Topic: iRedMail and SELinux

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.1
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: Rocky Linux 8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

iRedMail is installed with SELinux disabled. But enabling SELinux increases the security of the mail server. That is why I enable SELinux after the iRedMail installation. I'll show how I do it. Maybe someone will find it useful.

I use the following configuration: Rocky Linux 8.6 x86_64, mail accounts are stored in LDAP, the web server is nginx, mlmmj and netdata are not used. If you have a different configuration, your mileage may vary.

First of all, I switch SELinux to permissive mode. This can be done by replacing the line

SELINUX=disabled

with the line

SELINUX=permissive

in /etc/selinux/config and rebooting. Now SELinux is still not enforcing, but one may see SELinux errors in /etc/audit/audit.log as if it were enforcing. After that I set

sudo setsebool -P antivirus_can_scan_system on
sudo setsebool -P domain_can_mmap_files on
sudo setsebool -P nis_enabled on

For dovecot and postfix to work with the mail database, following the hint at
http://bubnov-pi.blogspot.com/2014/06/s … vecot.html I execute the commands

sudo semanage fcontext -a -t mail_home_rw_t "/var/vmail/vmail1(/.*)?"
sudo restorecon -v -r /var/vmail/vmail1

Since the script /usr/local/bin/fail2ban_banned_db is used, we need to add the appropriate SELinux module:

$ cat > fail2ban_banned_db.te << 'EOF'
module fail2ban_banned_db 1.0;

require {
    type admin_home_t;
    type hostname_exec_t;
    type mysqld_home_t;
    type mysqld_port_t;
    type fail2ban_t;
    class file { execute execute_no_trans getattr open read };
    class tcp_socket name_connect;
}

#============= fail2ban_t ==============
allow fail2ban_t admin_home_t:file { getattr open read };
allow fail2ban_t hostname_exec_t:file { execute execute_no_trans getattr open read };
allow fail2ban_t mysqld_home_t:file getattr;
allow fail2ban_t mysqld_port_t:tcp_socket name_connect;
EOF

To compile and install this module, I run:

$ bash install_module fail2ban_banned_db

where

$ cat > install_module << 'EOF'
#
# install_module reads some-module.te, compiles it and installs it into the SELinux policy.
#
# USAGE:
#       bash install_module some-module
#
set -e
[ "$(id -u)" -eq 0 ] && { printf '%s\n' "DO NOT run this as root" >&2; exit 1; }
[ -n "$1" ] || { printf '%s\n' "usage: bash install_module some-module" >&2; exit 1; }
# -M builds an MLS/MCS-aware module, which the RHEL/Rocky targeted policy requires
checkmodule -M -m -o "$1.mod" "$1.te"
semodule_package -o "$1.pp" -m "$1.mod"
sudo semodule -i "$1.pp"
EOF

SELinux prevents amavisd from starting, with the diagnostic

Can't connect to TCP port 10026 on 127.0.0.1 [Permission denied]

To fix this, I add the SELinux module (https://bugs.centos.org/view.php?id=14439):

$ cat > selinux-amavisd-tcp.te << 'EOF'
module selinux-amavisd-tcp 1.0;

require {
    type antivirus_t;
    type spamd_port_t;
    class tcp_socket { name_bind name_connect };
}

#============= antivirus_t ==============
allow antivirus_t spamd_port_t:tcp_socket { name_bind name_connect };
EOF

To install the module, I run

$ bash install_module selinux-amavisd-tcp

To check for SELinux errors in the audit.log, you may run

ausearch -i -m AVC -ts 'date' 'time'

where 'date' and 'time' are the date and the time, in your locale's format, from which the check starts. After a week without SELinux errors, I switched SELinux to enforcing mode by replacing the line

SELINUX=permissive

in the file /etc/selinux/config with the line

SELINUX=enforcing

and running

$ sudo setenforce 1
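Before switching to enforcing, it helps to see every distinct denial the permissive week produced, so that each one can be mapped to a boolean, a file context or a hand-written .te module like the two above. The script below is an added example, not part of the original post or of iRedMail; it parses raw audit.log AVC lines (not the `ausearch -i` interpreted form) and the sample lines in it are constructed.

```shell
#!/usr/bin/env bash
# Summarise raw SELinux AVC denials (the format written to /var/log/audit/audit.log)
# into one row per
#   count  source_domain  target_type  class  permission
# so that each distinct denial can be reviewed before SELinux goes enforcing.

# Constructed sample audit lines; not taken from a real server.
SAMPLE_AVC='type=AVC msg=audit(1660000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="amavisd" dest=10026 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1660000001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="amavisd" dest=10026 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:spamd_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1660000002.789:458): avc:  denied  { read open } for  pid=2345 comm="python3" name="fail2ban_banned_db" dev="dm-0" ino=123 scontext=system_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1660000002.789:458): arch=c000003e syscall=257 success=yes exit=3'

# avc_summary [file...]: reads audit lines from the files given (or stdin) and prints
# "count sdomain ttype tclass perm", one line per distinct denial, sorted by domain.
avc_summary() {
  awk '
    /^type=AVC / && / denied / {
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # contexts look like user:role:type:level; keep only the type
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      # permissions are the words between "{" and "}"; one row per permission
      perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) count[src " " tgt " " cls " " p[j]]++
    }
    END { for (k in count) print count[k], k }
  ' "$@" | sort -k2
}

# Stand-alone run over the constructed sample; on a server use:
#   avc_summary /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Each output row names the source domain, target type, class and permission that an allow rule in a .te module would have to cover, which makes it easy to spot denials that are better fixed with a boolean or a file context instead.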
