
Process-greedy postfix and NPROC for pipe

PostPosted: Mon Oct 31, 2011 3:46 pm
by salam
Hi,

I am trying to set up limits for processes, but I'm not quite sure what the mail system does on the host. There are very few users - exactly 56. But still, I'm receiving logs like this:

kernel: grsec: From 87.x.x.x: (root:U:/usr/lib64/postfix/pipe) denied resource overstep by requesting 401 for RLIMIT_NPROC against limit 120 for /usr/lib64/postfix/pipe[pipe:11622] uid/euid:0/207 gid/egid:0/207, parent /usr/lib64/postfix/master[master:11444] uid/euid:0/0 gid/egid:0/0


401??? OK, so I increased this to RES_NPROC 450 500... only to immediately see this:

kernel: grsec: From 87.x.x.x: (root:U:/usr/lib64/postfix/pipe) denied resource overstep by requesting 521 for RLIMIT_NPROC against limit 450 for /usr/lib64/postfix/pipe[pipe:14507] uid/euid:0/207 gid/egid:0/207, parent /usr/lib64/postfix/master[master:11444] uid/euid:0/0 gid/egid:0/0


Did someone here experience similar issues?

----------------------------------

The second issue I have is this message:
kernel: grsec: From 87.x.x.x: denied resource overstep by requesting 117 for RLIMIT_NPROC against limit 30 for /usr/lib64/postfix/pipe[pipe:17835] uid/euid:0/207 gid/egid:0/207, parent /usr/lib64/postfix/master[master:11444] uid/euid:0/0 gid/egid:0/0


As you can see, there is no role and subject information, so I'm not quite sure where to apply the restriction. Also, I'm not sure where this "30" limit comes from.

This is the current ACL for pipe under root role:
subject /usr/lib64/postfix/pipe {
    bind   0.0.0.0/32:0 stream ip
    RES_NPROC 120 130
    connect disabled
    sock_allow_family unix inet netlink
}


And this one is for the "postfix" role (that's UID 207):
subject /usr/lib64/postfix/pipe {
    RES_NPROC 120 130
}


I don't see any 30 NPROC there...

Thanks for any hints...
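A small parser for these grsec "denied resource overstep" lines, added here as an example and not part of the original post: it splits each line into its fields, flags whether a (role:type:subject) prefix was logged at all, and reports the peak requested value against the limit per subject and path, which is how one would check whether the RBAC entry for the pipe subject is the one being hit. The two sample lines are constructed from the messages quoted above.

```python
import re

# Constructed sample lines modelled on the messages quoted in the post.
SAMPLE_LOG = """\
kernel: grsec: From 87.x.x.x: (root:U:/usr/lib64/postfix/pipe) denied resource overstep by requesting 401 for RLIMIT_NPROC against limit 120 for /usr/lib64/postfix/pipe[pipe:11622] uid/euid:0/207 gid/egid:0/207, parent /usr/lib64/postfix/master[master:11444] uid/euid:0/0 gid/egid:0/0
kernel: grsec: From 87.x.x.x: denied resource overstep by requesting 117 for RLIMIT_NPROC against limit 30 for /usr/lib64/postfix/pipe[pipe:17835] uid/euid:0/207 gid/egid:0/207, parent /usr/lib64/postfix/master[master:11444] uid/euid:0/0 gid/egid:0/0
"""

# The "(role:type:subject)" prefix is optional: it is absent on the second line.
LINE_RE = re.compile(
    r"grsec: From (?P<src>\S+): "
    r"(?:\((?P<role>[^:]+):(?P<roletype>[^:]+):(?P<subject>[^)]+)\) )?"
    r"denied resource overstep by requesting (?P<requested>\d+) "
    r"for (?P<resource>RLIMIT_\w+) against limit (?P<limit>\d+) "
    r"for (?P<path>\S+?)\[(?P<comm>[^:]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<ppath>\S+?)\[(?P<pcomm>[^:]+):(?P<ppid>\d+)\]"
)


def parse_line(line):
    """Return the fields of one resource-overstep line as a dict, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("requested", "limit", "pid", "ppid", "uid", "euid", "gid", "egid"):
        ev[key] = int(ev[key])
    # True only when grsec logged an RBAC role/subject for the process.
    ev["has_rbac_subject"] = ev["subject"] is not None
    return ev


def summarize(log_text):
    """Group events by (subject or none, path, resource): count, peak request, limit."""
    peaks = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["subject"] or "<no RBAC subject>", ev["path"], ev["resource"])
        entry = peaks.setdefault(key, {"count": 0, "peak_requested": 0, "limit": ev["limit"]})
        entry["count"] += 1
        entry["peak_requested"] = max(entry["peak_requested"], ev["requested"])
    return peaks


if __name__ == "__main__":
    for key, entry in summarize(SAMPLE_LOG).items():
        print(key, entry)
```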