[Bug 1029710] Amavisd fails to identify attached zipped files with .exe extensions

[bugzilla]

https://bugzilla.redhat.com/show_bug.cgi?id=1029710



--- Comment #1 from Steve Tindall <s10...@elrepo.org> ---
Looks like this was caused by an SELinux policy issue.

With Enforcing policy, an avc denial was observed when amavisd attempted to
initiate scanning of a zipped file:

 type=AVC msg=audit(1385822144.846:122761): avc:  denied  { execute } for 
pid=18479 comm="amavisd" name="bash" dev=dm-0 ino=131411
scontext=system_u:system_r:amavis_t:s0

##########

Moving the system to Permissive mode allowed listing of the zipped file′s
contents by 7za as called by amavisd. Several amavisd and 7za avc denials
appeared in the audit log as a result:

 type=AVC msg=audit(1385822245.350:122763): avc:  denied  { execute } for 
pid=18520 comm="amavisd" name="bash" dev=dm-0 ino=131411
scontext=system_u:system_r:amavis_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

 type=AVC msg=audit(1385822245.350:122763): avc:  denied  { read open } for 
pid=18520 comm="amavisd" name="bash" dev=dm-0 ino=131411
scontext=system_u:system_r:amavis_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

 type=AVC msg=audit(1385822245.502:122764): avc:  denied  { search } for 
pid=18521 comm="7za" name="/" dev=sysfs ino=1
scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0
tclass=dir

 type=AVC msg=audit(1385822245.502:122764): avc:  denied  { read } for 
pid=18521 comm="7za" name="cpu" dev=sysfs ino=22
scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0
tclass=dir

 type=AVC msg=audit(1385822245.502:122764): avc:  denied  { open } for 
pid=18521 comm="7za" name="cpu" dev=sysfs ino=22
scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0
tclass=dir

##########

The Fix:

Enabling an SELinux policy boolean and implementing local amavisd SELinux
policy allowed scanning of zipped files in Enforcing mode:

1)  # setsebool -P antivirus_can_scan_system 1

2)  # cat localamavisd.te

    module localamavisd 1.0;

    require {
        type amavis_t;
        type shell_exec_t;
        class file execute;
    }

    #============= amavis_t ==============
    allow amavis_t shell_exec_t:file execute;

##########

Without the antivirus_can_scan_system boolean set, additional amavisd and 7za
avc denials were observed (see above), which could be corrected using local
policy, but it was much simpler to enable antivirus_can_scan_system.

With the two listed SELinux policy changes, this issue is resolved locally. It
may be desirable to incorporate changes in SELinux policy module amavis 1.10.3
to globally resolve the attachment scanning issue observed here.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug 
https://bugzilla.redhat.com/token.cgi?t=GBfRVrBd6Z&a=cc_unsubscribe
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/perl-devel