26

Re: iRedMail and SELinux

alm wrote:

Did you try to send e-mail using Roundcube already?

Yea, I even successfully transferred mail between my RockyLinux mail server and the Oracle mail server. On both sides the httpd_can_sendmail and httpd_can_network_connect_db were turned off. Still no message for those Booleans. It seems like there is some super specific action that requires those two to be on.


27

Re: iRedMail and SELinux

The list shown with 'sesearch -A -b nis_enabled' is VERY LONG indeed, if I grep dovecot it's still quite long...

28

Re: iRedMail and SELinux

alm wrote:

The list shown with 'sesearch -A -b nis_enabled' is VERY LONG indeed, if I grep dovecot it's still quite long...

If your goal is security then you should either use semanage or make a custom policy in order to fix the problems. It is way more specific and secure than nis_enabled. On the other hand if you don't care that much just use nis_enabled.

I managed to run dovecot without problems with the following setup:

semanage port -a -t mail_port_t -p tcp 24242
semanage port -a -t mail_port_t -p tcp 12340

so I'm gonna stick with it.

29

Re: iRedMail and SELinux

- iRedMail version (check /etc/iredmail-release): 1.5.2
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: RockyLinux 8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No


Dethwalker,

I want to thank you very much for this primer. I was long ago able to get everything running with SELinux enforcing using sealert EXCEPT amavisd in Rocky. I was toggling setenforce on and off, and booting up in permissive until I used:

semanage port -m -t amavisd_recv_port_t -p tcp 10027
semanage port -m -t amavisd_recv_port_t -p tcp 10026

I was dogging the PID location error all this time.

Thank you for your work and clear discourse on this.

- Montanelli




thedethwalker wrote:

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.5.1
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: RockyLinux 8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello, I just want to report that I was able to run iRedMail with SELinux in enforcing mode.
I haven't tested everything but I was able to create new users and send mail between them without any errors. With this setup SELinux logs were clean.
Here are the things that I had to do:

#ClamAV Antivirus
setsebool -P antivirus_can_scan_system 1

#dovecot
semanage port -a -t mail_port_t -p tcp 24242
semanage port -a -t mail_port_t -p tcp 12340
chcon -R -t mail_home_rw_t /var/vmail
semanage fcontext --add --type mail_home_rw_t --range s0 '/var/vmail(/.*)?'

#nginx
setsebool -P httpd_can_network_connect 1

#Amavis
semanage port -m -t amavisd_recv_port_t -p tcp 10027
semanage port -m -t amavisd_recv_port_t -p tcp 10026

#fail2ban (THIS IS ONLY IF YOU HAVE INSTALLED iRedMail AS root)
#create a file named my-fail2ban.te with these contents:

module my-fail2ban 1.0;

require {
        type fail2ban_t;
        type admin_home_t;
        type mysqld_home_t;
        type mysqld_port_t;
        class file getattr;
        class file { open read };
        class tcp_socket name_connect;
}

#============= fail2ban_t ==============
allow fail2ban_t admin_home_t:file getattr;
allow fail2ban_t mysqld_home_t:file getattr;
allow fail2ban_t admin_home_t:file { open read };
allow fail2ban_t mysqld_port_t:tcp_socket name_connect;

# and then run these commands:

checkmodule -M -m -o my-fail2ban.mod my-fail2ban.te
semodule_package -o my-fail2ban.pp -m my-fail2ban.mod
semodule -i my-fail2ban.pp


That is it.
I know that it is not a good idea to install iRedMail as root user. I was just testing stuff. I will post a solution for a sudo user as well, I just need to do a little more testing. I suspect that not all the problems with SELinux and iRedMail are covered, but more testing is needed so that AVC messages can be generated and analyzed. I could even make a script. Hope this helps.
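A small helper, added here as an example and not taken from thedethwalker's or Montanelli's posts, for the one detail that bit both posts 28 and 29 above: `semanage port -a` refuses a port that already has an exact entry in the policy ("already defined"), while `semanage port -m` refuses one that does not, which is why dovecot's 24242/12340 needed `-a` and amavisd's 10026/10027 needed `-m` on those systems. Instead of toggling between the two by trial and error, read `semanage port -l` and pick the verb from it. The function names and the abbreviated listing below are my own; the listing is constructed for the example (in it 10026/10027 are not yet defined, so they come out as `-a`), and on a real box you would pass `"$(semanage port -l)"` instead.

```sh
#!/bin/sh
# Added example: choose between `semanage port -a` and `semanage port -m`
# from a `semanage port -l` listing before labelling a port.
#
# Constructed, abbreviated `semanage port -l` listing (not captured from any
# poster's server). No local customisations are present, so 24242, 12340,
# 10026 and 10027 all take the "add" branch here.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

amavisd_recv_port_t            tcp      10024
amavisd_send_port_t            tcp      10025
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mail_port_t                    tcp      2000, 3905
mysqld_port_t                  tcp      1186, 3306, 63132-63164
pop_port_t                     tcp      106, 109, 110, 143, 220, 993, 995, 1109
smtp_port_t                    tcp      25, 465, 587
unreserved_port_t              tcp      1024-32767, 61000-65535'

# port_owner LISTING PROTO PORT
# Print the type that has an exact single-port entry for PROTO/PORT, or nothing.
# A port covered only by a range (e.g. unreserved_port_t 1024-32767) has no
# entry of its own, so it is reported as unowned and `-a` is still the verb.
port_owner() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR > 1 && NF >= 3 && $2 == proto {
            # fields 3..NF are the comma-separated ports or low-high ranges
            for (i = 3; i <= NF; i++) {
                p = $i
                gsub(",", "", p)
                if (p == port) { print $1; exit }
            }
        }'
}

# port_action LISTING TYPE PROTO PORT -> add | modify | keep
#   add     no entry exists:         `semanage port -a` succeeds
#   modify  another type owns it:    `-a` fails with "already defined", use `-m`
#   keep    already labelled TYPE:   nothing to do, so re-runs are idempotent
port_action() {
    owner=$(port_owner "$1" "$3" "$4")
    if [ -z "$owner" ]; then
        echo add
    elif [ "$owner" = "$2" ]; then
        echo keep
    else
        echo modify
    fi
}

# port_command LISTING TYPE PROTO PORT
# Print the semanage command to run, or nothing when the label is already right.
port_command() {
    case $(port_action "$1" "$2" "$3" "$4") in
        add)    echo "semanage port -a -t $2 -p $3 $4" ;;
        modify) echo "semanage port -m -t $2 -p $3 $4" ;;
        keep)   ;;
    esac
}

# Stand-alone demo with the ports from the posts above. On a real server use
# "$(semanage port -l)" in place of SAMPLE_PORT_LIST and pipe the output to sh.
for spec in "mail_port_t tcp 24242" "mail_port_t tcp 12340" \
            "amavisd_recv_port_t tcp 10026" "amavisd_recv_port_t tcp 10027"; do
    set -- $spec
    port_command "$SAMPLE_PORT_LIST" "$1" "$2" "$3"
done
```

After running the emitted commands, `semanage port -l -C` lists only the local additions, which is the quickest way to confirm the two dovecot lines and the two amavisd lines were actually recorded. For the `/var/vmail` labelling in the same post, `semanage fcontext -a` followed by `restorecon -Rv /var/vmail` gives the same result as the `chcon` line and survives a relabel, so the separate `chcon` is not needed once the fcontext rule exists.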

30

Re: iRedMail and SELinux

montanelli wrote:

Thank you for your work and clear discourse on this.

- Montanelli

I'm glad I could be of help.

31

Re: iRedMail and SELinux

thedethwalker wrote:
alm wrote:

The list shown with 'sesearch -A -b nis_enabled' is VERY LONG indeed, if I grep dovecot it's still quite long...

If your goal is security then you should either use semanage or make a custom policy in order to fix the problems. It is way more specific and secure than nis_enabled. On the other hand if you don't care that much just use nis_enabled.

I managed to run dovecot without problems with the following setup:

semanage port -a -t mail_port_t -p tcp 24242
semanage port -a -t mail_port_t -p tcp 12340

so I'm gonna stick with it.

I've also disabled nis_enabled and added the two rules as above. So far no issues in the last couple of weeks.

32

Re: iRedMail and SELinux

alm wrote:

I've also disabled nis_enabled and added the two rules as above. So far no issues in the last couple of weeks.

That's some good news.