AppArmor Templates for Postfix
Using Pre-Built Templates
Add the pre-built templates for Postfix.
sudo apt-get install apparmor-profiles
This will load many pre-built templates that you can use.
cd /usr/share/doc/apparmor-profiles/extras
Now copy all of the Postfix-related profiles into /etc/apparmor.d/.
sudo cp usr.sbin.post* /etc/apparmor.d/
sudo cp usr.lib.post* /etc/apparmor.d/
Restart the AppArmor daemon.
sudo /etc/init.d/apparmor restart
Now check the number of active profiles.
sudo aa-status
32 profiles are in enforce mode.
/usr/lib/postfix/spawn
/usr/lib/postfix/tlsmgr
/usr/sbin/saslauthd
/usr/lib/postfix/pipe
/usr/lib/postfix/proxymap
/usr/lib/postfix/bounce
/usr/sbin/postalias
/usr/lib/postfix/pickup
/usr/lib/postfix/qmqpd
/usr/lib/postfix/showq
/usr/sbin/avahi-daemon
/usr/lib/postfix/local
/usr/lib/postfix/nqmgr
/usr/sbin/postdrop
/usr/lib/postfix/scache
/usr/lib/postfix/virtual
/usr/lib/postfix/lmtp
/usr/lib/postfix/discard
/usr/lib/postfix/error
/usr/lib/postfix/smtpd
/usr/lib/postfix/smtp
/usr/lib/postfix/cleanup
/usr/sbin/postfix
/usr/sbin/postmap
/usr/sbin/postqueue
/usr/lib/postfix/anvil
/usr/lib/postfix/qmgr
/usr/lib/postfix/master
/usr/lib/postfix/verify
/usr/lib/postfix/flush
/usr/lib/postfix/trivial-rewrite
/usr/lib/postfix/oqmgr
You may not need all of these profiles, depending on what you are running, so remove those you do not need. You can switch the profiles to complain mode while you test. Whichever mode you choose, run Postfix and then make any necessary adjustments to the profiles with the aa-logprof command. This makes sure that your system keeps running properly under the profiles.
aa-logprof
Reading log entries from /var/log/messages.
Updating AppArmor profiles in /etc/apparmor.d.
Enforce-mode changes:
Profile: /usr/sbin/postfix
Capability: sys_tty_config
Severity: 8
(A)llow / [(D)eny] / Abo(r)t / (F)inish
Adding capability sys_tty_config to profile.
Profile: /usr/sbin/postfix
Path: /etc/postfix/main.cf
Mode: r
Severity: 3
[1 - /etc/postfix/main.cf]
(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /etc/postfix/main.cf r to profile.
Profile: /usr/sbin/saslauthd
Path: /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock
Mode: w
Severity: unknown
[1 - /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock]
(A)llow / [(D)eny] / (G)lob / Glob w/(E)xt / (N)ew / Abo(r)t / (F)inish
Adding /var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock w to profile.
= Changed Local Profiles =
The following local profiles were changed. Would you like to save them?
[1 - /usr/sbin/postfix]
2 - /usr/sbin/saslauthd
(S)ave Changes / [(V)iew Changes] / Abo(r)t
Writing updated profile for /usr/sbin/postfix.
Writing updated profile for /usr/sbin/saslauthd.
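Before answering the aa-logprof prompts, it helps to see which events it will ask about. The following is an added example, not part of the original post: a shell function that summarises AppArmor log events for the Postfix and saslauthd profiles. The function names, the profile filter and the sample log lines are assumptions constructed for illustration; on a real system, pass the log file that aa-logprof reads (/var/log/messages in the session above).

```sh
#!/bin/sh
# summarize_aa_events LOGFILE   ("-" reads standard input)
# Prints "count verdict profile resource access", most frequent first.
summarize_aa_events() {
    awk '
    # Return the value of key="value" in line s, or "" if the key is absent.
    function field(s, key,    i, rest, j) {
        i = index(s, " " key "=\"")
        if (i == 0) return ""
        rest = substr(s, i + length(key) + 3)
        j = index(rest, "\"")
        return substr(rest, 1, j - 1)
    }
    /apparmor="(DENIED|ALLOWED)"/ {
        profile = field($0, "profile")
        # Assumption: only the profiles copied from extras are of interest.
        if (profile !~ /post|saslauthd/) next
        verdict = field($0, "apparmor")   # DENIED = enforce, ALLOWED = complain
        cap = field($0, "capname")
        if (cap != "") { res = "capability:" cap; acc = "-" }
        else { res = field($0, "name"); acc = field($0, "denied_mask") }
        if (acc == "") acc = field($0, "requested_mask")
        seen[verdict " " profile " " res " " acc]++
    }
    END { for (k in seen) print seen[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines in the kernel audit format (not from a real host).
sample_log() {
cat <<'EOF'
Jan 10 10:00:01 mail kernel: audit: type=1400 audit(1389348001.100:45): apparmor="DENIED" operation="capable" profile="/usr/sbin/postfix" pid=2101 comm="postfix" capability=26 capname="sys_tty_config"
Jan 10 10:00:02 mail kernel: audit: type=1400 audit(1389348002.200:46): apparmor="DENIED" operation="open" profile="/usr/sbin/postfix" name="/etc/postfix/main.cf" pid=2101 comm="postfix" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 10:00:09 mail kernel: audit: type=1400 audit(1389348009.300:47): apparmor="DENIED" operation="open" profile="/usr/sbin/postfix" name="/etc/postfix/main.cf" pid=2140 comm="postfix" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 10 10:00:12 mail kernel: audit: type=1400 audit(1389348012.400:48): apparmor="DENIED" operation="open" profile="/usr/sbin/saslauthd" name="/var/spool/postfix/var/run/saslauthd/saslauthd.pid.lock" pid=2155 comm="saslauthd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
Jan 10 10:00:15 mail kernel: audit: type=1400 audit(1389348015.500:49): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/cups/printers.conf" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# With a log file argument, summarise it; otherwise use the constructed sample.
if [ $# -gt 0 ]; then summarize_aa_events "$1"; else sample_log | summarize_aa_events -; fi
```

Each output line corresponds to one question aa-logprof would raise, so an unexpected path or capability can be investigated before it is allowed into a profile.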
Posted by mike 