Ubuntu 16.04: Enforce Postfix profile to AppArmor

This article describes how to modify the Postfix profiles shipped with apparmor-profiles and put them into enforce mode under AppArmor.

1 Install AppArmor

Install AppArmor as described in this article.

2 Modify and apply Postfix profile

Copy profiles according to /usr/share/doc/apparmor-profiles/extras/README.

$ cd /usr/share/doc/apparmor-profiles/extras/
$ sudo cp ./*postfix* usr.sbin.post* /etc/apparmor.d/
$ sudo cp usr.bin.procmail usr.sbin.sendmail /etc/apparmor.d/

Modify /etc/apparmor.d/usr.sbin.postdrop and /etc/apparmor.d/usr.sbin.sendmail. The patches below were written from the DENIED messages that AppArmor logged for these two profiles.

cd /etc/apparmor.d/
cat <<EOF | sudo patch -p1
--- a/usr.sbin.postdrop   2017-03-16 10:11:02.000000000 +0900
+++ b/usr.sbin.postdrop   2017-06-15 01:38:43.872475626 +0900
@@ -30,5 +30,7 @@
   /var/spool/postfix/maildrop r,
   /var/spool/postfix/maildrop/* rwl,
   /var/spool/postfix/pid r,
-  /var/spool/postfix/public/pickup w,
+  /var/spool/postfix/public/pickup rw,
+
+  unix peer=(label=/usr/sbin/sendmail),
 }
EOF
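Review bot: the `unix peer=(label=/usr/sbin/sendmail),` line added at the end of the hunk is unqualified, so it permits every unix socket type and every access (create, bind, connect, send, receive, and so on) towards that peer label; unless the DENIED messages asked for more than send/receive, narrow it to `unix (send, receive) peer=(label=/usr/sbin/sendmail),`. The change from `w` to `rw` on `/var/spool/postfix/public/pickup` also deserves a comment in the profile quoting the denial that needed read access, since the profile shipped in extras granted write only on that FIFO.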
cat <<EOF | sudo patch -p1
--- a/usr.sbin.sendmail   2017-03-16 10:11:02.000000000 +0900
+++ b/usr.sbin.sendmail   2017-06-15 01:37:47.523847207 +0900
@@ -87,4 +87,6 @@
   /var/spool/postfix/public/showq          w,
   /var/spool/postfix                       r,
   /var/spool/postfix/saved                 r,
+
+  unix peer=(label=/usr/sbin/postdrop),
 }
EOF
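Review bot: same point as for usr.sbin.postdrop: `unix peer=(label=/usr/sbin/postdrop),` grants all unix socket permissions, so prefer `unix (send, receive) peer=(label=/usr/sbin/postdrop),` if that is all the log showed. It is also worth a comment that this rule is the other half of the pair in usr.sbin.postdrop: the labels are the profile names, so if either profile is ever renamed both rules stop matching and the denials come back.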

Put the profiles into enforce mode.

$ sudo aa-enforce /etc/apparmor.d/*postfix*
$ sudo aa-enforce /etc/apparmor.d/usr.sbin.post*
$ sudo aa-enforce /etc/apparmor.d/usr.bin.procmail
$ sudo aa-enforce /etc/apparmor.d/usr.sbin.sendmail
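The patches above were derived by hand from DENIED messages. As an added example that is not part of the original article, the script below turns such audit lines into candidate profile rules; the log lines in SAMPLE_LOG are constructed samples in the kernel's key="value" audit format (an assumption about the exact field layout), and for socket denials it emits the narrower `unix (send) peer=(...)` form rather than the unqualified `unix peer=(...)` used in the patch.

```shell
#!/bin/sh
# Added example, not from the original article: derive candidate AppArmor
# rules from DENIED audit lines, the way the patches above were built by hand.
# SAMPLE_LOG holds constructed lines (assumption: real lines carry the same
# key="value" fields); they are not real captures.
SAMPLE_LOG='apparmor="DENIED" operation="open" profile="/usr/sbin/postdrop" name="/var/spool/postfix/public/pickup" pid=2034 comm="postdrop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="sendmsg" profile="/usr/sbin/postdrop" pid=2034 comm="postdrop" family="unix" sock_type="stream" protocol=0 requested_mask="send" denied_mask="send" addr=none peer_addr=none peer="/usr/sbin/sendmail"
apparmor="DENIED" operation="recvmsg" profile="/usr/sbin/sendmail" pid=2033 comm="sendmail" family="unix" sock_type="stream" protocol=0 requested_mask="receive" denied_mask="receive" addr=none peer_addr=none peer="/usr/sbin/postdrop"
apparmor="ALLOWED" operation="open" profile="/usr/sbin/sendmail" name="/etc/postfix/main.cf" pid=2033 comm="sendmail" requested_mask="r" denied_mask="r"'

# field KEY LINE: print the quoted value of KEY="..." in LINE, or nothing.
field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# denied_profile LINE: the profile the line was logged against.
denied_profile() { field profile "$1"; }

# suggest_rule LINE: print one profile rule for a DENIED line; returns 1 for
# lines that are not denials or that name neither a file nor a socket peer.
suggest_rule() {
  case $1 in *'apparmor="DENIED"'*) ;; *) return 1 ;; esac
  mask=$(field denied_mask "$1")
  peer=$(field peer "$1")
  name=$(field name "$1")
  if [ -n "$peer" ]; then
    # Unix socket denial: grant only the denied direction(s) to that peer
    # label, narrower than the unqualified "unix peer=(...)" in the patch.
    printf 'unix (%s) peer=(label=%s),\n' "$(printf '%s' "$mask" | sed 's/ /, /g')" "$peer"
  elif [ -n "$name" ]; then
    # File denial: denied_mask letters are AppArmor file permissions.
    printf '%s %s,\n' "$name" "$mask"
  else
    return 1
  fi
}

# rules_for_profile PROFILE: unique candidate rules for one profile.
rules_for_profile() {
  printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    [ "$(denied_profile "$line")" = "$1" ] || continue
    suggest_rule "$line" || true
  done | sort -u
}

rules_for_profile /usr/sbin/postdrop
rules_for_profile /usr/sbin/sendmail
```

On a live system, feed `journalctl -k` or /var/log/kern.log lines instead of SAMPLE_LOG and review each suggested rule before adding it to the profile.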