https://bugzilla.redhat.com/show_bug.cgi?id=1029710
Steve Tindall s10dal@elrepo.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(s10dal@elrepo.org |
                   |)                           |

--- Comment #4 from Steve Tindall s10dal@elrepo.org ---
The initial "Description" (see above) may cause some confusion as to what bug I am describing. Initially, I did not recognize the failure of amavisd to run 7za as a SELinux denial and then in Comment 1 described the AVC denial issues causing the failure of 7za to list the contents of the zipped file.
On a macro level, I define the bug as amavisd failing to quarantine a mail with a zipped exe attachment under SELinux Enforcing Policy.
By failure to reproduce the bug, do you mean that you created a zipped exe file (as detailed above in Description), attached it to a mail, sent the mail and observed the mail being quarantined/rejected under Enforcing Policy?
Also, the sender should get a rejection notice and a maillog entry containing "...Blocked BANNED (.asc,contains_zip.exe)..." or similar text should be present.
Yes, localamavisd is the local SELinux policy described in Comment 1 that allows 7za to be called by amavisd. With localamavisd installed under Enforcing Policy, mail with a zipped exe attachment is quarantined, whereas with localamavisd removed, the mail is transmitted without being quarantined.
Other info:
# rpm -q amavisd-new p7zip selinux-policy selinux-policy-targeted
amavisd-new-2.8.0-8.el6.noarch
p7zip-9.20.1-2.el6.i686
selinux-policy-3.7.19-231.el6_5.3.noarch
selinux-policy-targeted-3.7.19-231.el6_5.3.noarch

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted