21.12.2024 16:30, Tomasz Pala via Postfix-users wrote:

> The real problem is I can't really confine local, as it's the same
> CGroup as the rest of postfix, so the holes punched for example for
> postfix-script cannot be sealed and are kept for good.

As I demonstrated before, it's rather trivial to omit punching holes
for postfix-script.

  ExecStartPre = +postfix check-fatal
  ExecStartPre = +postfix check-warn
  ExecStartPre = touch /var/spool/postfix/quick-start
  ExecStart = postfix start

plus a few other workarounds for lack of cap-dac-override.

You can remove many capabilities already (cap-net-admin, keep
cap-net-service only, etc).

/mjt