Running Asterisk with SELinux
December 6, 2023
I'm not fully certain how much SELinux improves security, but I get paid by the hour, so it does improve my paycheque.
After compiling Asterisk on Oracle Linux 9, I observed that it would run well when started manually from the command line, but would not run as a service. The solution was:
    sudo restorecon -rv /var/lib/asterisk
    sudo restorecon -rv /etc/asterisk
Additionally, I observed that when using app_voicemail_odbc, Asterisk failed immediately before attempting to perform the INSERT into the database. The error was:
    app_voicemail_odbc.c:4500 store_file: Memory map failed for sound file '/var/spool/asterisk/voicemail/default/100/unavail.sln'
I used Google to search for this error and found exactly one result which was the Asterisk source. The solution that I came up with on my own, by inspecting sudo getsebool -a | grep mmap:
    sudo setsebool domain_can_mmap_files on
If ever you're troubleshooting something that is failing for no apparent reason, check SELinux first.
    sudo setenforce Permissive
    sestatus
Re-run your command. If it now works, SELinux is the cause. You can inspect the audit log to see if it gives you any information with which to solve the problem:
    sudo tail /var/log/audit/audit.log
I suppose you should re-enable SELinux after completing your testing.
    sudo setenforce Enforcing
    sestatus
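
Added example (not from the original post): for the audit log inspection step above, this shell function groups the AVC denial records in audit.log text by process, permission, source type and target type, so the cause is visible without reading raw `tail` output. The sample records, including their pids and SELinux types, are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: group SELinux AVC denials read from stdin.
# Output: count comm {perms} source_type -> target_type:class permissive=N

summarize_avc() {
  awk '
    # Return the value of key=value on the current record, quotes stripped.
    function field(key,   v) {
      if (!match($0, "(^| )" key "=[^ ]+")) return "?"
      v = substr($0, RSTART, RLENGTH)
      sub(/^ ?[^=]+=/, "", v)
      gsub(/"/, "", v)
      return v
    }
    # The SELinux type is the third field of user:role:type:level.
    function setype(ctx,   p) { split(ctx, p, ":"); return p[3] }

    /^type=AVC / && / denied / {
      perms = "?"
      if (match($0, /[{] [^}]+ [}]/)) {      # e.g. "{ read open }"
        perms = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perms)
      }
      key = sprintf("%s {%s} %s -> %s:%s permissive=%s", field("comm"), perms,
                    setype(field("scontext")), setype(field("tcontext")),
                    field("tclass"), field("permissive"))
      count[key]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
  ' | sort -rn
}

# Constructed sample records (not from the original post); the pids, inode
# numbers and SELinux types are illustrative and will differ on a real host.
sample_log() {
  cat <<'EOF'
type=AVC msg=audit(1701878400.101:901): avc:  denied  { map } for  pid=2101 comm="asterisk" path="/var/spool/asterisk/voicemail/default/100/unavail.sln" dev="dm-0" ino=5501 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:asterisk_spool_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1701878400.101:901): arch=c000003e syscall=9 success=no exit=-13 comm="asterisk"
type=AVC msg=audit(1701878460.222:915): avc:  denied  { map } for  pid=2101 comm="asterisk" path="/var/spool/asterisk/voicemail/default/100/unavail.sln" dev="dm-0" ino=5501 scontext=system_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:asterisk_spool_t:s0 tclass=file permissive=0
type=AVC msg=audit(1701878520.333:930): avc:  denied  { read open } for  pid=2150 comm="asterisk" path="/etc/asterisk/asterisk.conf" dev="dm-0" ino=7701 scontext=system_u:system_r:asterisk_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
EOF
}

sample_log | summarize_avc
```

On a real host, feed it the log from the post with `sudo cat /var/log/audit/audit.log | summarize_avc`. A row whose target type does not belong to the service points at a file label to repair with restorecon rather than a boolean to change.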