Topic: iRedMail and SELinux
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.1
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: Rocky Linux 8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
iRedMail is installed with SELinux disabled, but enabling SELinux improves the security of the mail server, so I enable it after the iRedMail installation. Here is how I do it; maybe someone will find it useful.
I use the following configuration: Rocky Linux 8.6 x86_64, mail accounts stored in LDAP, nginx as the web server, and mlmmj and netdata not used. If your configuration differs, your mileage may vary.
First of all I switch SELinux over to permissive mode. It can be done by replacing the line
SELINUX=disabled
with the line
SELINUX=permissive
in /etc/selinux/config and rebooting. Expect the first boot to relabel the whole filesystem, since files created while SELinux was disabled carry no labels; on a large mail store this takes a while. SELinux is still not enforcing, but every denial is now logged to /var/log/audit/audit.log exactly as it would be in enforcing mode, so the policy can be fixed without breaking mail flow. After that I set
sudo setsebool -P antivirus_can_scan_system on
sudo setsebool -P domain_can_mmap_files on
sudo setsebool -P nis_enabled on
Here -P writes each boolean to the policy store so it survives reboots. Note that nis_enabled and domain_can_mmap_files loosen the policy for every confined domain, not only the mail daemons, so keep them in mind when reviewing later denials.
For dovecot and postfix to work with the mail store, following the hint at
http://bubnov-pi.blogspot.com/2014/06/s … vecot.html I execute the commands
sudo semanage fcontext -a -t mail_home_rw_t "/var/vmail/vmail1(/.*)?"
sudo restorecon -v -r /var/vmail/vmail1
Since the script /usr/local/bin/fail2ban_banned_db is used, we need to add the appropriate SELinux module:
$ cat > fail2ban_banned_db.te << EOF
module fail2ban_banned_db 1.0;
require {
type admin_home_t;
type hostname_exec_t;
type mysqld_home_t;
type mysqld_port_t;
type fail2ban_t;
class file { execute execute_no_trans getattr open read };
class tcp_socket name_connect;
}
#============= fail2ban_t ==============
allow fail2ban_t admin_home_t:file { getattr open read };
allow fail2ban_t hostname_exec_t:file { execute execute_no_trans getattr open read };
allow fail2ban_t mysqld_home_t:file getattr;
allow fail2ban_t mysqld_port_t:tcp_socket name_connect;
EOF
To compile and install this module, I run:
$ bash install_module fail2ban_banned_db
where
$ cat > install_module << 'EOF'
#!/bin/sh
#
# install_module reads some-module.te, compiles it and installs it into the SELinux policy.
# (The heredoc delimiter above is quoted so that $1 and $(id -u) are written
# literally instead of being expanded by the shell while creating this file.)
#
# USAGE:
# bash install_module some-module
#
set -eu
[ "$#" -eq 1 ] || { printf 'usage: %s some-module\n' "$0" >&2; exit 1; }
if [ "$(id -u)" -eq 0 ]; then printf '%s\n' "DO NOT run this as root" >&2; exit 1; fi
# -M builds the module for an MLS/MCS-enabled policy, as used by the RHEL targeted policy
checkmodule -M -m -o "$1.mod" "$1.te"
semodule_package -o "$1.pp" -m "$1.mod"
sudo semodule -i "$1.pp"
EOF
SELinux prevents amavisd from starting, with the diagnostic
Can't connect to TCP port 10026 on 127.0.0.1 [Permission denied]
To fix it, I add the SELinux module below (see https://bugs.centos.org/view.php?id=14439):
$ cat > selinux-amavisd-tcp.te << EOF
module selinux-amavisd-tcp 1.0;
require {
type antivirus_t;
type spamd_port_t;
class tcp_socket { name_bind name_connect };
}
#============= antivirus_t ==============
allow antivirus_t spamd_port_t:tcp_socket { name_bind name_connect };
EOF
To install the module, I run
$ bash install_module selinux-amavisd-tcp
To check the audit log for SELinux denials you may run
sudo ausearch -i -m AVC -ts 'date' 'time'
where 'date' and 'time' are the date and time, in your locale's format, from which the search starts (ausearch also accepts keywords such as today, recent and this-week in place of an explicit date). After a week without SELinux denials, I switched SELinux over to enforcing mode by replacing the line
SELINUX=permissive
in the file /etc/selinux/config with the line
SELINUX=enforcing
and running
$ sudo setenforce 1
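As an added example (not part of the original post, and not an iRedMail or SELinux project tool), here is a small shell script that condenses audit.log denials into the candidate allow rules they imply, the way audit2allow does, so you can see what a week of permissive-mode logging actually accumulated before turning it into a .te module. It assumes the raw audit.log record format (ausearch without -i, or with -r). The AVC lines it feeds itself are constructed to mirror the denials discussed above; the process names, PIDs, inode numbers and the /root/example.cnf path are made up and not copied from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): condense raw AVC denials
# from /var/log/audit/audit.log into the allow rules they would need,
# i.e. a minimal audit2allow. Assumes the raw (non -i) audit.log format;
# the sample lines below are constructed, not copied from a real server.

# Print constructed AVC records that mirror the denials discussed in the post,
# plus one non-AVC record and one duplicate to show filtering and dedup.
sample_avc_lines() {
    cat <<'EOF'
type=SYSCALL msg=audit(1660000000.123:456): arch=c000003e syscall=42 success=yes exit=0 comm="amavisd" exe="/usr/bin/perl"
type=AVC msg=audit(1660000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="amavisd" dest=10026 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1660000000.456:457): avc:  denied  { name_bind } for  pid=1234 comm="amavisd" src=10026 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1660000001.789:458): avc:  denied  { name_connect } for  pid=2345 comm="fail2ban_banned" dest=3306 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1660000002.012:459): avc:  denied  { read open } for  pid=2345 comm="fail2ban_banned" path="/root/example.cnf" dev="dm-0" ino=1234 scontext=system_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1660000002.345:460): avc:  denied  { read open } for  pid=2345 comm="fail2ban_banned" path="/root/example.cnf" dev="dm-0" ino=1234 scontext=system_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
EOF
}

# Read raw audit records on stdin; print one "allow ..." line per
# (source type, target type, object class), with the permissions merged.
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        # permissions are the words inside the first { ... }
        if (!match($0, /\{[^}]*\}/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            # the type is the third colon-separated field of a context
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print s, t, c, p[j]
    }' |
    LC_ALL=C sort -u |
    awk '
    function emit() { if (prev != "") print "allow " prev " { " perms " };" }
    {
        key = $1 " " $2 ":" $3
        if (key != prev) { emit(); prev = key; perms = "" }
        perms = perms (perms == "" ? "" : " ") $4
    }
    END { emit() }'
}

# Demo on the constructed records. On a real host use instead:
#   sudo ausearch -m AVC -ts this-week -r | summarize_avc
sample_avc_lines | summarize_avc
```

On a real host feed it the output of `sudo ausearch -m AVC -ts this-week -r` instead of the sample function, and compare the result with what `audit2allow -a` prints before writing a .te file. Treat the output as a list of things to review rather than rules to install blindly: a denial on admin_home_t, for instance, may be better fixed by moving the file out of /root and relabeling it than by granting fail2ban_t read access to everything under /root.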