[rsbac] How to use Postfix with RSBAC

Patrique Wolfrum Patrique.Wolfrum at vwl.uni-freiburg.de
Fri Oct 3 22:14:52 MEST 2003


Hello,

I am quite new to RSBAC and am now thinking about how to secure the running server programs on my server. My first test candidate was the mailserver Postfix:

I tried to secure the mailserver software postfix (and the needed other programs for managing the server (like postsuper, cleanup, ...)) via a new RC Role "Postfix Server", which has the necessary rights (get_status_data (NETDEV), modify_system_data (SCD rlimit)) for starting the server.
In order to secure the mailspool-area as well I created a new RC_FD Mailspool, where only the Postfix Server can create and modify files. To protect the system files in /var/spool/postfix a new RC_FD Postfix_System was created, where again only the Postfix-Server can access and modify data.

But now the server won't start correctly anymore, because of the following problem areas:

1) It can't create a file of target FIFO in /var/spool/postfix/public, although it has the necessary rights (R/W) for this directory
2) Several programs in /bin or /sbin are used by postfix, which then don't have the necessary rights for checking processes, etc. Since several other programs will use these programs too, including them in the Postfix Server role wouldn't be a wise idea, I think.

Another question is whether it is a good idea to generate a new RC_PROCESS type for every running server software in order to prevent it from accessing and perhaps interfering with normal processes (if, for example, this server software is "contaminated" by a hacker), and to give processes started from the server software the necessary rights. One candidate for this would be yast, which starts several other processes during operation, which need special rights for accessing, for example, NETDEVs, etc.

Can someone please give me some insights on how to configure RSBAC correctly here, in order to prevent security leaks?

Thank you very much in advance.

With best regards,
    Patrique Wolfrum

