ISPMail on RHEL (Part Eight)

[Figure: SELinux setup graphic representation]

In this final article of the ISPMail on RHEL series, we’ll focus on SELinux.

What is SELinux?

SELinux is an additional security layer that defines — at a very granular level — which processes can access which resources and what operations they’re allowed to perform.

At the beginning of our installation, we set SELinux to permissive mode.

In this mode, SELinux logs policy violations but doesn’t block any actions — useful for debugging and initial setup.

If you run this command while your server is operating:

ausearch -m avc

You’ll likely see many entries showing access violations related to files, directories, and other resources.

It’s time to fix our installation and put SELinux back in enforcing mode.

Allowing Postfix to access /etc/dovecot/mailserver.db

The file /etc/dovecot/mailserver.db contains data about domains, users and aliases; we discussed this in Part Two.

This file resides inside Dovecot’s configuration directory but needs to be readable by Postfix as well.

NOTE: We placed it under /etc/dovecot, but another suitable location would be /srv/mailserver. Adjust the paths as needed; the SELinux principles remain the same.

Files carry SELinux contexts. By default, mailserver.db is tagged as dovecot_etc_t, which Postfix cannot read unless allowed via a custom SELinux module.

NOTE: Postfix might complain that it needs write access to this file. However, there is no valid reason to grant it write permissions, so we’ll deny that and let it complain safely.

Create the file below with vim or nano, preferably naming it ispm-mailserver_db.te.

module ispm-mailserver_db 1.0;

require {
        type postfix_master_t;
        type postfix_smtpd_t;
        type postfix_cleanup_t;
        type dovecot_etc_t;
        class file { getattr lock open read };
        class dir search;
}

#============= postfix_master_t ==============
allow postfix_master_t dovecot_etc_t:dir search;
allow postfix_master_t dovecot_etc_t:file { getattr lock open read };

#============= postfix_smtpd_t ==============
allow postfix_smtpd_t dovecot_etc_t:dir search;
allow postfix_smtpd_t dovecot_etc_t:file { getattr lock open read };

#============= postfix_cleanup_t ==============
allow postfix_cleanup_t dovecot_etc_t:dir search;
allow postfix_cleanup_t dovecot_etc_t:file { getattr lock open read };

The module above allows the Postfix domains postfix_master_t, postfix_smtpd_t and postfix_cleanup_t to search directories and read files labeled dovecot_etc_t; it grants no write permission.

This module has to be compiled and installed with the following commands:

checkmodule -M -m -o ispm-mailserver_db.mod ispm-mailserver_db.te
semodule_package -o ispm-mailserver_db.pp -m ispm-mailserver_db.mod
semodule -X 300 -i ispm-mailserver_db.pp

Don’t forget to restart Postfix. It should no longer complain (except about write access, which is expected and safe to ignore).
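To see which denials remain once the module is loaded, here is an added shell helper (not part of the original article) that summarises AVC lines from ausearch -m avc or /var/log/audit/audit.log into counted (source type, class, permission, target type) tuples and marks the expected Postfix write denial on dovecot_etc_t so it is not mistaken for a missing rule. The sample lines are constructed; on your server, pipe the real ausearch output into summarize_avc.

```shell
#!/bin/sh
# Summarise SELinux AVC denials (from `ausearch -m avc` or /var/log/audit/audit.log)
# into one line per (source type, class, permission, target type) tuple with a count.
# The one denial this setup expects, Postfix asking for write access to
# dovecot_etc_t, is flagged "expected-denied"; everything else is "UNEXPECTED".
summarize_avc() {
    awk '
    /avc: *denied/ {
        # requested permissions sit between braces: { getattr open read }
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # the third colon-separated field of a context is its type
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) count[src " " cls " " p[j] " " tgt]++
    }
    END {
        for (k in count) {
            split(k, f, " ")
            flag = "UNEXPECTED"
            if (f[1] ~ /^postfix_/ && f[2] == "file" && f[3] == "write" && f[4] == "dovecot_etc_t")
                flag = "expected-denied"
            printf "%d %s %s\n", count[k], k, flag
        }
    }' | sort -k2,5
}

# Number of denials that still need a policy decision after the module is loaded.
unexpected_avc_count() {
    summarize_avc | awk '$NF == "UNEXPECTED" { c++ } END { print c + 0 }'
}

# Constructed sample lines (not captured from any real host), shaped like what
# `ausearch -m avc` prints while SELinux is still permissive.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read open } for  pid=1201 comm="smtpd" name="mailserver.db" dev="dm-0" ino=4242 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { search } for  pid=1202 comm="cleanup" name="dovecot" dev="dm-0" ino=4000 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { write } for  pid=1201 comm="smtpd" name="mailserver.db" dev="dm-0" ino=4242 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.104:204): avc:  denied  { read } for  pid=1201 comm="smtpd" name="mailserver.db" dev="dm-0" ino=4242 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:dovecot_etc_t:s0 tclass=file permissive=1'

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
echo "unexpected: $(printf '%s\n' "$SAMPLE_AVC" | unexpected_avc_count)"
```

Any tuple still flagged UNEXPECTED after Postfix is restarted is either a rule missing from the module or access the process should not have; the expected write denial stays denied on purpose.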

Dovecot: Spool access

In Part Four, we configured Dovecot to save all the emails under /var/vmail. We need to grant Dovecot full access to this directory, including its subdirectories and files.

# semanage fcontext -a -t dovecot_spool_t "/var/vmail(/.*)?"
# restorecon -Rv /var/vmail

The first command records the dovecot_spool_t context for /var/vmail and everything below it; the second applies that context to the files already there.

That’s it. Don’t forget to restart Dovecot.

Roundcube: apache/php-fpm sending mail

By default, the web server and php-fpm cannot initiate network connections. To send email, however, they need this ability, so we must grant it explicitly.

setsebool -P httpd_can_sendmail 1
setsebool -P httpd_can_network_connect 1

These two booleans are self-explanatory: the first lets httpd send mail, the second lets it open network connections. The -P flag makes both settings persist across reboots.

Re-enable Enforcing Mode

Once all SELinux rules are in place, it’s time to re-enable enforcing mode.

Edit /etc/selinux/config and change the line:

SELINUX=permissive

To:

SELINUX=enforcing

Then, reboot the system.

Verify the actual SELinux mode:

# getenforce
Enforcing

That’s it — you’re done! SELinux is now back in enforcing mode, and your mail server setup remains fully functional and secure.
