This post is specifically about running the iRedMail stack in a CentOS 6 or 7 environment with SELinux enabled. By default, iRedMail disables SELinux during the install. If you check the iRedMail forums, you’ll find folks telling you that SELinux won’t work with iRedMail, and there’s no attempt to educate people on how to configure SELinux so that the iRedMail components function properly. So I’m writing about that here.
In order to get started, you’ll need to have the setroubleshoot package installed.
yum install setroubleshoot-server
Once that’s done, put SELinux into permissive mode by editing the /etc/selinux/config file and changing the SELINUX=disabled line to SELINUX=permissive. Reboot.
Upon rebooting, you’ll need to scan the /var/log/audit/audit.log file for SELinux denials.
sealert -a /var/log/audit/audit.log > alerts.log
This will output the results from the sealert auditing tool into a logfile which you can save. Scanning the file, you’ll see lines like:
grep lmtp /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
This scans the audit log for the keyword lmtp, pipes the matching lines to another tool called audit2allow, which generates a policy module, and then uses the semodule tool to install the generated policy. That’s it. You will have to do this several times, for several different services (dovecot and clamd, for example). I recommend running this setup for several days, exercising the various exposed endpoints and functions of the iRedMail installation you created. Once you can audit the log and not come up with any errors after about a week, I’d say you’re safe to change the /etc/selinux/config file so that SELinux is enforcing instead of permissive. I recommend further security measures, but ensuring SELinux is running on your VPS, VM or physical host will contribute to a secure environment.
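Because grep matches the keyword anywhere in a line, it helps to see exactly which denials the grep | audit2allow step above would turn into allow rules before installing the module. The following is an added example, not part of the original post: summarize_avc and sample_log are names made up here, and the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example: summarize the AVC denials a keyword match would feed to audit2allow.
# Usage on a real host: summarize_avc /var/log/audit/audit.log lmtp

summarize_avc() {
    # $1 = audit log path ("-" for stdin), $2 = optional keyword, matched like grep
    awk -v kw="${2:-}" '
    /type=AVC/ && /denied/ && (kw == "" || index($0, kw)) {
        comm = src = tgt = cls = perms = "?"
        s = index($0, "{"); e = index($0, "}")   # permissions sit between the braces
        if (s && e > s) { perms = substr($0, s + 1, e - s - 1); gsub(/^ +| +$/, "", perms) }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        n[comm " " src " -> " tgt ":" cls " { " perms " }"]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
    ' "${1:-/var/log/audit/audit.log}" | sort -k1,1nr -k2
}

# Constructed sample audit.log lines (not taken from a real host).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1500000000.101:201): avc:  denied  { write } for  pid=2101 comm="lmtp" name="dovecot-lmtp" dev="dm-0" ino=1001 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1500000060.102:202): avc:  denied  { write } for  pid=2150 comm="lmtp" name="dovecot-lmtp" dev="dm-0" ino=1001 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1500000120.103:203): avc:  denied  { read open } for  pid=2200 comm="dovecot" name="lmtp.conf" dev="dm-0" ino=1002 scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1500000180.104:204): avc:  denied  { search } for  pid=2300 comm="clamd" name="vmail" dev="dm-0" ino=1003 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
EOF
}

# Demo: everything the keyword "lmtp" selects, including the dovecot line
# that matches only because of the file name.
sample_log | summarize_avc - lmtp
```

Any row in the summary that does not belong to the service you meant to fix is a reason to narrow the match before running audit2allow and semodule.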