[Bug 1029710] Amavisd fails to identify attached zipped files with .exe extensions

https://bugzilla.redhat.com/show_bug.cgi?id=1029710



--- Comment #1 from Steve Tindall <s10dal@xxxxxxxxxx> ---
Looks like this was caused by an SELinux policy issue.

With Enforcing policy, an avc denial was observed when amavisd attempted to
initiate scanning of a zipped file:

 type=AVC msg=audit(1385822144.846:122761): avc:  denied  { execute } for 
pid=18479 comm="amavisd" name="bash" dev=dm-0 ino=131411
scontext=system_u:system_r:amavis_t:s0

##########

Moving the system to Permissive mode allowed listing of the zipped file's
contents by 7za as called by amavisd. Several amavisd and 7za avc denials
appeared in the audit log as a result:

 type=AVC msg=audit(1385822245.350:122763): avc:  denied  { execute } for 
pid=18520 comm="amavisd" name="bash" dev=dm-0 ino=131411
scontext=system_u:system_r:amavis_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

 type=AVC msg=audit(1385822245.350:122763): avc:  denied  { read open } for 
pid=18520 comm="amavisd" name="bash" dev=dm-0 ino=131411
scontext=system_u:system_r:amavis_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

 type=AVC msg=audit(1385822245.502:122764): avc:  denied  { search } for 
pid=18521 comm="7za" name="/" dev=sysfs ino=1
scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0
tclass=dir

 type=AVC msg=audit(1385822245.502:122764): avc:  denied  { read } for 
pid=18521 comm="7za" name="cpu" dev=sysfs ino=22
scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0
tclass=dir

 type=AVC msg=audit(1385822245.502:122764): avc:  denied  { open } for 
pid=18521 comm="7za" name="cpu" dev=sysfs ino=22
scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0
tclass=dir

##########

The Fix:

Enabling an SELinux policy boolean and implementing local amavisd SELinux
policy allowed scanning of zipped files in Enforcing mode:

1)  # setsebool -P antivirus_can_scan_system 1

2)  # cat localamavisd.te

    module localamavisd 1.0;

    require {
        type amavis_t;
        type shell_exec_t;
        class file execute;
    }

    #============= amavis_t ==============
    allow amavis_t shell_exec_t:file execute;

##########

Without the antivirus_can_scan_system boolean set, additional amavisd and 7za
avc denials were observed (see above), which could be corrected using local
policy, but it was much simpler to enable antivirus_can_scan_system.

With the two listed SELinux policy changes, this issue is resolved locally. It
may be desirable to incorporate changes in SELinux policy module amavis 1.10.3
to globally resolve the attachment scanning issue observed here.

Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
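Added example, not part of the bug report and not code from the amavis or SELinux reference policy projects: a POSIX sh script that turns AVC denial records like the ones quoted in the comment into a local policy module (the same transformation `audit2allow -M` performs), then builds, installs and checks it. The denial records are re-joined onto one line each from the comment's wrapped output and embedded as constructed sample input; the function names `avc_to_te`, `install_module` and `verify_module` are this example's own, and the install and verify steps assume `checkpolicy`, `policycoreutils` and `setools` on a real SELinux host (only the generator runs here).

```shell
#!/bin/sh
# Added example: generate a local SELinux policy module from AVC denials,
# then build, install and verify it. Not the bug report's own code.

# Constructed input: the permissive-mode denials from the report, each
# record re-joined onto a single line as auditd actually writes it.
SAMPLE_AVC='type=AVC msg=audit(1385822245.350:122763): avc:  denied  { execute } for  pid=18520 comm="amavisd" name="bash" dev=dm-0 ino=131411 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1385822245.350:122763): avc:  denied  { read open } for  pid=18520 comm="amavisd" name="bash" dev=dm-0 ino=131411 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1385822245.502:122764): avc:  denied  { search } for  pid=18521 comm="7za" name="/" dev=sysfs ino=1 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1385822245.502:122764): avc:  denied  { read } for  pid=18521 comm="7za" name="cpu" dev=sysfs ino=22 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1385822245.502:122764): avc:  denied  { open } for  pid=18521 comm="7za" name="cpu" dev=sysfs ino=22 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir'

# avc_to_te NAME < denials : print a .te module named NAME on stdout.
# One allow rule per (source type, target type, class), permissions
# merged across records and deduplicated, plus a matching require block.
avc_to_te() {
    awk -v name="$1" '
    /avc: *denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)      # keep "{ read open }" contents
        sub(/ *[}].*/, "", perms)
        match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
        match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
        st = s[3]; tt = t[3]                   # user:role:TYPE:level -> TYPE
        key = st " " tt ":" cls
        if (!(key in order)) { order[key] = ++nkeys; keys[nkeys] = key }
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) {
            if ((key, p[i]) in seen) continue
            seen[key, p[i]] = 1
            rule[key] = rule[key] " " p[i]
            if (!((cls, p[i]) in cseen)) { cseen[cls, p[i]] = 1; cperm[cls] = cperm[cls] " " p[i] }
        }
        if (!(st in tseen))  { tseen[st] = 1;  tlist[++nt] = st }
        if (!(tt in tseen))  { tseen[tt] = 1;  tlist[++nt] = tt }
        if (!(cls in clseen)) { clseen[cls] = 1; clist[++nc] = cls }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (i = 1; i <= nt; i++) printf "    type %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "    class %s {%s };\n", clist[i], cperm[clist[i]]
        printf "}\n\n"
        for (i = 1; i <= nkeys; i++) printf "allow %s {%s };\n", keys[i], rule[keys[i]]
    }'
}

# install_module NAME : compile NAME.te and load it (root, SELinux host).
install_module() {
    checkmodule -M -m -o "$1.mod" "$1.te"
    semodule_package -o "$1.pp" -m "$1.mod"
    semodule -i "$1.pp"
}

# verify_module NAME : confirm the boolean, the loaded module, and that the
# rule the report needed (amavis_t executing shell_exec_t) is now present.
verify_module() {
    getsebool antivirus_can_scan_system
    semodule -l | grep "^$1"
    sesearch -A -s amavis_t -t shell_exec_t -c file -p execute
}

# On a real host the input would come from the audit log instead, e.g.:
#   ausearch -m AVC -c amavisd -ts recent | avc_to_te localamavisd > localamavisd.te
#   ausearch -m AVC -c 7za -ts recent     | avc_to_te localamavisd7za > localamavisd7za.te
printf '%s\n' "$SAMPLE_AVC" | avc_to_te localamavisd
```

Run against the sample the generator emits rules for both `amavis_t shell_exec_t:file { execute read open }` and `amavis_t sysfs_t:dir { search read open }`, which is wider than the comment's hand-written module. That is the point of the author's ordering: set `antivirus_can_scan_system` first, which covers the sysfs denials, re-run the scan, and generate local policy only from what is still denied in Enforcing mode, so the module stays as narrow as the single `execute` rule the report ended up with.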