> On Jul 13, 2018, at 14:47, Andreas Büthe <[email protected]> wrote:
>
> The version used is 'amavisd-new 2.11.0-2el7' (CentOS 7 from epel) without
> chroot. I checked basics like the suid bit on /usr/bin/sudo, the filesystem (/)
> where /usr resides is not mounted 'nosuid', SELinux is currently disabled
> for testing purposes, etc.
> I somehow assume that my problem has to do with the read-only filesystem
> remounts in the amavis worker.
The systemd unit file from epel has some interesting security settings.

/usr/lib/systemd/system/amavisd.service:

    #the bounding set is reset to the empty capability set
    CapabilityBoundingSet=
    #mounts /usr /boot /etc directories read-only for processes invoked by this unit
    ProtectSystem=full
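As an added example (not part of either message above), the following script parses the [Service] section of a unit file and reports which of the two quoted hardening directives would keep a setuid helper such as /usr/bin/sudo from doing its job; the embedded unit text is a constructed excerpt, not the full EPEL file.

```python
from typing import Dict, List

# Constructed excerpt (not the complete EPEL unit); the two hardening
# directives and their comments are the ones quoted in the thread.
SAMPLE_UNIT = """\
[Unit]
Description=Amavisd-new Virus Scanner interface

[Service]
Type=forking
#the bounding set is reset to the empty capability set
CapabilityBoundingSet=
#mounts /usr /boot /etc directories read-only for processes invoked by this unit
ProtectSystem=full
"""

# ProtectSystem= values and the trees they make read-only for the service.
# "strict" makes the whole hierarchy read-only except /dev, /proc and /sys;
# newer systemd releases also protect /efi next to /boot.
PROTECT_SYSTEM = {
    "no": [], "false": [], "0": [],
    "yes": ["/usr", "/boot"], "true": ["/usr", "/boot"], "1": ["/usr", "/boot"],
    "full": ["/usr", "/boot", "/etc"],
    "strict": ["/ (everything except /dev, /proc, /sys)"],
}


def parse_service_section(unit_text: str) -> Dict[str, List[str]]:
    """Collect [Service] directives in order. systemd lets a key repeat and
    treats an empty assignment as a reset, so each key maps to a list."""
    section, out = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out[key] = [] if value == "" else out.get(key, []) + [value]
    return out


def setuid_blockers(directives: Dict[str, List[str]]) -> List[str]:
    """Explain why a setuid-root helper cannot work under these directives:
    no capabilities to gain, and system trees mounted read-only."""
    reasons = []
    if "CapabilityBoundingSet" in directives and not directives["CapabilityBoundingSet"]:
        reasons.append("CapabilityBoundingSet is empty: a setuid-root binary "
                       "becomes uid 0 but cannot gain any capability")
    protect = directives.get("ProtectSystem")
    if protect and PROTECT_SYSTEM.get(protect[-1].lower()):   # last value wins
        reasons.append(f"ProtectSystem={protect[-1]}: read-only "
                       + ", ".join(PROTECT_SYSTEM[protect[-1].lower()]))
    return reasons


if __name__ == "__main__":
    for reason in setuid_blockers(parse_service_section(SAMPLE_UNIT)):
        print(reason)
```

On a live host the same directives can be read from the running unit with `systemctl show -p CapabilityBoundingSet -p ProtectSystem amavisd.service` and fed to the same checks.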
