Postfix + Courier Imapd
Posted: Tue Dec 26, 2006 6:49 pm
Postfix and courier-imap are complex programs to write a policy for. Learning mode (in my opinion) granted both applications too much access, so I decided to use the output of dmesg to write a policy. Below is my policy. Is my policy granting too much access? How can I better secure it?
# Subject mode d: hide /proc/<pid>/fd and /proc/<pid>/mem of these processes.
subject /usr/sbin/courierlogger d
	/dev/log rw
	# Drop every capability, then grant back only the ones listed.
	-CAP_ALL
	+CAP_DAC_OVERRIDE
subject /usr/bin/imapd d
	# h: everything under /var is hidden, except the objects listed below it.
	/var h
	# r read, w write, c create, d delete, l link
	/var/mail rwcdl
	# No capability lines here, so this subject's capabilities are not restricted.
subject /usr/sbin/postfix d
	/dev/log rw
	-CAP_ALL
	+CAP_DAC_OVERRIDE
	+CAP_DAC_READ_SEARCH
# A directory subject covers every binary under it (the postfix daemons).
# Mode p: protected; can only be killed by processes with the k subject mode.
subject /usr/lib/postfix dp
	/dev/log rw
	/var h
	/var/run rwc
	/var/mail rwcdl
	/var/spool/postfix rwcdl
	-CAP_ALL
	+CAP_NET_BIND_SERVICE
	+CAP_DAC_OVERRIDE
	+CAP_DAC_READ_SEARCH
	+CAP_SETGID
	+CAP_SETUID
	+CAP_SYS_CHROOT
subject /usr/sbin/postlog d
	/dev/log rw
	-CAP_ALL
	+CAP_DAC_OVERRIDE
	+CAP_DAC_READ_SEARCH
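To answer "is this granting too much access?" systematically, the following is an added example (not from the poster, not part of gradm) that parses the policy fragment above and reports, per subject, the effective capability set and every object the subject may modify. It embeds the poster's policy verbatim as its input. The RBAC semantics it relies on are that capabilities are allowed unless removed, so a subject with no -CAP_ALL keeps all of them, and that w, c, d and l are the object modes that change state on disk. The list of "root-equivalent" capabilities it flags is the reviewer's own judgement, an assumption rather than anything gradm defines.

```python
"""Audit a grsecurity RBAC policy fragment for over-broad grants.

Added example; the parser handles only the subset of the gradm syntax
used in the post (subject lines, object lines, +CAP_/-CAP_ lines, # comments).
"""
from dataclasses import dataclass, field

# The poster's policy, embedded verbatim so the script runs offline.
POLICY = """\
subject /usr/sbin/courierlogger d
/dev/log rw
-CAP_ALL
+CAP_DAC_OVERRIDE
subject /usr/bin/imapd d
/var h
/var/mail rwcdl
subject /usr/sbin/postfix d
/dev/log rw
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
subject /usr/lib/postfix dp
/dev/log rw
/var h
/var/run rwc
/var/mail rwcdl
/var/spool/postfix rwcdl
-CAP_ALL
+CAP_NET_BIND_SERVICE
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
+CAP_SETGID
+CAP_SETUID
+CAP_SYS_CHROOT
subject /usr/sbin/postlog d
/dev/log rw
-CAP_ALL
+CAP_DAC_OVERRIDE
+CAP_DAC_READ_SEARCH
"""

# Object modes that let a subject change state: write, create, delete, link.
WRITE_LIKE = set("wcdl")

# Assumption: the reviewer's list of capabilities that are effectively root.
ROOT_EQUIVALENT_CAPS = {
    "CAP_DAC_OVERRIDE", "CAP_SETUID", "CAP_SETGID", "CAP_SYS_CHROOT",
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
}


@dataclass
class Subject:
    path: str
    mode: str
    objects: dict = field(default_factory=dict)   # object path -> mode letters
    removed_all: bool = False                      # saw -CAP_ALL
    granted: set = field(default_factory=set)      # caps re-added after -CAP_ALL


def parse_policy(text):
    """Return the list of subjects in the order they appear."""
    subjects, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "subject":
            cur = Subject(parts[1], parts[2] if len(parts) > 2 else "")
            subjects.append(cur)
        elif parts[0] == "-CAP_ALL":
            cur.removed_all, cur.granted = True, set()
        elif parts[0].startswith("+CAP_"):
            cur.granted.add(parts[0][1:])
        elif parts[0].startswith("-CAP_"):
            cur.granted.discard(parts[0][1:])
        else:
            cur.objects[parts[0]] = parts[1] if len(parts) > 1 else ""
    return subjects


def effective_caps(subj):
    """Capabilities the subject ends up with; None means unrestricted."""
    return subj.granted if subj.removed_all else None


def audit(subj):
    """Findings a reviewer would raise for one subject, as tagged strings."""
    findings = []
    caps = effective_caps(subj)
    if caps is None:
        findings.append("UNRESTRICTED_CAPS: no -CAP_ALL, every capability is allowed")
    else:
        risky = sorted(caps & ROOT_EQUIVALENT_CAPS)
        if risky:
            findings.append("ROOT_EQUIVALENT_CAPS: " + ",".join(risky))
    for path, mode in sorted(subj.objects.items()):
        if WRITE_LIKE & set(mode):
            findings.append(f"WRITE_ACCESS: {path} {mode}")
    return findings


if __name__ == "__main__":
    for s in parse_policy(POLICY):
        print(f"subject {s.path} {s.mode}")
        for f in audit(s):
            print("   ", f)
```

Run against the posted policy, the output shows the two things most worth a second look: /usr/bin/imapd has no -CAP_ALL at all, so it keeps every capability, and the /usr/lib/postfix subject combines CAP_DAC_OVERRIDE, CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT with create/delete rights under /var/mail and /var/spool/postfix.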