Description of problem:
When clamav, via clamav-milter, finds a virus and it is configured to send a mail, the mail can't be sent due to an selinux error.
Version-Release number of selected component (if applicable):
clamav-milter-1.0.6-1.el9.x86_64
How reproducible:
Every time
Steps to Reproduce:
1. Postfix sends an infected mail for testing to clamav via clamav-milter
2. the clamav-milter sees the virus
3. clamav-milter tries to send the mail.
Actual results:
Sending fails with an selinux error
Expected results:
That the mail is sent.
Additional info:
It has been happening since an update, because the config was not changed, and it was working.
Errors:
clamav-milter log:
Aug 09 09:08:31 postfix/postdrop[197918]: warning: mail_queue_enter: create file maildrop/411576.197918: Permission denie
audit log:
type=AVC msg=audit(1721299325.046:7143): avc: denied { nnp_transition } for pid=190685 comm="virus-alert" scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:system_r:system_mail_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1723109567.738:5682): avc: denied { nnp_transition } for pid=170573 comm="virus-alert" scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:system_r:system_mail_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1723186607.343:6666): avc: denied { nnp_transition } for pid=197859 comm="virus-alert" scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:system_r:system_mail_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1723186691.370:6670): avc: denied { nnp_transition } for pid=197917 comm="virus-alert" scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:system_r:system_mail_t:s0 tclass=process2 permissive=1
Relevant configs:
clamav-milter:
VirusAction /usr/local/bin/virus-alert
ls -laZ /usr/local/bin/virus-alert:
-r-xr-x---. 1 clamilt root system_u:object_r:bin_t:s0 1003 8. Dez 2023 /usr/local/bin/virus-alert
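A small triage helper for the AVC records quoted in the report, as an added example that is not part of the original bug report or of clamav: it parses each denial and counts them by source type, target type, class, permission and whether the record was logged in enforcing mode. The names `parse_avc` and `summarize` are hypothetical, and `SAMPLE` is rebuilt from the four audit records above.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Rebuilt from the four AVC records in the report (timestamp, serial, pid, permissive).
CTX = "scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:system_r:system_mail_t:s0"
SAMPLE = "\n".join(
    f"type=AVC msg=audit({ts}:{serial}): avc: denied {{ nnp_transition }} for pid={pid} "
    f'comm="virus-alert" {CTX} tclass=process2 permissive={perm}'
    for ts, serial, pid, perm in [
        ("1721299325.046", 7143, 190685, 0),
        ("1723109567.738", 5682, 170573, 0),
        ("1723186607.343", 6666, 197859, 0),
        ("1723186691.370", 6670, 197917, 1),
    ]
)

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for (?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    rec["perms"] = m["perms"].split()
    rec["time"] = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
    # The type is the third colon-separated field of an SELinux context.
    rec["source"] = rec["scontext"].split(":")[2]
    rec["target"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the denial was only logged, not enforced.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec

def summarize(text):
    """Count denials per (source, target, class, permission, enforced)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["source"], rec["target"], rec["tclass"], perm, rec["enforced"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```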
clamav does not (yet) carry its own selinux policy, so I think this is going to need to be addressed at the moment in the selinux-policy package in RHEL. So I think this needs to be reported at https://issues.redhat.com.
Comment 2 Fedora Admin user for bugzilla script actions
2025-06-21 03:41:02 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.