1

Topic: iRedMail and SELinux

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.5.1
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: RockyLinux 8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello, I just want to report that I was able to run iRedMail with SELinux in enforcing mode.
I haven't tested everything, but I was able to create new users and send mail between them without any errors. With this setup the SELinux logs were clean.
Here are the things that I had to do:

#ClamAV Antivirus
setsebool -P antivirus_can_scan_system 1

#dovecot
semanage port -a -t mail_port_t -p tcp 24242
semanage port -a -t mail_port_t -p tcp 12340
chcon -R -t mail_home_rw_t /var/vmail
semanage fcontext --add --type mail_home_rw_t --range s0 '/var/vmail(/.*)?'

#nginx
setsebool -P httpd_can_network_connect 1

#Amavis
semanage port -m -t amavisd_recv_port_t -p tcp 10027
semanage port -m -t amavisd_recv_port_t -p tcp 10026

#fail2ban (THIS IS ONLY IF YOU HAVE INSTALLED iRedMail AS root)
#create a file named my-fail2ban.te with these contents:

module my-fail2ban 1.0;

require {
        type fail2ban_t;
        type admin_home_t;
        type mysqld_home_t;
        type mysqld_port_t;
        class file { getattr open read };
        class tcp_socket name_connect;
}

#============= fail2ban_t ==============
# stat() and read files under /root (admin_home_t), stat() files in the MySQL home (mysqld_home_t)
allow fail2ban_t admin_home_t:file { getattr open read };
allow fail2ban_t mysqld_home_t:file getattr;
# connect to the local MySQL TCP port (mysqld_port_t)
allow fail2ban_t mysqld_port_t:tcp_socket name_connect;

# and then run these commands:

checkmodule -M -m -o my-fail2ban.mod my-fail2ban.te
semodule_package -o my-fail2ban.pp -m my-fail2ban.mod
semodule -i my-fail2ban.pp


That is it.
I know that it is not a good idea to install iRedMail as the root user. I was just testing stuff. I will post a solution for a sudo user as well; I just need to do a little more testing. I suspect that not all the problems with SELinux and iRedMail are covered, but more testing is needed so that AVC messages can be generated and analyzed. I could even make a script. Hope this helps.


2

Re: iRedMail and SELinux

Here is the script:

https://github.com/dethwalker/iredmail-selinux.git

Cheers!

3

Re: iRedMail and SELinux

Just found a SELinux problem. SELinux is preventing logrotate from rotating netdata's log (it is a daily cron job). Here is the fix:

chcon -R -t var_log_t /opt/netdata/var/log/netdata
semanage fcontext -a -t var_log_t "/opt/netdata/var/log/netdata(/.*)?"

I'll add it to the script on GitHub in a second.

4

Re: iRedMail and SELinux

Hi, very helpful information. I was busy with audit2allow to catch the policy items needed to make SELinux work in enforcing mode. I've not been busy with configuration of SELinux before and was already happy that audit2allow makes it easier, but it's quite time-consuming even that way, because you won't catch what does not happen, and it will cause failures later when enforcing is on.

I'm just wondering about the /var/vmail subfolders, because they are not all used by dovecot, AFAIK. It seems only public, sieve and vmail1 folder should be accessible by dovecot, is that right?
There's also the backup folder, mlmmj and mlmmj-archive folder for which I wonder what the correct fcontext should be. If dovecot doesn't need it I don't want it to be able to access it.

I will check tomorrow what 'ausearch -m avc' and 'audit2allow -w -i /var/log/audit/audit.log' make of it now that I applied the fcontext to /var/mail, /var/vmail/vmail1, /var/vmail/public and /var/vmail/sieve but not the others.
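The `audit2allow -w` pass described above and the my-fail2ban.te module in the first post are two ends of the same workflow: an AVC record names a source type, a target type, an object class and the denied permissions, and an allow rule has to cover exactly that tuple. The following is an added example, not code from the thread or from iRedMail, that extracts those tuples from raw audit records and renders them as a .te module in the same shape as my-fail2ban.te. The SAMPLE_AVC records are constructed for this example, not captured from a real host, and the comm/path values in them are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: turn raw AVC records (from
# /var/log/audit/audit.log or `ausearch -m avc`) into the
# "source_type target_type class permissions" tuples that an allow rule has to
# cover, then render them as a .te module in the same shape as my-fail2ban.te.
# SAMPLE_AVC is constructed for this example, not captured from a real host.

SAMPLE_AVC='type=AVC msg=audit(1644481234.101:301): avc:  denied  { name_connect } for  pid=1201 comm="fail2ban-server" dest=3306 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1644481234.102:302): avc:  denied  { read open } for  pid=1201 comm="fail2ban-server" path="/root/example.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1644481300.500:310): avc:  denied  { name_bind } for  pid=1400 comm="dovecot" src=24242 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1644481300.501:311): avc:  denied  { name_bind } for  pid=1400 comm="dovecot" src=24242 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1644481300.501:311): arch=c000003e syscall=49 success=no exit=-13 comm="dovecot"'

# avc_tuples: stdin -> one "src_type tgt_type class perm [perm...]" line per denial
avc_tuples() {
  awk '
    /^type=AVC / && / denied / {
      src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:TYPE[:level]
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      # the denied permissions are the words between "{" and "}"
      s = index($0, "{"); e = index($0, "}")
      perms = substr($0, s + 1, e - s - 1)
      gsub(/^ +| +$/, "", perms)
      print src, tgt, cls, perms
    }'
}

# avc_summary: distinct tuples with hit counts, most frequent first
avc_summary() { avc_tuples | sort | uniq -c | sort -rn; }

# avc_count: number of distinct tuples
avc_count() { avc_tuples | sort -u | wc -l | tr -d ' '; }

# avc_to_te NAME: tuples on stdin -> a loadable .te module (build it with
# checkmodule -M -m / semodule_package / semodule -i, as in the first post).
# Review the output before loading it: a denial against a *_port_t type is
# usually better fixed with `semanage port`, and some denials are covered by a
# boolean (`audit2allow -w` names those), which a blanket allow rule would hide.
avc_to_te() {
  awk -v mod="$1" '
    function perms_for(arr, key,   k, kk, out) {
      for (k in arr) { split(k, kk, SUBSEP); if (kk[1] == key) out = out " " kk[2] }
      return out
    }
    {
      types[$1] = 1; types[$2] = 1; classes[$3] = 1
      rule = $1 " " $2 ":" $3; rules[rule] = 1
      for (i = 4; i <= NF; i++) { cperm[$3, $i] = 1; rperm[rule, $i] = 1 }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", mod
      for (t in types) printf "\ttype %s;\n", t
      for (c in classes) printf "\tclass %s {%s };\n", c, perms_for(cperm, c)
      print "}\n"
      for (r in rules) printf "allow %s {%s };\n", r, perms_for(rperm, r)
    }'
}

# usage on the constructed sample; on a host, feed `ausearch -m avc --raw` instead
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_tuples | avc_to_te my-iredmail
```

`ausearch -m avc --raw` produces lines in the format the parser expects; without `--raw`, ausearch adds a `----` separator and a `time->` line before each event, which the `^type=AVC` match simply skips. Order inside the generated require and allow lines is not significant to checkmodule.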

5

Re: iRedMail and SELinux

alm wrote:

Hi, very helpful information. I was busy with audit2allow to catch the policy items needed to make SELinux work in enforcing mode. I've not been busy with configuration of SELinux before and was already happy that audit2allow makes it easier, but it's quite time-consuming even that way, because you won't catch what does not happen, and it will cause failures later when enforcing is on.

I'm just wondering about the /var/vmail subfolders, because they are not all used by dovecot, AFAIK. It seems only public, sieve and vmail1 folder should be accessible by dovecot, is that right?
There's also the backup folder, mlmmj and mlmmj-archive folder for which I wonder what the correct fcontext should be. If dovecot doesn't need it I don't want it to be able to access it.

I will check tomorrow what 'ausearch -m avc' and 'audit2allow -w -i /var/log/audit/audit.log' make of it now that I applied the fcontext to /var/mail, /var/vmail/vmail1, /var/vmail/public and /var/vmail/sieve but not the others.

Hmm, good point. Please let me know what happened.

Btw, I was just testing connections with IMAP, IMAPS, POP3 and POP3S. I was able to send mail between local users, so no problem. The Roundcube web client is also working correctly. SELinux logs are clean and there are no AVCs.

6

Re: iRedMail and SELinux

Thanks alm for pointing this out. I just tested this. The fcontext for dovecot mail dir should be more specific:

semanage fcontext --add --type mail_home_rw_t --range s0 '/var/vmail/vmail1(/.*)?'
semanage fcontext --add --type mail_home_rw_t --range s0 '/var/vmail/sieve(/.*)?'
semanage fcontext --add --type mail_home_rw_t --range s0 '/var/vmail/public(/.*)?'
restorecon -vR /var/vmail

instead of

chcon -R -t mail_home_rw_t /var/vmail
semanage fcontext --add --type mail_home_rw_t --range s0 '/var/vmail(/.*)?'

There is no need to change the whole /var/vmail directory fcontext.
I will add this to the script on GitHub.
As for the other directories, I am waiting for something to complain about them so I can track the cause and change the fcontext if needed. If nothing complains then I think they should be left untouched.

7

Re: iRedMail and SELinux

It's now like this, just for completeness:

[root@mail vmail]# ls -alZ
total 4
drwxr-xr-x.  9 root  root  system_u:object_r:mail_home_rw_t:s0      111 Jan 21 13:21 .
drwxr-xr-x. 22 root  root  system_u:object_r:var_t:s0              4096 Jan 21 13:19 ..
drwx------.  3 root  root  unconfined_u:object_r:unlabeled_t:s0      42 Jan 22 03:30 backup
drwx------.  2 mlmmj mlmmj system_u:object_r:var_t:s0                62 Jan 21 13:20 mlmmj
drwx------.  2 mlmmj mlmmj unconfined_u:object_r:unlabeled_t:s0       6 Jan 21 13:21 mlmmj-archive
drwx------.  2 nginx nginx unconfined_u:object_r:unlabeled_t:s0       6 Jan 21 13:21 pgp-keys
drwx------.  2 vmail vmail unconfined_u:object_r:mail_home_rw_t:s0    6 Jan 21 13:20 public
drwx------.  2 vmail vmail unconfined_u:object_r:mail_home_rw_t:s0   48 Jan 21 13:26 sieve
drwx------.  3 vmail vmail unconfined_u:object_r:mail_home_rw_t:s0   37 Jan 21 13:20 vmail1
[root@mail vmail]#

No failures in audit.log can be seen with ausearch -m avc or with audit2allow.

Still wondering what the correct fcontext should be for the folders which have a fcontext of unlabeled_t though.

I'm also not sure about the unconfined_u that is shown above. All folders in /var have system_u so perhaps that should also be system_u?

8

Re: iRedMail and SELinux

alm wrote:

Still wondering what the correct fcontext should be for the folders which have a fcontext of unlabeled_t though.

I'm also not sure about the unconfined_u that is shown above. All folders in /var have system_u so perhaps that should also be system_u?

Here is the original fcontext for the other folders in /var/vmail:

drwxr-xr-x.  9 root  root  unconfined_u:object_r:var_t:s0           111 Feb 10 10:34 .
drwxr-xr-x. 23 root  root  system_u:object_r:var_t:s0              4096 Feb 10 10:33 ..
drwx------.  2 root  root  unconfined_u:object_r:var_t:s0            29 Feb 10 10:34 backup
drwx------.  4 mlmmj mlmmj system_u:object_r:var_t:s0               110 Feb 10 12:10 mlmmj
drwx------.  2 mlmmj mlmmj unconfined_u:object_r:var_t:s0             6 Feb 10 10:34 mlmmj-archive
drwx------.  2 nginx nginx unconfined_u:object_r:var_t:s0             6 Feb 10 10:34 pgp-keys
drwx------.  2 vmail vmail unconfined_u:object_r:mail_home_rw_t:s0    6 Feb 10 10:33 public
drwx------.  2 vmail vmail unconfined_u:object_r:mail_home_rw_t:s0   48 Feb 10 11:13 sieve
drwx------.  3 vmail vmail unconfined_u:object_r:mail_home_rw_t:s0   28 Feb 10 10:33 vmail1

They seem to be var_t.

As for the unconfined_u, if everything else in /var is system_u then probably these should be system_u as well. I am not sure though so I will try changing them to system_u and see if something breaks.

9 (edited by thedethwalker 2022-02-10 19:23:43)

Re: iRedMail and SELinux

Ok, so I tested changing everything in /var/vmail to system_u and everything is alright. But to be honest, if you are running in the default "targeted" mode then the user part is skipped, so there is no need for it to be changed. In "targeted" mode all users are unconfined and only system processes are confined, so only the "type" is important since all processes are tested against it. If you leave everything as unconfined_u it won't make a difference.

10

Re: iRedMail and SELinux

thedethwalker wrote:

Here is the original fcontext for the other folders in /var/vmail:

drwxr-xr-x.  9 root  root  unconfined_u:object_r:var_t:s0           111 Feb 10 10:34 .
drwxr-xr-x. 23 root  root  system_u:object_r:var_t:s0              4096 Feb 10 10:33 ..
drwx------.  2 root  root  unconfined_u:object_r:var_t:s0            29 Feb 10 10:34 backup
drwx------.  4 mlmmj mlmmj system_u:object_r:var_t:s0               110 Feb 10 12:10 mlmmj
drwx------.  2 mlmmj mlmmj unconfined_u:object_r:var_t:s0             6 Feb 10 10:34 mlmmj-archive
drwx------.  2 nginx nginx unconfined_u:object_r:var_t:s0             6 Feb 10 10:34 pgp-keys
drwx------.  2 vmail vmail unconfined_u:object_r:mail_home_rw_t:s0    6 Feb 10 10:33 public
drwx------.  2 vmail vmail unconfined_u:object_r:mail_home_rw_t:s0   48 Feb 10 11:13 sieve
drwx------.  3 vmail vmail unconfined_u:object_r:mail_home_rw_t:s0   28 Feb 10 10:33 vmail1

They seem to be var_t.

Uh, strange that they changed to unlabeled_t then in my case. But it makes sense to have them as var_t as you showed. Will change accordingly.

Thanks for explaining the targeted mode, then I don't need to worry about that.

11

Re: iRedMail and SELinux

alm wrote:

Uh, strange that they changed to unlabeled_t then in my case. But it makes sense to have them as var_t as you showed. Will change accordingly.

Actually it is not strange; they haven't changed if you haven't touched them. It is just that when I used "restorecon -vR /var/vmail" it automatically relabeled them to var_t because I used it on the whole vmail folder. What I posted there isn't the original, so please excuse me for that, my mistake. But to be honest they should be var_t.

12

Re: iRedMail and SELinux

It makes sense to have those other folders labeled as var_t. So far nothing else popped up during my tests. To be continued.

13

Re: iRedMail and SELinux

Thanks for sharing.

14

Re: iRedMail and SELinux

I have the following booleans set:
setsebool -P antivirus_can_scan_system 1
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_sendmail 1
setsebool -P nis_enabled 1

I tried with nis_enabled as 0 (default), but then I ran into issues when restarting dovecot.

I don't seem to need the following commands:
#dovecot
semanage port -a -t mail_port_t -p tcp 24242
semanage port -a -t mail_port_t -p tcp 12340

#Amavis
semanage port -m -t amavisd_recv_port_t -p tcp 10027
semanage port -m -t amavisd_recv_port_t -p tcp 10026

These amavis ports are already linked to spamd_port_t (I did not add them myself).

15

Re: iRedMail and SELinux

alm wrote:

I have the following booleans set:
setsebool -P antivirus_can_scan_system 1
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_sendmail 1
setsebool -P nis_enabled 1

I tried with nis_enabled as 0 (default), but then I ran into issues when restarting dovecot.

I don't seem to need the following commands:
#dovecot
semanage port -a -t mail_port_t -p tcp 24242
semanage port -a -t mail_port_t -p tcp 12340

#Amavis
semanage port -m -t amavisd_recv_port_t -p tcp 10027
semanage port -m -t amavisd_recv_port_t -p tcp 10026

These amavis ports are already linked to spamd_port_t (I did not add them myself).


Interesting. I guess I'll have to make a new install and try out your config. BTW what distro are you using? Something tells me different distros have different defaults set.

16

Re: iRedMail and SELinux

My distro is Oracle Linux 8.5.

I found the booleans with: audit2allow -w -i /var/log/audit/audit.log

I set the booleans according to that, but ports 24242 and 12340 were not linked when looking at "semanage port --list". Do you remember in which case you saw those ports being used?

17

Re: iRedMail and SELinux

alm wrote:

My distro is Oracle Linux 8.5.

I found the booleans with: audit2allow -w -i /var/log/audit/audit.log

I set the booleans according to that, but ports 24242 and 12340 were not linked when looking at "semanage port --list". Do you remember in which case you saw those ports being used?

I usually use audit2allow as a last resort in order to make custom policy. You can also use "journalctl -t setroubleshoot" and "sealert" (the "journalctl..." command tells you which "sealert" command to use for more details). There I saw that SELinux was blocking dovecot from using ports 24242 and 12340. The commands

semanage port -a -t mail_port_t -p tcp 24242
semanage port -a -t mail_port_t -p tcp 12340

were actually suggested by "sealert". I think it also suggested using the nis_enabled boolean, but with lower confidence, which is why I decided to be more specific.

Bear in mind that sealert, ausearch and audit.log don't always show everything. In the case of amavisd there were no problems in those logs, but Amavis was failing to start since it could not bind 10026 and 10027 (these were errors in the Amavis logs). After a little research I found out that Amavis was using its own SpamAssassin instance and not the usual spamd daemon. After a little more research into iRedMail's config files I found out that 10026 and 10027 were used by Amavis to receive mail from Postfix for scanning. So using the following commands fixed the issue:

semanage port -m -t amavisd_recv_port_t -p tcp 10027
semanage port -m -t amavisd_recv_port_t -p tcp 10026

I also have spamd_port_t linked to 10026 and 10027 by default. However the problem was that Amavis wasn't using the usual spamd daemon and that is why SELinux was blocking it. Make sure you restart Amavis to check if it is starting correctly.
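The two `semanage port` forms used in this thread (`-a` for dovecot's 24242/12340 in the first post, `-m` for the amavisd ports that are already defined under spamd_port_t, as explained just above) fail in opposite situations: `-a` errors out on a port that is already defined, `-m` on one that is not. The following is an added example, not code from the thread or from iRedMail, that picks the right flag by parsing `semanage port -l` output. The SAMPLE_PORT_LIST it ships with is a constructed, abridged sample, and `apply_port` is only useful on a real host as root with policycoreutils installed.

```shell
#!/bin/sh
# Added example, not code from the thread or the iRedMail project. It decides
# whether a port needs `semanage port -a` (port not yet labeled) or
# `semanage port -m` (port already defined under another type, as 10026/10027
# are under spamd_port_t) by parsing `semanage port -l` output.
# SAMPLE_PORT_LIST is a constructed, abridged sample, not output from a real host.

SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

amavisd_recv_port_t            tcp      10024
amavisd_send_port_t            tcp      10025
ephemeral_port_t               tcp      32768-60999
mail_port_t                    tcp      2000, 3905
spamd_port_t                   tcp      783, 10026, 10027'

# port_label LIST PROTO PORT: prints the type that currently owns PROTO/PORT
# (single ports and ranges are handled), or nothing if the port is unlabeled.
port_label() {
  printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    NF >= 3 && $2 == proto {
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)          # "783," -> "783"
        if (index(p, "-")) {              # a range such as 32768-60999
          split(p, r, "-")
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
        } else if (p == port) { print $1; exit }
      }
    }'
}

# semanage_port_flag LIST PROTO PORT TYPE: prints "-a", "-m" or "skip"
semanage_port_flag() {
  current=$(port_label "$1" "$2" "$3")
  if [ -z "$current" ]; then
    echo "-a"                       # not defined: add a local port definition
  elif [ "$current" = "$4" ]; then
    echo "skip"                     # already the wanted type
  else
    echo "-m"                       # defined under another type: override it locally
  fi
}

# apply_port PROTO PORT TYPE: run the right semanage command on this host
# (needs root and semanage; not exercised offline).
apply_port() {
  flag=$(semanage_port_flag "$(semanage port -l)" "$1" "$2" "$3")
  if [ "$flag" = skip ]; then
    echo "$1/$2 is already labeled $3"
  else
    semanage port "$flag" -t "$3" -p "$1" "$2"
  fi
}

# usage on the constructed sample
semanage_port_flag "$SAMPLE_PORT_LIST" tcp 24242 mail_port_t           # -a
semanage_port_flag "$SAMPLE_PORT_LIST" tcp 10026 amavisd_recv_port_t   # -m
semanage_port_flag "$SAMPLE_PORT_LIST" tcp 10024 amavisd_recv_port_t   # skip
```

On a real host the calls would be `apply_port tcp 24242 mail_port_t` and `apply_port tcp 10026 amavisd_recv_port_t`; `semanage port -l -C` afterwards lists only the local additions and overrides, which is what to carry over to the next install.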

18

Re: iRedMail and SELinux

audit2allow -w -i /var/log/audit/audit.log does not create a policy, it only shows what is in the audit log and makes it more understandable. You can make a policy with it, that's correct, but not how I used it.

I don't have setroubleshoot installed, and that's what provides sealert, so I did not use that.

I did restart amavisd and no issues were shown with journalctl -xe, so I guess there's no issue for me at this moment.

PS. If you want to try with Oracle Linux 8.5, know that it's a free download without any registration (https://yum.oracle.com/oracle-linux-isos.html). Updates are free as well.

19

Re: iRedMail and SELinux

alm wrote:

PS. If you want to try with Oracle Linux 8.5, know that it's a free download without any registration (https://yum.oracle.com/oracle-linux-isos.html). Updates are free as well.

I would guess you did some trick in order to bypass the missing perl package?

20

Re: iRedMail and SELinux

thedethwalker wrote:
alm wrote:

PS. If you want to try with Oracle Linux 8.5, know that it's a free download without any registration (https://yum.oracle.com/oracle-linux-isos.html). Updates are free as well.

I would guess you did some trick in order to bypass the missing perl package?

You might need to enable the ol8_codeready_builder and ol8_appstream repos.

dnf config-manager --set-enabled ol8_codeready_builder
dnf config-manager --set-enabled ol8_appstream

Perl comes from the appstream repo.

21

Re: iRedMail and SELinux

I just tested your config. All is working fine. I guess the Amavis problem is only on RockyLinux. The "nis_enabled 1" takes care of ports 24242 and 12340 for dovecot. I just have two questions about this part:

setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_sendmail 1

Did you have problems with nginx connecting to local mysql or are you using external mysql server?
Could you do a "getsebool -a | grep postfix" and tell me the status of your "postfix_local_write_mail_spool" Boolean?

22

Re: iRedMail and SELinux

thedethwalker wrote:

Did you have problems with nginx connecting to local mysql or are you using external mysql server?
Could you do a "getsebool -a | grep postfix" and tell me the status of your "postfix_local_write_mail_spool" Boolean?

The database is local on the same system, not remote. I did not set the postfix boolean which you mentioned and I don't know the current value. Will check, but that will have to wait till this evening.

Everything I found myself was with the 'audit2allow -w -i /var/log/audit/audit.log' command which showed me the required booleans as I mentioned.

23

Re: iRedMail and SELinux

thedethwalker wrote:

Could you do a "getsebool -a | grep postfix" and tell me the status of your "postfix_local_write_mail_spool" Boolean?

The boolean shows as on. Was/is it on in your case as well?

24

Re: iRedMail and SELinux

alm wrote:

The boolean shows as on. Was/is it on in your case as well?

It is on in my case as well. I was searching around the net for more info on httpd_can_sendmail and I came across this link. I guess this is not the case.

I am just wondering what makes httpd_can_sendmail and httpd_can_network_connect_db be required. I still don't have these show up as a suggestion from audit2allow or sealert. I guess I just need to do more testing.

BTW you can check what each SELinux boolean does with "sesearch -A -b <bool name>" (you'll need "setools-console" package). If you use this on nis_enabled you may be surprised because it allows a lot of stuff which is not very secure. I'll disable it and play around with semanage to see if I can make dovecot work.

25

Re: iRedMail and SELinux

thedethwalker wrote:

I am just wondering what makes httpd_can_sendmail and httpd_can_network_connect_db be required. I still don't have these show up as a suggestion from audit2allow or sealert. I guess I just need to do more testing.

Did you try to send e-mail using Roundcube already?

thedethwalker wrote:

BTW you can check what each SELinux boolean does with "sesearch -A -b <bool name>" (you'll need "setools-console" package). If you use this on nis_enabled you may be surprised because it allows a lot of stuff which is not very secure. I'll disable it and play around with semanage to see if I can make dovecot work.

Will check that out also. I had nis_enabled disabled for a while, but it came back when I restarted dovecot as a suggestion from audit2allow. It did not show when I did a reboot, which is kind of strange...

Thanks for the info!