==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.5.1
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: RockyLinux 8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello, I just want to report that I was able to run iRedMail with SELinux in enforcing mode.
I haven't tested everything but I was able to create new users and send mail between them without any errors. With this setup SELinux logs were clean.
Here are the things that I had to do:

#ClamAV Antivirus
setsebool -P antivirus_can_scan_system 1

#dovecot
semanage port -a -t mail_port_t -p tcp 24242
semanage port -a -t mail_port_t -p tcp 12340
chcon -R -t mail_home_rw_t /var/vmail
semanage fcontext --add --type mail_home_rw_t --range s0 '/var/vmail(/.*)?'

#nginx
setsebool -P httpd_can_network_connect 1

#Amavis
semanage port -m -t amavisd_recv_port_t -p tcp 10027
semanage port -m -t amavisd_recv_port_t -p tcp 10026

#fail2ban (THIS IS ONLY IF YOU HAVE INSTALLED iRedMal AS root)
#create a file named my-fail2ban.te with these contents:

module my-fail2ban 1.0;

require {
        type fail2ban_t;
        type admin_home_t;
        type mysqld_home_t;
        type mysqld_port_t;
        class file getattr;
        class file { open read };
        class tcp_socket name_connect;
}

#============= fail2ban_t ==============
allow fail2ban_t admin_home_t:file getattr;
allow fail2ban_t mysqld_home_t:file getattr;
allow fail2ban_t admin_home_t:file { open read };
allow fail2ban_t mysqld_port_t:tcp_socket name_connect;

# and then run these commands:

checkmodule -M -m -o my-fail2ban.mod my-fail2ban.te
semodule_package -o my-fail2ban.pp -m my-fail2ban.mod
semodule -i my-fail2ban.pp

That is it.
I know that it is not a good idea to install iRedMail as root user. I was just testing stuff. I will post a solution for a sudo user as well, I just need to do a little more testing. I suspect that not all the problems with SELinux and iRedMail are covered, but more testing is needed so that AVC messages can be generated and analyzed. I could even make a script. Hope this helps.

alm wrote:

The list shown with 'sesearch -A -b nis_enabled' is VERY LONG indeed, if I grep dovecot it's still quite long...

If your goal is security then you should either use semanage or make a custom policy in order to fix the problems. It is way more specific and secure than nis_enabled. On the other hand if you don't care that much just use nis_enabled.

I managed to run dovecot without problems with the following setup:

semanage port -a -t mail_port_t -p tcp 24242
semanage port -a -t mail_port_t -p tcp 12340

so I'm gonna stick with it.