Issues with and RBAC Policy for Postfix
Posted: Fri Jul 10, 2015 5:09 am
EDIT 2015-07-21 09:01 CET:
IMPORTANT: This topic contains a lot of rambling in wrong direction. So take care not to follow blindly, lots of time lost.
I might however be succeeding at setting the RBAC policy for Postfix right, eventually.
title:
Issues with and RBAC Policy for Postfix
=============================================================
previous title:
A denied seteuid issue with Postfix (Role: root)
---
I have just studied:
The grsecurity Wiki
https://en.wikibooks.org/wiki/Grsecurity
for another bout of not so small number of hours (and I'd like to try and finish my today's posting with what amazed me the most. Because, to me, it's pure and sublime intellectual thrills the honest and capable, sophisticated and eye-opening, programs which there are a few available in the FOSS world, and among which programs, the grsecurity [including PaX] is the leader in the revealing and in the excellence. I'm reserving my telling to you about what amazed me the most in that wikibook, for the last paragraphs of the few posts that I, hopefully, plan to post today in this topic that I've opened on Grsecurity Forums.)
I needed to dedicate another almost a day (just as previously I had dedicated to reading that wikibooks at least a few weekends), because I had stumbled upon my Postfix installation throttling for some reason. And I needed to figure out that reason and resolve it.
The configuration current to the problem is posted complete on:
A no-poetteringware desktop RBAC policy
viewtopic.php?f=5&t=4153#p15354
The most striking issue that I have there, in comparison with what I hoped would be the setup that I would have been able to accomplish, and which is the simple solution that spender gave on:
How to tell what role a process has
viewtopic.php?f=3&t=3913#p13838
[The most striking issue that I have in my current policy available in that other topic in this Forum) is:
I have postfix in role root, and postfix in role postfix, and I don't seem to be able to resolve it and have only the role postfix to suffice for all, as spender has.
I am yet to learn and reduce my policy for postfix (in the role postfix), but I want to show my postfix throttling issue here, and how I'm trying to solve it.
My current postfix configuration has the ' -v's added to smtp, cleanup, qmgr, tlsmgr, trivial-rewrite, bounce and defer in the /etc/postfix/master.cnf according to the advice in the:
Postfix Debugging Howto
http://www.postfix.org/DEBUG_README.html
which I explained in my Gentoo Forum topic:
Postfix not working [to be re-titled]
https://forums.gentoo.org/viewtopic-t-1021456.html
And I'll post the problem as it occurred yesterday (as it did before many times, but understanding the logs is a mastery in itself, takes time too), just after noon, when I tried to send message via my MTA Postfix.
And for the newbies reading this, who will need to delve more intently into it (till they become proficient and spread their wings for real in this arcane and intrigueing knowledge), the main lines are:
See the "throttling" just above?
And above that the "change to uid 0 denied for /usr/libexec/postfix/tlsmgr"?
And further above: "fatal: set_eugid: seteuid(0): Operation not permitted"?
Actually, all the details on the three lines are important!. The first and the third is postfix writing in my /var/log/messages.
And the second is grsec telling what it denied to whom.
The thing is, I had such mail not gets sent issues before, and I knew that sometimes it goes away just if I simply restart postfix, as I did this time too, and the e-mail was then sent, but...
But there may be issues with the restarting! Will try and tell in the next post.
IMPORTANT: This topic contains a lot of rambling in wrong direction. So take care not to follow blindly, lots of time lost.
I might however be succeeding at setting the RBAC policy for Postfix right, eventually.
title:
Issues with and RBAC Policy for Postfix
=============================================================
previous title:
A denied seteuid issue with Postfix (Role: root)
---
I have just studied:
The grsecurity Wiki
https://en.wikibooks.org/wiki/Grsecurity
for another bout of not so small number of hours (and I'd like to try and finish my today's posting with what amazed me the most. Because, to me, it's pure and sublime intellectual thrills the honest and capable, sophisticated and eye-opening, programs which there are a few available in the FOSS world, and among which programs, the grsecurity [including PaX] is the leader in the revealing and in the excellence. I'm reserving my telling to you about what amazed me the most in that wikibook, for the last paragraphs of the few posts that I, hopefully, plan to post today in this topic that I've opened on Grsecurity Forums.)
I needed to dedicate another almost a day (just as previously I had dedicated to reading that wikibooks at least a few weekends), because I had stumbled upon my Postfix installation throttling for some reason. And I needed to figure out that reason and resolve it.
The configuration current to the problem is posted complete on:
A no-poetteringware desktop RBAC policy
viewtopic.php?f=5&t=4153#p15354
The most striking issue that I have there, in comparison with what I hoped would be the setup that I would have been able to accomplish, and which is the simple solution that spender gave on:
How to tell what role a process has
viewtopic.php?f=3&t=3913#p13838
[The most striking issue that I have in my current policy available in that other topic in this Forum) is:
I have postfix in role root, and postfix in role postfix, and I don't seem to be able to resolve it and have only the role postfix to suffice for all, as spender has.
I am yet to learn and reduce my policy for postfix (in the role postfix), but I want to show my postfix throttling issue here, and how I'm trying to solve it.
