Hello,

last profile for this night: amavisd

I'm using this profile on some servers, which means it is complete - at 
least for my use case. Depending on the virus scanner you use, you'll 
probably need to add more ix (or Px) rules.

Hmm, maybe it would be better to give each virus scanner its own child 
profile where it can
a) read everything it needs to run ("grep clam profile_below")
b) read the directory where amavis temporarily stores the mail
c) write nothing ;-)  (especially not in /var/spool/amavis/)

I added inline comments (###) to explain some details - those should 
probably also be included in the profile. While adding the comments, I 
also noticed some strange[tm] things, but I'm too tired to change them 
now ;-)



# Last Modified: Sun Mar  4 11:07:40 2012
#include <tunables/global>

/usr/sbin/amavisd {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/consoles>

### I use mysql for storing my mail domains and users
  #include <abstractions/mysql>

  #include <abstractions/nameservice>
  #include <abstractions/perl>

  capability chown,
  capability dac_override,
  capability kill,
  capability setgid,
  capability setuid,
  capability sys_tty_config,

### amavis tries to rename its config file to make sure it does 
### NOT have permissions to do it. See
### https://lists.ubuntu.com/archives/apparmor/2011-March/000991.html 
### https://lists.ubuntu.com/archives/apparmor/2011-April/000997.html
### for the reason why we need those rules.
  deny /etc/amavisd.conf w,
  deny /etc/amavisd.conf.moved w,

  /bin/cpio rix,
  /bin/gzip rix,
  /etc/amavisd.conf r,

### amavisd.conf.local is specific for my setup - probably I should move 
### this rule to the local/ snippet
  owner /etc/amavisd.conf.local r,

  /etc/clamd.conf r,
  /etc/magic r,
  /etc/mail/spamassassin r,
  /etc/mail/spamassassin/ r,
  /etc/mail/spamassassin/* r,
  owner /proc/uptime r,
  /sys/devices/system/cpu/online r,
  /tmp/PerlIO_* w,
  /tmp/file?????? wk,
  /usr/bin/bzip2 rix,
  /usr/bin/cabextract rix,
  /usr/bin/clamscan rix,
  /usr/bin/file rix,
  /usr/bin/lha rix,
  /usr/bin/pax rix,
  /usr/bin/perl ix,
  /usr/bin/rpm2cpio rix,
  /usr/bin/unarj rix,
  /usr/bin/unrar rix,

### rules for usr/bin/uptime should be merged - mr + px doesn't really
### make sense
  owner /usr/bin/uptime mr,
  /usr/bin/uptime px,
  /usr/sbin/amavisd mr,
  /usr/share/misc/magic.mgc r,
  /usr/share/spamassassin r, ### this one is outdated...
  /usr/share/spamassassin/ r,
  /usr/share/spamassassin/* r,
  /var/lib/clamav r,  ### also outdated
  /var/lib/clamav/** r,
  /var/lib/clamav/.dbLock rw,
  owner /var/lib/clamav/clamd-socket w,
  /var/lib/clamav/clamd-socket r,
  /var/lib/clamav/daily.inc/.dbLock rw,
  /var/lib/clamav/main.inc/.dbLock rw,
  /var/run/nscd/services r,
  owner /var/run/utmp rwk,
  /var/spool/amavis/** rwl,
  owner /var/spool/amavis/amavisd.lock k,
  /var/spool/amavis/amavisd.lock rwl,

}




For completeness:

# Last Modified: Fri Mar  6 21:50:15 2009
#include <tunables/global>

/usr/bin/uptime flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>



  /proc/loadavg r,
  /proc/uptime r,
  /usr/bin/uptime mr,
  /var/run/utmp rwk,

}



Regards,

Christian Boltz
-- 
> How do you count a person as one of your girlfriends?
It's quite simple:
  Freundin
+   Person
----------
  FrÜØ×àÚµ                                     [Henning Sponbiel and
I just wonder what you get out of it.         Andreas Ferber in dtb]


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

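The per-scanner child profile Christian suggests above (read what the scanner needs, read the amavis temp directory, write nothing there), written out as an added example. This is not code from the post or from the amavisd or ClamAV projects: the Cx transition replaces the posted `/usr/bin/clamscan rix,` rule, the clamav database and lock-file rules are lifted from the posted amavisd profile on the assumption that they were generated by clamscan running under ix, and the /tmp glob patterns for clamscan's unpack directory are an assumption to be confirmed with aa-logprof. The point of the Cx transition is that, unlike ix, the child profile does not inherit the parent's `/var/spool/amavis/** rwl` rule; the scanner only gets the rules listed inside its own block.

```apparmor
# Added example, not Christian's posted profile: run clamscan in a named
# child profile ("Cx") instead of "ix", so the scanner does not inherit
# amavisd's write access to /var/spool/amavis/.  Paths and globs below are
# assumptions; confirm them with aa-logprof before enforcing.
#include <tunables/global>

/usr/sbin/amavisd {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/perl>

  # ... the remaining amavisd rules from the posted profile stay as they are;
  # only the clamscan rule changes and the child block is added ...

  # Transition into the named child profile below instead of "rix".
  /usr/bin/clamscan Cx -> clamscan,

  # The child starts with an empty rule set: nothing from the parent
  # (in particular "/var/spool/amavis/** rwl") carries over.
  profile clamscan {
    #include <abstractions/base>

    /usr/bin/clamscan mr,

    # a) what the scanner needs to run: signature databases and lock files
    #    (assumed to be the clamav rules from the posted amavisd profile,
    #    which landed there because clamscan ran under "ix")
    /var/lib/clamav/ r,
    /var/lib/clamav/** r,
    /var/lib/clamav/.dbLock rw,
    /var/lib/clamav/daily.inc/.dbLock rw,
    /var/lib/clamav/main.inc/.dbLock rw,

    # b) read the mail amavis unpacked for scanning
    /var/spool/amavis/ r,
    /var/spool/amavis/** r,

    # c) write nothing in amavis' spool: deny rules win over allow rules,
    #    and "audit" makes every attempt show up in the log
    audit deny /var/spool/amavis/** wl,

    # Assumption: clamscan unpacks archives into a temp dir (--tempdir,
    # default /tmp).  Restrict that to files it owns under a scanner-specific
    # prefix; adjust the pattern after checking aa-logprof output.
    owner /tmp/clamav-* rw,
    owner /tmp/clamav-*/** rw,
  }
}
```

Reload the file with `apparmor_parser -r /etc/apparmor.d/usr.sbin.amavisd`; `aa-status` then lists the child as `/usr/sbin/amavisd//clamscan`. While collecting the scanner's real rule set, put `flags=(complain)` on the child block only, so the amavisd parent stays in enforce mode and denied writes into /var/spool/amavis/ still show up as audit entries rather than being silently allowed.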