[rsbac] How to use Postfix with RSBAC

Amon Ott ao at rsbac.org
Sun Oct 5 15:43:34 MEST 2003


On Friday 03 October 2003 21:14, Patrique Wolfrum wrote:
> I am quite new to RSBAC and am now thinking about how to secure the running
> server programs on my server. My first test candidate was the mailserver
> Postfix:
> 
> I tried to secure the mailserver software postfix (and the needed other
> programs for managing the server (like postsuper, cleanup, ...)) via a new RC
> Role "Postfix Server", which has the necessary rights (get_status_data
> (NETDEV), modify_system_data (SCD rlimit)) for starting the server.
> In order to secure the mailspool-area as well I created a new RC_FD
> Mailspool, where only the Postfix Server can create and modify files. To
> protect the system files in /var/spool/postfix a new RC_FD Postfix_System was
> created, where again only the Postfix-Server can access and modify data.

Sounds good so far.
 
> But now the server won't start correctly anymore, because of the following
> problem areas:
>
> 1) It can't create a file of target FIFO in /var/spool/postfix/public,
> although it has the necessary rights (R/W) for this directory

Please enable rsbac_debug_adf_rc, e.g. by

    echo debug_adf_rc 1 >/proc/rsbac-info/debug

and check the related log output.

> 2) Several programs in /bin or /sbin are used by postfix, which then don't
> have the necessary rights for checking processes, etc. Since several other
> programs will use these programs too, including them in the Postfix Server
> role wouldn't be a wise idea, I think.

The helper programs are only used to check and recreate the postfix chroot 
environment (in a rather sub-optimal way). If you turn off this check in 
/etc/init.d/postfix, it works smoothly. You will have to check the 
environment manually after updating your system, though.
 
> Another question is, if it is a good idea to generate a new RC_PROCESS type
> for every running server software in order to prevent it from accessing and
> perhaps interfering with normal processes (if for example this server software is
> "contaminated" by a hacker), and to give processes started from the

Separate process types are a good idea. Even faster is to use the JAIL module 
with / as chroot dir for this. It works fine for postfix and many other 
server programs, and it comes with some additional administration and network 
access restrictions.

> server software the necessary rights. One candidate for this would be yast,
> which starts several other processes during operation, which need special
> rights for accessing for example NETDEVs, etc.

This is rather a candidate for a program based RC role. Yast is a horror 
example for access control - when I was still using SuSE, I used to turn off 
RSBAC before starting it.
 
> Can someone please give me some insights, how to configure RSBAC here
> correctly, in order to prevent security leaks?

Hope my hints help.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22

