changes wouldn't stick. I learned from Jari Turkia[1] that this is due to /var/run being a tmpfs – nothing there persists across reboot.

Jari used /usr/bin/mkdir, suppressing errors, and /usr/bin/chown, but it's possible to do the same thing elegantly in a single line using /bin/install – a handy trick I picked up from Paul.[2]

With that and other help[3][4][5], I was able to dial in a very nicely working systemd script to control my Asterisk installation. The config is after the jump.

Asterisk config

After sorting the directory ownership and permissions, I also learned that I could allow additional users (e.g., my own login account) to use the Asterisk CLI without having to use sudo – there are a couple of config items that have to be changed to let this happen:
  1. In /etc/asterisk/asterisk.conf, uncomment the [files] stanza and its astctlpermissions entry[6]
    • This changes the permissions on the /var/run/asterisk/asterisk.ctl socket node – necessary because a CLI user needs write access to the socket
  2. In /etc/asterisk/cli_permissions.conf, add an entry for the user or group you want to give permissions, along with the appropriate permissions.[7]
    • Since I'm my only user, I set group wheel to have all rights, but you may need something more strict.
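To check those two settings without poking at a live socket, here is an added example script (not from the post) that parses constructed copies of asterisk.conf and cli_permissions.conf. SAMPLE_DIR, conf_get, socket_group_writable and cli_access are names I made up for this example, and the lookup order in cli_access is a simplified summary of Asterisk's per-command permit/deny matcher.

```shell
# Constructed sample configs written to a temp dir; nothing here touches a live box.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/asterisk.conf" <<'EOF'
[files]
astctlpermissions = 0660
astctlgroup = asterisk
EOF
cat > "$SAMPLE_DIR/asterisk.default.conf" <<'EOF'
[files]
;astctlpermissions = 0660
EOF
cat > "$SAMPLE_DIR/cli_permissions.conf" <<'EOF'
[general]
default_perm=permit
[@wheel]
permit=all
[eagle]
deny=all
permit=dialplan
EOF
# conf_get FILE SECTION KEY: print KEY's value in [SECTION]; handles "k = v" and "k => v", skips ; comments
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/ { insec = 0 }
        insec {
            line = $0; sub(/;.*/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr(line, n + 1); sub(/^>/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }' "$1"
}
# socket_group_writable ASTERISK_CONF: true when astctlpermissions is set (step 1 uncommented)
# and its group digit (second from the right, 6 in 0660) carries the write bit (2)
socket_group_writable() {
    mode=$(conf_get "$1" files astctlpermissions)
    [ -n "$mode" ] || return 1
    g=$(printf '%s' "$mode" | sed 's/^.*\(.\).$/\1/')
    case "$g" in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}
# cli_access USER GROUP CLI_CONF: print the permit= value that applies, checking [user],
# then [@group], then default_perm (Asterisk's real check is per command over ordered permit/deny lines)
cli_access() {
    v=$(conf_get "$3" "$1" permit)
    [ -n "$v" ] || v=$(conf_get "$3" "@$2" permit)
    [ -n "$v" ] || v=$(conf_get "$3" general default_perm)
    printf '%s\n' "$v"
}
```

A user only gets the CLI without sudo when both checks line up: the socket is group-writable and the user is in astctlgroup, and cli_permissions.conf grants that user or group something.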

The working config:

[Unit]
Description=Asterisk PBX and telephony daemon
Documentation=man:asterisk(8)
Wants=network.target
After=network.target

[Service]
PermissionsStartOnly=true
Type=simple
ExecStartPre=/bin/install -m 755 -o asterisk -g asterisk -d /var/run/asterisk/
User=asterisk
Group=asterisk
Environment=HOME=/var/lib/asterisk
WorkingDirectory=/var/lib/asterisk
ExecStart=/usr/sbin/asterisk -vvv
ExecStop=/usr/sbin/asterisk -rx 'core stop now'
ExecReload=/usr/sbin/asterisk -rx 'core reload'

# safe_asterisk emulation
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

References:
  1. Handling /var/run with systemd – Jari Turkia, Hacker's ramblings blog
  2. How folders created in /var/run on each reboot – Paul, askubuntu.com
  3. Getting Started with systemd – CoreOS documentation
  4. install(1) – Linux man page, die.net
  5. systemd: permission issue with mkdir & ExecStartPre – Matt, Unix StackExchange
  6. Asterisk – permissions and ownership for the socket console – Leonardo Rizzi, deepreflect.net networks
  7. Asterisk documentation – cli_permissions.conf