[rsbac] How to use Postfix with RSBAC

Patrique Wolfrum Patrique.Wolfrum at vwl.uni-freiburg.de
Fri Oct 17 12:27:22 MEST 2003


Hello,

Thank you for your quick reply and your very helpful hints.

Sorry I didn't write earlier but the last weeks were very busy, so I 
couldn't get to mail.

>> 1) It can't create a file of target FIFO in /var/spool/postfix/public, although it has the necessary rights (R/W) for this directory
>
> Please enable rsbac_debug_adf_rc, e.g. by echo debug_adf_rc 1 >/proc/rsbac-info/debug and check the related log output.
Thank you for that hint. With the debug output I saw that the files were 
in the wrong FD_Type (fixed now). Postfix works quite fine now, and the 
other server programs also work flawlessly.

>> 2) Several programs in /bin or /sbin are used by postfix, which then don't have the necessary rights for checking processes, etc. Since several other programs will use these programs too, including them in the Postfix Server 
>> role wouldn't be a wise idea, I think.
>
> The helper programs are only used to check and recreate the postfix chroot environment (in a rather sub-optimal way). If you turn off this check in /etc/init.d/postfix, it works smoothly. You will have to check the environment manually after updating your system, though.
The files in /bin and /sbin I put under RC_FD 'system_FD' and gave them 
the necessary rights. So now the programs can get the needed information 
about the Postfix processes, but no more.

> Separate process types are a good idea. Even faster is to use the JAIL module 
> with / as chroot dir for this. It works fine for postfix and many other 
> server programs, and it comes with some additional administration and network 
> access restrictions.
I did configure RSBAC for the other server programs (MySQL, Apache and 
Samba) in the same way, and it seems to work fine.

>> server software the necessary rights. One candidate for this would be yast, which starts several other processes during operation, which need special rights for accessing for example NETDEVs, etc.
>
> This is rather a candidate for a program based RC role. Yast is a horror example for access control - when I was still using SuSE, I used to turn off RSBAC before starting it. 
Probably I will do it that way too ;-).
I plan to use Yast only when there is no other way to perform the needed 
tasks (e.g. automated software updates or special configuration settings 
where I still need to find where to set them).

With best regards.
    Patrique Wolfrum
