Topic: iRedMail and SELinux
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.5.1
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: RockyLinux 8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hello, I just want to report that I was able to run iRedMail with SELinux in enforcing mode.
I haven't tested everything, but I was able to create new users and send mail between them without any errors. With this setup the SELinux logs were clean.
Here are the things that I had to do:
# ClamAV: let the antivirus domain read files outside its own labels
setsebool -P antivirus_can_scan_system 1

# Dovecot: label its non-standard local listeners as mail ports
semanage port -a -t mail_port_t -p tcp 24242
semanage port -a -t mail_port_t -p tcp 12340
# relabel the mailbox tree now, and record the rule so the label is kept by a later relabel/restorecon
chcon -R -t mail_home_rw_t /var/vmail
semanage fcontext --add --type mail_home_rw_t --range s0 '/var/vmail(/.*)?'

# Nginx: allow httpd_t to open outbound TCP connections to its backends
setsebool -P httpd_can_network_connect 1

# Amavis: add the extra iRedMail ports to the amavisd receive port type (-m modifies an existing port entry)
semanage port -m -t amavisd_recv_port_t -p tcp 10027
semanage port -m -t amavisd_recv_port_t -p tcp 10026

# fail2ban (THIS IS ONLY IF YOU HAVE INSTALLED iRedMail AS root)
# The module lets fail2ban_t stat and read files under /root (admin_home_t),
# stat the file labelled mysqld_home_t (the label used for a ~/.my.cnf),
# and connect to the MySQL port.
# Create a file named my-fail2ban.te with these contents:
module my-fail2ban 1.0;

require {
    type fail2ban_t;
    type admin_home_t;
    type mysqld_home_t;
    type mysqld_port_t;
    class file { getattr open read };
    class tcp_socket name_connect;
}

#============= fail2ban_t ==============
allow fail2ban_t admin_home_t:file { getattr open read };
allow fail2ban_t mysqld_home_t:file getattr;
allow fail2ban_t mysqld_port_t:tcp_socket name_connect;

# and then run these commands to compile, package and load the module:
checkmodule -M -m -o my-fail2ban.mod my-fail2ban.te
semodule_package -o my-fail2ban.pp -m my-fail2ban.mod
semodule -i my-fail2ban.pp
That is it.
I know that it is not a good idea to install iRedMail as the root user. I was just testing stuff. I will post a solution for a sudo user as well; I just need to do a little more testing. I suspect that not all the problems with SELinux and iRedMail are covered, but more testing is needed so that AVC messages can be generated and analyzed. I could even make a script. Hope this helps.
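The port commands in the post hard-code `-a` (add) or `-m` (modify); `semanage port -a` fails when the port is already defined and `-m` fails when it is not, so a script that re-applies these settings should look at `semanage port -l` first. The helper below is an added example, not code from the post or from the iRedMail project: it parses a `semanage port -l` listing, decides per port whether nothing, `-a` or `-m` is needed, and runs the change when `semanage` is installed. The listing in `SAMPLE_PORT_LIST` is constructed for offline use; on a real host the live output of `semanage port -l` is parsed instead.

```shell
#!/bin/sh
# Added example (not from the original post): choose between
# `semanage port -a`, `semanage port -m` and "nothing to do" by parsing
# `semanage port -l` output. SAMPLE_PORT_LIST is a constructed listing
# so the helpers can be exercised without SELinux tools present.

SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

amavisd_recv_port_t            tcp      10024
amavisd_send_port_t            tcp      10025
mail_port_t                    tcp      2000, 3905
mysqld_port_t                  tcp      1186, 3306, 63132-63164'

# port_state LISTING TYPE PROTO PORT -> prints same | other | none
#   same  : PORT is already labelled TYPE
#   other : PORT is defined, but under a different type (needs -m)
#   none  : PORT is not defined at all (needs -a)
port_state() {
  printf '%s\n' "$1" | awk -v type="$2" -v proto="$3" -v port="$4" '
    $2 == proto {
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p); hit = 0
        if (index(p, "-")) {               # a range such as 63132-63164
          split(p, r, "-")
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) hit = 1
        } else if (p + 0 == port + 0) hit = 1
        if (hit) { if ($1 == type) same = 1; else other = 1 }
      }
    }
    END { if (same) print "same"; else if (other) print "other"; else print "none" }'
}

# semanage_port_cmd TYPE PROTO PORT LISTING -> prints the command to run,
# or nothing when the port already carries TYPE.
semanage_port_cmd() {
  case "$(port_state "$4" "$1" "$2" "$3")" in
    none)  printf 'semanage port -a -t %s -p %s %s\n' "$1" "$2" "$3" ;;
    other) printf 'semanage port -m -t %s -p %s %s\n' "$1" "$2" "$3" ;;
    *)     : ;;
  esac
}

# apply_port TYPE PROTO PORT: consult the live policy and run the change.
apply_port() {
  cmd=$(semanage_port_cmd "$1" "$2" "$3" "$(semanage port -l)")
  if [ -n "$cmd" ]; then
    echo "+ $cmd"
    $cmd
  else
    echo "= $1 $2/$3 already labelled"
  fi
}

if command -v semanage >/dev/null 2>&1; then
  # the ports from the post: Dovecot's local listeners and the extra Amavis ports
  apply_port mail_port_t tcp 24242
  apply_port mail_port_t tcp 12340
  apply_port amavisd_recv_port_t tcp 10026
  apply_port amavisd_recv_port_t tcp 10027
else
  # no semanage here: show the decisions against the constructed listing
  for spec in "mail_port_t tcp 24242" "amavisd_recv_port_t tcp 10024" \
              "amavisd_recv_port_t tcp 10026" "mail_port_t tcp 3306"; do
    set -- $spec
    printf '%s %s/%s -> %s\n' "$1" "$2" "$3" \
      "$(semanage_port_cmd "$1" "$2" "$3" "$SAMPLE_PORT_LIST")"
  done
fi
```

Against the constructed listing, 24242 is undefined (so `-a`), 10024 already carries `amavisd_recv_port_t` (nothing to do), and 3306 belongs to `mysqld_port_t` (so relabelling it would need `-m`). The same logic covers port ranges such as `63132-63164`, which `semanage port -l` prints for some types.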