
Re: [suse-security] [SLE] postfix and apparmour





The Sunday 2006-07-23 at 22:23 -0700, Crispin Cowan wrote:

> However, the apparmor-general list is more specific, and therefore more
> appropriate, than the suse-security list, so I have posted to both and
> directed followups to apparmor-general.

However, that list is not in 
http://www.suse.com/en/private/support/online_help/mailinglists/, thus I 
can't subscribe.


> However, the much, much easier way is to let AppArmor fix it for you. If
> you grep for APPARMOR in /var/log/audit/audit.log you will find REJECT
> events where AppArmor blocked the accesses that cause you problems. If
> you run the "logprof" program (as root, and not confined by AppArmor) it
> will inspect the audit.log file for events, and prompt you for what to
> do with them. It will automatically expand your profiles to allow the
> accesses that were blocked.

I see. Yes, I'll use that next time.

> 
> Note: logprof does not know the difference between an access that was
> blocked because the profile was too tight, and an access blocked because
> an intruder was trying to hack in. So if you are running logprof on a
> machine exposed to the internet, please read the questions logprof asks
> and think about the answers :)

Makes sense.


> > So I go to /etc/apparmor.d/usr.lib.postfix.showq, and see this:
> >
> >   /{var/spool/postfix/,}incoming                                   r,
> >   /{var/spool/postfix/,}incoming/[0-9A-F]                          r,
> >   /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]                 r,
> >   /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]/*               r,
> >   /{var/spool/postfix/,}incoming/[0-9A-F]/[0-9A-F]*                r,
> >   /{var/spool/postfix/,}incoming/[0-0A-F]*                         r,
> >
> >
> > Now, the question: Should the last line be:
> >
> >   /{var/spool/postfix/,}incoming/[0-9A-F]*                         r,
> >
> > instead?
> Yes.

Now comes a second problem: this weekend, YOU applied an update to
apparmor.d, and the profile usr.lib.postfix.showq has disappeared. In
fact, all postfix profiles have disappeared:

nimrodel:~ # l /etc/apparmor.d/*postfix.*
-rw-r--r-- 1 root root 1998 Jul  5 13:12 /etc/apparmor.d/usr.lib.postfix.master.rpmsave
-rw-r--r-- 1 root root 3221 Jul  5 13:02 /etc/apparmor.d/usr.lib.postfix.qmgr.rpmsave
-rw-r--r-- 1 root root 2489 Jul  5 13:15 /etc/apparmor.d/usr.lib.postfix.smtpd.rpmsave

See? Only the backups are there. Even grepping for the word "postfix" only 
finds it in 'program-chunks/postfix-common'. 

What now?


-- 
Cheers,
       Carlos E. R.
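
The effect of the `[0-0A-F]` typo discussed in this message, as an added example that is not part of the original post and not AppArmor's own matcher: a simplified translator for only the glob syntax the quoted rules use (`{,}`, `[]`, `*`, `**`, `?`), run over constructed sample paths to show which reads the shipped rule set rejects and the corrected one allows.

```python
import re

def aa_glob_to_regex(glob):
    """Translate the AppArmor glob subset used in the quoted rules to a regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # '**' may cross directory separators
            out.append(".*")
            i += 1
        elif c == "*":                    # '*' stays within one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                    # character class, same syntax in regex
            end = glob.index("]", i + 1)
            out.append(glob[i:end + 1])
            i = end
        elif c == "{":                    # {a,b} alternation; '{x,}' makes x optional
            out.append("(?:")
            depth += 1
        elif c == "}":
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

PREFIX = "/{var/spool/postfix/,}incoming"
COMMON = [PREFIX, PREFIX + "/[0-9A-F]", PREFIX + "/[0-9A-F]/[0-9A-F]",
          PREFIX + "/[0-9A-F]/[0-9A-F]/*", PREFIX + "/[0-9A-F]/[0-9A-F]*"]
AS_SHIPPED = COMMON + [PREFIX + "/[0-0A-F]*"]   # last rule as quoted, with the typo
CORRECTED = COMMON + [PREFIX + "/[0-9A-F]*"]    # last rule as confirmed in the reply

def allowed(rules, path):
    """True if any rule in the set matches the whole path."""
    return any(aa_glob_to_regex(r).fullmatch(path) for r in rules)

def blocked_only_by_typo(paths):
    """Paths the corrected rules allow but the shipped rules reject."""
    return [p for p in paths if allowed(CORRECTED, p) and not allowed(AS_SHIPPED, p)]

# Constructed sample paths; the queue IDs are made up for illustration.
SAMPLE_PATHS = ["/var/spool/postfix/incoming/3F2A1B0C9D", "/incoming/7AA0B1C2D3",
                "/var/spool/postfix/incoming/A81B2C3D4E", "/var/spool/postfix/incoming/0C11D22E33",
                "/var/spool/postfix/incoming/3/F/3F2A1B0C9D", "/var/spool/postfix/deferred/3F2A1B0C9D"]

if __name__ == "__main__":
    print("\n".join(blocked_only_by_typo(SAMPLE_PATHS)))
```

Only queue files whose name starts with 1-9 are affected, which is why the rejects look intermittent in audit.log.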


