Table of Contents
1 Install AppArmor
Install AppArmor as described in this article.
2 Modify and apply Postfix profile
Copy profiles according to /usr/share/doc/apparmor-profiles/extras/README.
$ cd /usr/share/doc/apparmor-profiles/extras/
$ sudo cp ./*postfix* usr.sbin.post* /etc/apparmor.d/
$ sudo cp usr.bin.procmail usr.sbin.sendmail /etc/apparmor.d/
Modify /etc/apparmor.d/usr.sbin.postdrop and /etc/apparmor.d/usr.sbin.sendmail. The following patch was derived from the DENIED messages that AppArmor logged.
cd /etc/apparmor.d/cat <<EOF | sudo patch -p1— a/usr.sbin.postdrop 2017-03-16 10:11:02.000000000 +0900+++ b/usr.sbin.postdrop 2017-06-15 01:38:43.872475626 +0900@@ -30,5 +30,7 @@ /var/spool/postfix/maildrop r, /var/spool/postfix/maildrop/* rwl, /var/spool/postfix/pid r,- /var/spool/postfix/public/pickup w,+ /var/spool/postfix/public/pickup rw,++ unix peer=(label=/usr/sbin/sendmail), }You have mail in /var/mail/hiroom2EOFcat <<EOF | sudo patch -p1— a/usr.sbin.sendmail 2017-03-16 10:11:02.000000000 +0900+++ b/usr.sbin.sendmail 2017-06-15 01:37:47.523847207 +0900@@ -87,4 +87,6 @@ /var/spool/postfix/public/showq w, /var/spool/postfix r, /var/spool/postfix/saved r,++ unix peer=(label=/usr/sbin/postdrop), }EOF
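Review bot: in the usr.sbin.postdrop hunk, widening `/var/spool/postfix/public/pickup` from `w` to `rw` should be backed by a logged denial for `r`; if the audit record only shows the unix-socket denial, keep `w` and add just the `unix peer=(label=/usr/sbin/sendmail),` line so the pickup FIFO stays write-only for postdrop. Two transcription problems will also stop this hunk from applying as pasted: the `You have mail in /var/mail/hiroom2` line before the first `EOF` is terminal output that was captured into the transcript and will be fed to patch as part of its input, and the `—` at the start of both `a/usr.sbin.postdrop` and `a/usr.sbin.sendmail` file headers is an em dash substituted for the three hyphens (`---`) patch needs to recognise a unified diff.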
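Review bot: the `unix peer=(label=/usr/sbin/postdrop),` rule added in the usr.sbin.sendmail hunk grants every unix-socket operation to that peer, and it only works together with the mirrored `unix peer=(label=/usr/sbin/sendmail),` rule in the postdrop hunk; both labels must match the profile names exactly, which holds here only as long as the profiles keep their path-based names. Consider adding a comment above the rule naming the DENIED operation that motivated it, since the hunk carries none and the pairing between the two profiles is otherwise invisible to the next person editing either file.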
Put the profiles into enforce mode.
$ sudo aa-enforce /etc/apparmor.d/*postfix*
$ sudo aa-enforce /etc/apparmor.d/usr.sbin.post*
$ sudo aa-enforce /etc/apparmor.d/usr.bin.procmail
$ sudo aa-enforce /etc/apparmor.d/usr.sbin.sendmail
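As an added example that is not part of the original article, the script below summarises the AppArmor DENIED audit records that motivate profile changes like the patch above, printing one line per denied access (profile, operation, file path or peer label, denied mask). The audit lines it reads are constructed to illustrate the record format and are not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original article): turn AppArmor DENIED audit
# records into a compact per-record summary so the rule to add to the profile
# (a path plus mask, or a unix peer label) is obvious at a glance.

# Print the value of key="..." from one audit record, or "-" when absent.
field() {
    v=$(printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\"\([^\"]*\)\".*/\1/p")
    printf '%s\n' "${v:--}"
}

# Read audit lines on stdin; emit: profile<TAB>operation<TAB>target<TAB>denied_mask.
# target is name= for file accesses and peer= (the peer's label) for unix sockets.
denied_summary() {
    while IFS= read -r line; do
        case $line in *'apparmor="DENIED"'*) ;; *) continue ;; esac
        profile=$(field "$line" profile)
        op=$(field "$line" operation)
        target=$(field "$line" name)
        if [ "$target" = - ]; then
            target=$(field "$line" peer)
        fi
        mask=$(field "$line" denied_mask)
        printf '%s\t%s\t%s\t%s\n' "$profile" "$op" "$target" "$mask"
    done
}

# Constructed sample records: a file denial, a unix-socket denial, and an
# ALLOWED record (complain mode) that must be ignored.
SAMPLE_LOG='type=AVC msg=audit(1497461918.123:456): apparmor="DENIED" operation="open" profile="/usr/sbin/postdrop" name="/var/spool/postfix/public/pickup" pid=1234 comm="postdrop" requested_mask="r" denied_mask="r" fsuid=101 ouid=101
type=AVC msg=audit(1497461918.124:457): apparmor="DENIED" operation="connect" profile="/usr/sbin/postdrop" pid=1234 comm="postdrop" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr=none peer_addr=none peer="/usr/sbin/sendmail"
type=AVC msg=audit(1497461918.125:458): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sendmail" name="/etc/postfix/main.cf" pid=1235 comm="sendmail" requested_mask="r" denied_mask="r"'

printf '%s\n' "$SAMPLE_LOG" | denied_summary
```

On a live system, feed it the kernel or audit log instead of the sample (for example `journalctl -k | denied_summary`) and compare each line against the rules already in the profile.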