My current postfix configuration has the ' -v's added to smtp, cleanup, qmgr, tlsmgr, trivial-rewrite, bounce and defer in the /etc/postfix/master.cnf according to the advice in the:
Postfix Debugging Howto
http://www.postfix.org/DEBUG_README.html
which I explained in my Gentoo Forum topic:
Postfix not working [to be re-titled]
https://forums.gentoo.org/viewtopic-t-1021456.html
And I'll post the problem as it occurred yesterday (as it did before many times, but understanding the logs is a mastery in itself, takes time too), just after noon, when I tried to send message via my MTA Postfix.
- Code: Select all
Jul 9 12:07:11 g0n postfix/smtp[26191]: initializing the client-side TLS engine
Jul 9 12:07:11 g0n kernel: grsec: (root:U:/usr/libexec/postfix) exec of /usr/libexec/postfix/tlsmgr (tlsmgr -l -t unix -u -v ) by /usr/libexec/postfix/tlsmgr[master:26192] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:3006] uid/euid:0/0 gid/egid:0/0
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: name_mask: ipv4
Jul 9 12:07:11 g0n kernel: grsec: (root:U:/usr/libexec/postfix) chdir to /var/spool/postfix by /usr/libexec/postfix/tlsmgr[tlsmgr:26192] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:3006] uid/euid:0/0 gid/egid:0/0
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: name_mask: host
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: inet_addr_local: configured 3 IPv4 addresses
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: mynetworks_core: 127.0.0.1/32
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: process generation: 23 (23)
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: tls_prng_dev_open: opened entropy device /dev/urandom
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: set_eugid: euid 207 egid 207
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: tls_prng_exch_open: opened PRNG exchange file /var/lib/postfix/prng_exch
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: name_mask: 3
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: warning: request to update table btree:/etc/postfix/smtp_scache in non-postfix directory /etc/postfix
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: open smtp TLS cache btree:/var/lib/postfix/smtp_scache
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: Compiled against Berkeley DB: 6.0.30?
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: Run-time linked against Berkeley DB: 6.0.30?
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: dict_open: btree:/var/lib/postfix/smtp_scache
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: fatal: set_eugid: seteuid(0): Operation not permitted
Jul 9 12:07:11 g0n kernel: grsec: (root:U:/usr/libexec/postfix) change to uid 0 denied for /usr/libexec/postfix/tlsmgr[tlsmgr:26192] uid/euid:0/207 gid/egid:0/207, parent /usr/libexec/postfix/master[master:3006] uid/euid:0/0 gid/egid:0/0
Jul 9 12:07:12 g0n postfix/master[3006]: warning: process /usr/libexec/postfix/tlsmgr pid 26192 exit status 1
Jul 9 12:07:12 g0n postfix/master[3006]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling
Jul 9 12:07:15 g0n postfix/qmgr[3008]: qmgr_scan_start: start deferred queue scan
Jul 9 12:07:15 g0n postfix/qmgr[3008]: done deferred queue scan
Jul 9 12:07:15 g0n postfix/qmgr[3008]: trigger_server_accept_local: trigger arrived
Jul 9 12:07:15 g0n postfix/qmgr[3008]: master_notify: status 0
Jul 9 12:07:15 g0n postfix/qmgr[3008]: request: 87 (W)
Jul 9 12:07:15 g0n postfix/qmgr[3008]: request: 0 (?)
Jul 9 12:07:15 g0n postfix/qmgr[3008]: request ignored
Jul 9 12:07:15 g0n postfix/qmgr[3008]: qmgr_scan_start: start incoming queue scan
Jul 9 12:07:15 g0n postfix/qmgr[3008]: master_notify: status 1
Jul 9 12:07:15 g0n postfix/qmgr[3008]: done incoming queue scan
Jul 9 12:07:16 g0n postfix/cleanup[26188]: rewrite stream disconnect
Jul 9 12:07:16 g0n postfix/trivial-rewrite[26190]: connection closed fd 128
Jul 9 12:07:16 g0n postfix/qmgr[3008]: rewrite stream disconnect
Jul 9 12:07:16 g0n postfix/trivial-rewrite[26190]: connection closed fd 129
And for the newbies reading this, who will need to delve more intently into it (till they become proficient and spread their wings for real in this arcane and intrigueing knowledge), the main lines are:
- Code: Select all
Jul 9 12:07:11 g0n postfix/tlsmgr[26192]: fatal: set_eugid: seteuid(0): Operation not permitted
Jul 9 12:07:11 g0n kernel: grsec: (root:U:/usr/libexec/postfix) change to uid 0 denied for /usr/libexec/postfix/tlsmgr[tlsmgr:26192] uid/euid:0/207 gid/egid:0/207, parent /usr/libexec/postfix/master[master:3006] uid/euid:0/0 gid/egid:0/0
Jul 9 12:07:12 g0n postfix/master[3006]: warning: process /usr/libexec/postfix/tlsmgr pid 26192 exit status 1
Jul 9 12:07:12 g0n postfix/master[3006]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling
See the "throttling" just above?
And above that the "change to uid 0 denied for /usr/libexec/postfix/tlsmgr"?
And further above: "fatal: set_eugid: seteuid(0): Operation not permitted"?
Actually, all the details on the three lines are important!. The first and the third is postfix writing in my /var/log/messages.
And the second is grsec telling what it denied to whom.
The thing is, I had such mail not gets sent issues before, and I knew that sometimes it goes away just if I simply restart postfix, as I did this time too, and the e-mail was then sent, but...
But there may be issues with the restarting! Will try and tell in the next post.