
Re: [opensuse-security] Apparmor suggestion to include more profiles



On 05/31/2016 05:16 PM, Christian Boltz wrote:
> Did you also need any changes in the profiles that are enabled by
> default? If so, please tell me - in many (not all) cases I consider this
> to be a bug in the profile;-)

Hi Christian,

It's great to see activity here!  I'm new to AppArmor, I had to create some
specific profiles for a customer last month, and I really like it.

But the included profiles for dovecot didn't work.  I was pressed for time so
I quickly hacked two of the profiles to get the server working.  I'm sure I didn't
do it right, and may have messed up the security posture, but at least the mail
is flowing!

In this case all users' home directories are in /export/home1.  Here are the updated
profiles generated with the help of aa-logprof.  This is on a 13.2 x86-64 system.

What's the right way to do dovecot with users' home directories in /export/home1?
An environment variable somewhere?

usr.lib.dovecot.imap

# Last Modified: Tue May  3 13:55:56 2016
#include <tunables/dovecot>
#include <tunables/global>

# ------------------------------------------------------------------
#
#    Copyright (C) 2009-2010 Canonical Ltd.
#    Copyright (C) 2011-2013 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor

/usr/lib/dovecot/imap {
  #include <abstractions/base>
  #include <abstractions/dovecot-common>
  #include <abstractions/nameservice>
  #include <local/usr.lib.dovecot.imap>

  deny capability block_suspend,

  capability setuid,

  /export/home1/** rwlk,
  /usr/lib/dovecot/imap mr,
  /{,var/}run/dovecot/auth-master rw,
  /{,var/}run/dovecot/mounts r,
  @{DOVECOT_MAILSTORE}/ rw,
  @{DOVECOT_MAILSTORE}/** rwlk,
  @{HOME} r,

}

And:

usr.lib.dovecot.dovecot-lda

# ------------------------------------------------------------------
#
#    Copyright (C) 2013-2016 Christian Boltz
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim: ft=apparmor

#include <tunables/global>
#include <tunables/dovecot>

/usr/lib/dovecot/dovecot-lda {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/dovecot-common>

  capability setuid,

  @{DOVECOT_MAILSTORE}/ rw,
  @{DOVECOT_MAILSTORE}/** rwkl,

  /etc/dovecot/** r,
  /proc/*/mounts r,
  owner /tmp/dovecot.lda.* rw,
  /{var/,}run/dovecot/mounts r,
  /usr/bin/doveconf mrix,
  /usr/lib/dovecot/dovecot-lda mrix,
  /usr/sbin/sendmail Cx,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.lib.dovecot.dovecot-lda>


  profile /usr/sbin/sendmail flags=(attach_disconnected) {
    # this profile is based on the usr.sbin.sendmail profile in extras
    # and should support both postfix' and sendmail's sendmail binary

    #include <abstractions/base>
    #include <abstractions/consoles>
    #include <abstractions/nameservice>
    #include <abstractions/user-tmp>
    #include <abstractions/postfix-common>

    capability sys_ptrace,

    /etc/aliases rw,     # newaliases is a symlink to sendmail, so it's
    /etc/aliases.db rw,  # actually the same binary
    /etc/fstab r,
    /etc/hosts.allow r,
    /etc/hosts.deny r,
    /etc/mail/* r,
    /etc/mail/statistics rw,
    /etc/mtab r,
    /etc/postfix/aliases r,
    /etc/postfix/aliases.db rw,  # newaliases again
    /etc/sendmail.cf r,
    /etc/sendmail.cw r,
    /etc/shells r,
    /proc/loadavg r,
    /proc/net/if_inet6 r,
    /root/.forward r,
    /root/dead.letter w,
    /usr/bin/procmail Px,
    /usr/lib/postfix/master Px,
    /usr/lib/postfix/showq Px,
    /usr/lib/postfix/smtpd Px,
    /usr/sbin/postalias Px,
    /usr/sbin/postdrop Px,
    /usr/sbin/postfix Px,
    /usr/sbin/postqueue Px,
    /usr/sbin/sendmail mrix,
    /usr/sbin/sendmail.postfix mrix,
    /usr/sbin/sendmail.sendmail mrix,
    /{var/,}run/sendmail.pid rwl,
    /{var/,}run/sm-client.pid rwl,
    /{var/,}run/utmp rw,
    /var/spool/clientmqueue/* rwl,
    /export/home1/mail/* rwl,
    /var/spool/mqueue/* rwl,
    /var/spool/postfix/maildrop/* rwl,
    /var/spool/postfix/public/pickup w,
    /var/spool/postfix/public/qmgr w,
    /var/spool/postfix/public/showq w,
  }
}

Regards,
Lew
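The question above (home directories under /export/home1) is normally answered with the AppArmor tunables rather than by widening the profile. The following fragments are an added example, not part of Lew's mail or of the shipped openSUSE profiles; they assume the stock tunables/home derives @{HOME} from @{HOMEDIRS}, that tunables/dovecot builds @{DOVECOT_MAILSTORE} on top of @{HOME}, and that the mailboxes live in a per-user Maildir (the file name site.local is a hypothetical choice).

```apparmor
# /etc/apparmor.d/tunables/home.d/site.local   (hypothetical file name;
# every file in tunables/home.d is pulled in by tunables/home)
#
# Declare /export/home1/ as an additional home directory root. After this,
# @{HOME} expands to /export/home1/*/ in every profile that uses it, and
# @{DOVECOT_MAILSTORE} (assumed to be defined from @{HOME} in
# tunables/dovecot) follows automatically, so the shipped imap and
# dovecot-lda profiles need no edits at all.
@{HOMEDIRS}+=/export/home1/

# /etc/apparmor.d/local/usr.lib.dovecot.imap
# (the shipped profile already #includes this file)
#
# Only needed if the mail store sits in a layout tunables/dovecot does
# not list. Scope the rule to the mailbox subtree of the logged-in user
# instead of the quick hack from the mail,
#
#   /export/home1/** rwlk,
#
# which lets the imap process read and write every file of every user.
# "owner" works here because imap drops privileges (capability setuid)
# to the mailbox owner before touching the mail store.
owner /export/home1/*/Maildir/ rw,
owner /export/home1/*/Maildir/** rwkl,

# /etc/apparmor.d/local/usr.lib.dovecot.dovecot-lda
# Same narrow rule for local delivery, if the tunable alone is not enough.
owner /export/home1/*/Maildir/ rw,
owner /export/home1/*/Maildir/** rwkl,
```

Reload with `apparmor_parser -r /etc/apparmor.d/usr.lib.dovecot.imap` (and the dovecot-lda profile) and confirm with aa-logprof that no further DENIED entries for /export/home1 appear; any that do point at a path the tunable does not cover rather than at a need for the wildcard rule.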

