Bug 955189 - SELinux prevents amavisd to execute 7za
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
Reported: 2013-04-22 14:07 UTC by William Lovaton
Modified: 2014-09-30 23:34 UTC

Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Last Closed: 2013-11-21 10:23:28 UTC

Links
System: Red Hat Product Errata
ID: RHBA-2013:1598
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2013-11-20 21:39:24 UTC

Description William Lovaton 2013-04-22 14:07:10 UTC
After upgrading my gateway mail server from RHEL 6.3 to RHEL 6.4 SELinux is showing the following:

type=AVC msg=audit(1366639171.849:29610): avc:  denied  { execute } for  pid=25790 comm="amavisd" name="bash" dev=dm-0 ino=38 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1366639171.849:29610): arch=c000003e syscall=59 success=yes exit=0 a0=6310e10 a1=4f036a0 a2=6128570 a3=8 items=0 ppid=25745 pid=25790 auid=0 uid=495 gid=491 euid=495 suid=495 fsuid=495 egid=491 sgid=491 fsgid=491 tty=(none) ses=652 comm="7za" exe="/bin/bash" subj=system_u:system_r:amavis_t:s0 key=(null)


It would seem it's not letting amavis execute 7za.  The weird thing is that it was working fine in RHEL 6.3.  I'm going to create a local policy module to allow the access but I'd like to know your point of view regarding this AVC.

Thanks a lot.
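
One way to triage the two audit records above before writing a local policy module, added here as an example and not part of the original report or of any SELinux tool: it joins the AVC and SYSCALL records on their shared event ID and derives the allow rule the denial corresponds to. The function names are hypothetical; the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# The two audit records quoted in the report (same event ID).
SAMPLE = '''type=AVC msg=audit(1366639171.849:29610): avc:  denied  { execute } for  pid=25790 comm="amavisd" name="bash" dev=dm-0 ino=38 scontext=system_u:system_r:amavis_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1366639171.849:29610): arch=c000003e syscall=59 success=yes exit=0 a0=6310e10 a1=4f036a0 a2=6128570 a3=8 items=0 ppid=25745 pid=25790 auid=0 uid=495 gid=491 euid=495 suid=495 fsuid=495 egid=491 sgid=491 fsgid=491 tty=(none) ses=652 comm="7za" exe="/bin/bash" subj=system_u:system_r:amavis_t:s0 key=(null)'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+:\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{([^}]*)\}')

def parse_events(text):
    """Group audit records by event ID: {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audit record
        rtype, event_id = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == "AVC":
            p = PERMS.search(line)
            fields["perms"] = p.group(1).split() if p else []
        events[event_id][rtype] = fields
    return dict(events)

def selinux_type(context):
    """Extract the type from a user:role:type:level context."""
    return context.split(":")[2]

def summarize(event):
    """Combine the AVC with its SYSCALL record into one triage summary."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return {
        "rule": "allow %s %s:%s %s;" % (selinux_type(avc["scontext"]),
                selinux_type(avc["tcontext"]), avc["tclass"], perm_str),
        "target_name": avc.get("name"),   # file the denial was about
        "exe": sc.get("exe"),             # binary running when the syscall returned
        "comm": sc.get("comm"),
        # success=yes on a denied AVC: the access was logged, not blocked
        "blocked": sc.get("success") == "no",
    }

if __name__ == "__main__":
    for event_id, event in parse_events(SAMPLE).items():
        print(event_id, summarize(event))
```

For these records the summary shows that the object being executed is bash (type shell_exec_t), with 7za appearing only as the command name of the resulting process.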

Comment 1 Daniel Walsh 2013-04-22 14:46:02 UTC
We have this allowed in F19.

Might be an updated version of amavisd.

Miroslav, we probably should back port the other fixes in the te file.

Comment 2 William Lovaton 2013-04-22 14:52:27 UTC
Yep, you are right, EPEL updated Amavis from 2.6.4 to 2.8.0 and I applied those too after upgrading RHEL to 6.4.

Comment 3 Miroslav Grepl 2013-04-23 08:01:38 UTC
Yes, basically I want to back port

# seinfo -xtamavis_t
   TypeName antivirus_t
   Aliases
      amavis_t
      clamd_t
      freshclam_t
      clamscan_t

Comment 8 Miroslav Grepl 2013-08-06 08:03:16 UTC
I merged 

      amavis_t
      clamd_t
      freshclam_t
      clamscan_t

to antivirus_t.

Comment 11 errata-xmlrpc 2013-11-21 10:23:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

