Postfix + Courier Imapd

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Postfix + Courier Imapd

Postby Antinoos » Tue Dec 26, 2006 6:49 pm

Postfix and courier-imap are complex programs to write a policy for. Learning mode (in my opinion) granted both applications too much access, so I decided to use the output of dmesg to write a policy. Below is my policy. Is my policy granting too much access? How can I better secure it?

Code: Select all
subject /usr/sbin/courierlogger d
        /dev/log                rw

        -CAP_ALL
        +CAP_DAC_OVERRIDE

subject /usr/bin/imapd d
        /var                    h
        /var/mail               rwcdl

subject /usr/sbin/postfix d
        /dev/log                rw

        -CAP_ALL
        +CAP_DAC_OVERRIDE
        +CAP_DAC_READ_SEARCH

subject /usr/lib/postfix dp
        /dev/log                rw
        /var                    h
        /var/run                rwc
        /var/mail               rwcdl
        /var/spool/postfix      rwcdl

        -CAP_ALL
        +CAP_NET_BIND_SERVICE
        +CAP_DAC_OVERRIDE
        +CAP_DAC_READ_SEARCH
        +CAP_SETGID
        +CAP_SETUID
        +CAP_SYS_CHROOT

subject /usr/sbin/postlog d
        /dev/log                rw

        -CAP_ALL
        +CAP_DAC_OVERRIDE
        +CAP_DAC_READ_SEARCH
Antinoos
 
Posts: 1
Joined: Tue Dec 26, 2006 6:45 pm

Return to RBAC policy development

cron