https://bugzilla.redhat.com/show_bug.cgi?id=1029710
--- Comment #1 from Steve Tindall s10dal@elrepo.org --- Looks like this was caused by an SELinux policy issue.
With Enforcing policy, an avc denial was observed when amavisd attempted to initiate scanning of a zipped file:
type=AVC msg=audit(1385822144.846:122761): avc: denied { execute } for pid=18479 comm="amavisd" name="bash" dev=dm-0 ino=131411 scontext=system_u:system_r:amavis_t:s0
##########
Moving the system to Permissive mode allowed listing of the zipped fileā²s contents by 7za as called by amavisd. Several amavisd and 7za avc denials appeared in the audit log as a result:
type=AVC msg=audit(1385822245.350:122763): avc: denied { execute } for pid=18520 comm="amavisd" name="bash" dev=dm-0 ino=131411 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1385822245.350:122763): avc: denied { read open } for pid=18520 comm="amavisd" name="bash" dev=dm-0 ino=131411 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1385822245.502:122764): avc: denied { search } for pid=18521 comm="7za" name="/" dev=sysfs ino=1 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1385822245.502:122764): avc: denied { read } for pid=18521 comm="7za" name="cpu" dev=sysfs ino=22 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1385822245.502:122764): avc: denied { open } for pid=18521 comm="7za" name="cpu" dev=sysfs ino=22 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
##########
The Fix:
Enabling an SELinux policy boolean and implementing local amavisd SELinux policy allowed scanning of zipped files in Enforcing mode:
1) # setsebool -P antivirus_can_scan_system 1
2) # cat localamavisd.te
module localamavisd 1.0;
require { type amavis_t; type shell_exec_t; class file execute; }
#============= amavis_t ============== allow amavis_t shell_exec_t:file execute;
##########
Without the antivirus_can_scan_system boolean set, additional amavisd and 7za avc denials were observed (see above), which could be corrected using local policy, but it was much simpler to enable antivirus_can_scan_system.
With the two listed SELinux policy changes, this issue is resolved locally. It may be desirable to incorporate changes in SELinux policy module amavis 1.10.3 to globally resolve the attachment scanning issue observed here.