Dave - <div><br></div><div> Thanks for sharing this! I had the exact same problem and hadn't figured out a solution yet. Much appreciated.</div><div><br></div><div>Skyler<br><br><div class="gmail_quote">On Thu, Jan 13, 2011 at 5:51 PM, Dave Singer <span dir="ltr"><<a href="mailto:dave.singer@wideideas.com">dave.singer@wideideas.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div>Banged my head for a while with why I couldn't get fifo working for the Control Panel</div><div>I was getting "sorry -- cannot open write fifo".</div>
<div><br></div><div>Hope this can help others and maybe even make it into the docs.</div>
<div>Found two problems.</div><div><br></div><div>1. Apache process couldn't use /tmp/opensips_fifo because the permissions were prw-rw---- 1 root root</div><div>I fixed that temporarily by chmod o+rw /tmp/opensips</div>
<div>Unfortunately restarting opensips voids that fix unless you do chmod after each start after the fifo is created</div><div>So I changed the user opensips runs as using the -u apache -g apache options.</div><div>This solved my problem and made my system more safe from hackers through sip messages.</div>
<div><br></div><div>2. SELinux (hate the good thing) was also blocking apache using it.</div><div>I did some googling and found some mention of disabling selinux. Tried that and things worked.</div><div>So I tried that and voila! IT WORKED!!!</div>
<div>Now I was bummed cause I don't want to completely disable SELinux, pain though it is.</div><div>So I finally broke down and looked into the docs for SELinux and found audit2allow. YEA</div><div>All you have to do to get SELinux to permanently allow something that should happen is pipe the audit lines that show the problem from /var/log/audit/audit.log (or /var/log/messages)</div>
<div>Since an app may stop trying things SELinux may block after an initial rejection you want to set SELinux to permissive with </div><div> setenforce Permissive</div><div>Perform the actions like use the MI from opensips-cp stopped by selinux before then you can use the logs to allow those specific actions.</div>
<div>I used less to find the specific lines then copied them into a file with just those lines.</div><div><br></div><div>Here is an example with a file that only has the audit logs I want to allow:</div><div>cat selinux_blocked_my_app | audit2allow -M opensipscp</div>
<div><span style="font-family:'courier new', monospace;font-size:13px">semodule -i opensipscp.pp</span></div><div><span style="font-family:'courier new', monospace;font-size:13px"><br>
</span></div><div><span style="font-family:'courier new', monospace;font-size:13px">That is it!!</span></div><div><span style="font-family:'courier new', monospace;font-size:13px">I wanted to transport it to other servers and make it easy to do on an install so I dug a little more and came up with this I can just cut and paste:</span></div>
<div><span style="font-family:'courier new', monospace;font-size:13px"><br></span></div><div><span style="font-family:'courier new', monospace;font-size:13px"><span style="font-family:Arial, Verdana, sans-serif"><div>
<font face="'courier new', monospace"><div>cat > opensipscp.te <<EOF</div><div><div><br></div><div>module opensipscp 1.0;</div><div><br></div><div>require {</div><div> type httpd_t;</div><div> type tmp_t;</div>
<div> class fifo_file { write getattr setattr read create unlink };</div><div>}</div><div><br></div><div>#============= httpd_t ==============</div><div>allow httpd_t tmp_t:fifo_file { write getattr setattr read create unlink };</div>
</div><div>EOF</div><div><br></div><div>checkmodule -M -m -o opensipscp.mod opensipscp.te</div><div>semodule_package -o opensipscp.pp -m opensipscp.mod</div><div>semodule -i opensipscp.pp</div><div>/bin/rm opensipscp.pp opensipscp.te opensipscp.mod</div>
<div><br></div><div><br></div><div>Be sure in config/boxes.global.inc.php you have (or what you have for the fifo file)</div><div> $boxes[$box_id]['mi']['conn']="/tmp/opensips_fifo";</div><div>
<br>
</div><div><br></div></font></div></span></span></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a><br>
<a href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users" target="_blank">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
<br></blockquote></div><br></div>
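<div>An added example, not part of the original messages: a shell filter that picks only the httpd_t denials on the opensips_fifo out of an audit log before they are piped to audit2allow, and lists which permissions in the posted rule were never seen denied. The audit records and function names are constructed for illustration.</div>

```shell
#!/bin/sh
# Constructed sample audit records (illustrative, not from the original post).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1294969860.101:451): avc:  denied  { write } for  pid=2101 comm="httpd" name="opensips_fifo" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1294969860.102:452): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/tmp/opensips_fifo" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1294969861.200:460): avc:  denied  { read } for  pid=2101 comm="httpd" name="other_fifo" dev=dm-0 ino=140 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file
type=AVC msg=audit(1294969862.300:470): avc:  denied  { read } for  pid=2101 comm="httpd" name="shadow" dev=dm-0 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1294969863.400:480): avc:  denied  { write } for  pid=3300 comm="cupsd" name="opensips_fifo" dev=dm-0 ino=131 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1294969860.101:451): arch=c000003e syscall=2 success=no comm="httpd"
EOF
}

# Keep only AVC denials where httpd_t touched a fifo_file with the given name.
filter_fifo_denials() {
  awk -v fifo="${1:-opensips_fifo}" '
    $1 == "type=AVC" && / denied / && /scontext=[^ ]*:httpd_t:/ &&
    / tclass=fifo_file( |$)/ &&
    (index($0, "name=\"" fifo "\"") || index($0, "/" fifo "\""))'
}

# Distinct permissions named inside the "{ ... }" of the records on stdin.
denied_perms() {
  sed -n 's/.*{ \(.*\) }.*/\1/p' | tr ' ' '\n' | sort -u | paste -sd ' ' -
}

# Permission list copied from the allow rule in the posted module.
POSTED_PERMS="write getattr setattr read create unlink"

# Permissions in the posted rule that the records on stdin never show denied.
unobserved_perms() {
  observed=" $(denied_perms) "
  for p in $POSTED_PERMS; do
    case "$observed" in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
  done | paste -sd ' ' -
}

# Stand-alone run on the sample; on a real host read /var/log/audit/audit.log
# and pipe filter_fifo_denials into: audit2allow -M opensipscp
echo "observed:   $(sample_audit_log | filter_fifo_denials | denied_perms)"
echo "unobserved: $(sample_audit_log | filter_fifo_denials | unobserved_perms)"
```

<div>The generated rule is keyed on types, so it applies to every fifo labelled tmp_t, not only /tmp/opensips_fifo.</div>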