<div>Banged my head for a while with why I couldn't get fifo working for the Control Panel.</div><div>I was getting "sorry -- cannot open write fifo".</div><div><br></div><div>Hope this can help others and maybe even make it into the docs.</div>
<div>Found two problems.</div><div><br></div><div>1. Apache process couldn't use /tmp/opensips_fifo because the permissions were prw-rw---- 1 root root</div><div>I fixed that temporarily by chmod o+rw /tmp/opensips</div>
<div>Unfortunately restarting opensips voids that fix unless you do chmod after each start after the fifo is created</div><div>So I changed the user opensips runs as using the -u apache -g apache options.</div><div>This solved my problem and made my system more safe from hackers through sip messages.</div>
<div><br></div><div>2. SELinux (hate the good thing) was also blocking apache using it.</div><div>I did some googling and found some mention of disabling selinux. Tried that and things worked.</div><div>So I tried that and voilà! IT WORKED!!!</div>
<div>Now I was bummed cause I don't want to completely disable SELinux, pain though it is.</div><div>So I finally broke down and looked into the docs for SELinux and found audit2allow. YEA</div><div>All you have to do to get SELinux to permanently allow something that should happen is pipe the audit lines that show the problem from /var/log/audit/audit.log (or /var/log/messages)</div>
<div>Since an app may stop trying things SELinux may block after an initial rejection, you want to set SELinux to permissive with </div><div> setenforce Permissive</div><div>Perform the actions, like using the MI from opensips-cp, that were stopped by SELinux before; then you can use the logs to allow those specific actions.</div>
<div>I used less to find the specific lines then copied them into a file with just those lines.</div><div><br></div><div>Here is an example with a file that only has the audit logs I want to allow:</div><div>cat selinux_blocked_my_app | audit2allow -M opensipscp</div>
<div><span class="Apple-style-span" style="font-family: 'courier new', monospace; font-size: 13px; ">semodule -i opensipscp.pp</span></div><div><span class="Apple-style-span" style="font-family: 'courier new', monospace; font-size: 13px; "><br>
</span></div><div><span class="Apple-style-span" style="font-family: 'courier new', monospace; font-size: 13px; ">That is it!!</span></div><div><span class="Apple-style-span" style="font-family: 'courier new', monospace; font-size: 13px; ">I wanted to transport it to other servers and make it easy to do on an install so I dug a little more and came up with this I can just cut and paste:</span></div>
<div><span class="Apple-style-span" style="font-family: 'courier new', monospace; font-size: 13px; "><br></span></div><div><span class="Apple-style-span" style="font-family: 'courier new', monospace; font-size: 13px; "><span class="Apple-style-span" style="font-family: Arial, Verdana, sans-serif; "><div>
<font face="'courier new', monospace"><div>cat &gt; opensipscp.te &lt;&lt;EOF</div><div><div><br></div><div>module opensipscp 1.0;</div><div><br></div><div>require {</div><div> type httpd_t;</div><div> type tmp_t;</div>
<div> class fifo_file { write getattr setattr read create unlink };</div><div>}</div><div><br></div><div>#============= httpd_t ==============</div><div>allow httpd_t tmp_t:fifo_file { write getattr setattr read create unlink };</div>
</div><div>EOF</div><div><br></div><div>checkmodule -M -m -o opensipscp.mod opensipscp.te</div><div>semodule_package -o opensipscp.pp -m opensipscp.mod</div><div>semodule -i opensipscp.pp</div><div>/bin/rm opensipscp.pp opensipscp.te opensipscp.mod</div>
<div><br></div><div><br></div><div>Be sure in config/boxes.global.inc.php you have (or what you have for the fifo file)</div><div> $boxes[$box_id]['mi']['conn']="/tmp/opensips_fifo";</div><div>
<br>
</div><div><br></div></font></div></span></span></div>
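<div>Added example (not part of the original post): a shell version of the "find the specific lines" step, which filters the audit log down to Apache-on-FIFO denials and prints the rule they justify, so it can be compared with the module above before loading. The log lines are constructed samples and the function names are hypothetical.</div>

```shell
#!/bin/sh
# Constructed sample audit records (not taken from a real host).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1300000001.101:201): avc:  denied  { write } for  pid=2101 comm="httpd" name="opensips_fifo" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1300000001.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1300000002.202:202): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/tmp/opensips_fifo" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1300000003.303:203): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5060 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000004.404:204): avc:  denied  { read } for  pid=3001 comm="sendmail" name="x" dev=dm-0 ino=99 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file
EOF
}

# Keep only AVC denials where Apache (httpd_t) touched a FIFO, so unrelated
# denials in the log never end up in the policy module.
fifo_denials() {
    grep 'type=AVC' | grep 'denied' |
        grep 'scontext=[^ ]*:httpd_t:' | grep 'tclass=fifo_file'
}

# Collapse the denials into one allow rule per (source, target, class),
# listing only the permissions that were actually requested.
summarize_denials() {
    awk '
    function ctx_type(s,   a) { split(s, a, ":"); return a[3] }
    /type=AVC/ && /denied/ {
        o = index($0, "{"); c = index($0, "}")
        perms = substr($0, o + 1, c - o - 1)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = ctx_type(substr($i, 10))
            if ($i ~ /^tcontext=/) tgt = ctx_type(substr($i, 10))
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!seen[key, p[j]]++) set[key] = set[key] " " p[j]
    }
    END { for (k in set) print "allow " k " {" set[k] " };" }'
}

# Real use: fifo_denials < /var/log/audit/audit.log > selinux_blocked_my_app
sample_audit_log | fifo_denials | summarize_denials
# prints: allow httpd_t tmp_t:fifo_file { write getattr };
```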