Re: default MTA for sarge
On Wed, 16 Jul 2003 23:00, Bernhard R. Link wrote:
> * Russell Coker <russell@coker.com.au> [030716 04:11]:
> > My SE Linux policy for Postfix and Qmail has different domains for each
> > of the common daemon processes, this gives them greater isolation from
> > each other and the rest of the system than they normally get.
>
> That's an advantage in the current situation for postfix. (But not even
> in the standard installation.)
I'm sure that there are other security system that will also allow better
control of Postfix than Sendmail for the same reason. Any system based on
the domain-type model that only permits domain transitions across exec (such
as SE Linux) and any system with security based on ACLs for process name (I
believe that GRSec is one example of this) will have less ability to usefully
restrict sendmail than they will have to usefully restrict Postfix.
Systrace could probably do some useful things with Sendmail, but you would
have to write your own control program for it (from my understanding the
default one does not do what you would desire for this).
> to user ids. A monolithic secure design with SELinux in mind would
> not only drop uid-privileges but also roles, thus gaining similar
Normally a daemon never runs any program in a role other than "system_r", and
domain transitions only happen at exec time. This is why we can have
different domains for different parts of Postfix but not for different parts
of Sendmail. If Sendmail was to exec() itself at various milestones in the
delivery of a message then things would be different.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
Reply to: