This article describes how to modify the AppArmor profiles shipped for Postfix and put them into enforce mode.
1 Install AppArmor
Install AppArmor as described in the separate article on installing AppArmor.
2 Modify and apply Postfix profile
Copy the extra profiles into place as described in /usr/share/doc/apparmor-profiles/extras/README.
$ cd /usr/share/doc/apparmor-profiles/extras/
$ sudo cp ./*postfix* usr.sbin.post* /etc/apparmor.d/
$ sudo cp usr.bin.procmail usr.sbin.sendmail /etc/apparmor.d/
Modify /etc/apparmor.d/usr.sbin.postdrop and /etc/apparmor.d/usr.sbin.sendmail. The patch below was derived from the DENIED messages AppArmor logged for the unmodified profiles.
cd /etc/apparmor.d/
cat <<EOF | sudo patch -p1
--- a/usr.sbin.postdrop	2017-03-16 10:11:02.000000000 +0900
+++ b/usr.sbin.postdrop	2017-06-15 01:38:43.872475626 +0900
@@ -30,5 +30,7 @@
   /var/spool/postfix/maildrop r,
   /var/spool/postfix/maildrop/* rwl,
   /var/spool/postfix/pid r,
-  /var/spool/postfix/public/pickup w,
+  /var/spool/postfix/public/pickup rw,
+
+  unix peer=(label=/usr/sbin/sendmail),
 }
EOF
cat <<EOF | sudo patch -p1
--- a/usr.sbin.sendmail	2017-03-16 10:11:02.000000000 +0900
+++ b/usr.sbin.sendmail	2017-06-15 01:37:47.523847207 +0900
@@ -87,4 +87,6 @@
   /var/spool/postfix/public/showq w,
   /var/spool/postfix r,
   /var/spool/postfix/saved r,
+
+  unix peer=(label=/usr/sbin/postdrop),
 }
EOF
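Review bot: in the usr.sbin.postdrop hunk, the added `unix peer=(label=/usr/sbin/sendmail),` rule carries no access list or socket type, so it grants every unix-socket operation of every type toward that peer; since it was derived from one specific DENIED message, narrow it to what the log actually showed, for example `unix (send, receive) type=stream peer=(label=/usr/sbin/sendmail),` if the denial was on a stream socket. The same hunk widens `/var/spool/postfix/public/pickup` from `w` to `rw`; keep the read bit only if the logged denied_mask requested it. The two bare `+` lines add blank lines inside the rule block and can be dropped.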
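Review bot: in the usr.sbin.sendmail hunk, the mirror rule `unix peer=(label=/usr/sbin/postdrop),` is equally unqualified and should be narrowed to the same access list and socket type as its counterpart in usr.sbin.postdrop, since both sides of the pair must agree for the exchange to be permitted. A one-line comment above it, such as `# postdrop/sendmail socket pair, see matching rule in usr.sbin.postdrop`, would document why the rule exists and that the two profiles must stay in sync.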
Put the profiles into enforce mode.
$ sudo aa-enforce /etc/apparmor.d/*postfix*
$ sudo aa-enforce /etc/apparmor.d/usr.sbin.post*
$ sudo aa-enforce /etc/apparmor.d/usr.bin.procmail
$ sudo aa-enforce /etc/apparmor.d/usr.sbin.sendmail
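The patch above was derived by reading DENIED messages and writing the matching rules by hand; the script below, an added example that is not part of the original article, shows that derivation mechanically for the postdrop and sendmail profiles. The log lines are constructed samples in the shape of the kernel audit output, and the paths, PIDs and peer labels in them are illustrative assumptions.

```bash
#!/bin/bash
# Added example, not part of the original article: turn AppArmor DENIED audit
# lines into candidate profile rules, which is how the postdrop/sendmail patch
# above was derived. The log lines are constructed samples shaped like the
# kernel/audit output; paths, pids and peer labels are illustrative.
SAMPLE_LOG='apparmor="DENIED" operation="open" profile="/usr/sbin/postdrop" name="/var/spool/postfix/public/pickup" pid=1234 comm="postdrop" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/postdrop" pid=1234 comm="postdrop" family="unix" sock_type="stream" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr=none peer="/usr/sbin/sendmail"
apparmor="DENIED" operation="recvmsg" profile="/usr/sbin/sendmail" pid=1235 comm="sendmail" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive" addr=none peer_addr=none peer="/usr/sbin/postdrop"
apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/postdrop" pid=1236 comm="postdrop" family="unix" sock_type="stream" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr=none peer="/usr/sbin/sendmail"'

# field LINE KEY: print the quoted value of KEY="..." in LINE (empty if absent)
field() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# rule_for LINE: print "<profile>|<rule>" for one DENIED line. Unix socket
# denials become a qualified unix rule (access, socket type, peer label);
# everything else is treated as a file access denial on the logged path.
rule_for() {
  local line=$1 profile mask
  profile=$(field "$line" profile)
  mask=$(field "$line" denied_mask)
  if [ "$(field "$line" family)" = unix ]; then
    printf '%s|unix (%s) type=%s peer=(label=%s),\n' "$profile" "$mask" \
      "$(field "$line" sock_type)" "$(field "$line" peer)"
  else
    printf '%s|%s %s,\n' "$profile" "$(field "$line" name)" "$mask"
  fi
}

# suggest_rules PROFILE: deduplicated rule lines for PROFILE, in log order,
# indented as they would appear inside the profile block
suggest_rules() {
  printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    case $line in *'apparmor="DENIED"'*) rule_for "$line" ;; esac
  done | awk -F'|' -v p="$1" '$1 == p && !seen[$2]++ { print "  " $2 }'
}

for p in /usr/sbin/postdrop /usr/sbin/sendmail; do
  printf '%s {\n' "$p"; suggest_rules "$p"; printf '}\n'
done
```

A rule emitted for a path that already has a line in the profile has to be merged into that line (here `r` joins the existing `w` to give the `rw` seen in the patch), and the generated unix rule is deliberately narrower than the bare `unix peer=(label=...)` form the patch adds.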