[SR-Users] Kamailio has unconfined processes

Henning Westerholt hw at gilawa.com
Thu Aug 11 13:16:45 CEST 2022


Hello,

if I understand you correctly, you are referring to SELinux and the fact that there is no SELinux policy for Kamailio available on the system.

There is no SELinux policy that is provided by the Kamailio project. I am not aware of an existing policy that you could use; maybe some distributions provide something.

If this is a hard requirement, you can create a policy for Kamailio from your side. Have a look, e.g., at
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/writing-a-custom-selinux-policy_using-selinux

for some pointers. If you've created something, it would be great if you could share it somewhere. In this case we might be able to include this in the Kamailio project, if appropriate.

Cheers,

Henning


________________________________
From: sr-users <sr-users-bounces at lists.kamailio.org> on behalf of HimaBindu G <himabindu.garadareddy at gmail.com>
Sent: Wednesday, 10 August 2022 08:35
To: sr-users at lists.kamailio.org <sr-users at lists.kamailio.org>
Subject: [SR-Users] Kamailio has unconfined processes

Hi,


Problem Description:
Customer security scan returned unconfined services on Kamailio.
Unconfined processes run in unconfined domains
Rationale:
For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running
in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC
rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from
gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security
enhancement on top of DAC rules - it does not replace them.
Solution
Investigate any unconfined processes found during the audit action. They may need to have an existing security
context assigned to them or a policy built for them.
Notes:
Occasionally certain daemons such as backup or centralized management software may require running
unconfined. Any such software should be carefully analyzed and documented before such an exception is made.
See Also

https://workbench.cisecurity.org/files/2485

For Kamailio
======
The command returned:
00 kamailio
00 kamailio
00 kamailio
00 kamailio
00 kamailio
10 kamailio
10 kamailio
10 kamailio
10 kamailio
00 kamailio
00 kamailio
00 kamailio
00 kamailio
33 kamailio
33 kamailio
33 kamailio
32 kamailio
17 kamailio
16 kamailio
33 kamailio
00 kamailio
00 kamailio
03 kamailio
05 kamailio
18 kamailio
17 kamailio
18 kamailio
18 kamailio
07 kamailio
00 sleep

Is any security context available to assign to kamailio processes?
Can these services be run as confined services?

Please suggest a resolution, thanks in advance.

Thanks & Regards,
    Hima Bindu.
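
An added example, not part of either message or of the Kamailio project: a way to reproduce the audit finding discussed above by counting, per command, the processes whose SELinux domain is unconfined_service_t. The function names and the sample `ps -eZ` lines are constructed for illustration; the domain name unconfined_service_t is an assumption, since the thread does not quote the audit command.

```bash
#!/usr/bin/env bash
# Added example: count processes per command in the unconfined_service_t domain.
# Reads `ps -eZ` style lines (LABEL PID TTY TIME CMD) on stdin.
# Assumption: unconfined services carry the type unconfined_service_t.

summarise_unconfined() {
    awk '
        $1 == "LABEL" || NF < 5 { next }        # skip header and short lines
        {
            # An SELinux label is user:role:type[:level]; the type is the domain.
            n = split($1, ctx, ":")
            if (n < 3 || ctx[3] != "unconfined_service_t") next
            cmd = $5
            for (i = 6; i <= NF; i++) cmd = cmd " " $i   # keep "<defunct>" etc.
            count[cmd]++
        }
        END { for (c in count) print count[c], c }
    ' | sort -k2
}

# Constructed sample input (not taken from the reporter's system).
sample_ps_output() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:03 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 912 ?  00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 2101 ? 00:00:00 kamailio
system_u:system_r:unconfined_service_t:s0 2102 ? 00:00:10 kamailio
system_u:system_r:unconfined_service_t:s0 2103 ? 00:00:33 kamailio
system_u:system_r:unconfined_service_t:s0 2150 ? 00:00:00 sleep
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3000 pts/0 00:00:00 bash
EOF
}

# On a live SELinux host:  ps -eZ | summarise_unconfined
# With the sample data:    sample_ps_output | summarise_unconfined
```

The interactive shell in unconfined_t is not counted, because the match is on the exact type field rather than on a substring of the label.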