[Compose] Added SELinux support / volume labeling (#3766)

* [Compose] Added SELinux support / volume labeling

* fix typo

docker-compose.yml

@@ -6,8 +6,8 @@ services:
       environment:
         - TZ=${TZ}
       volumes:
-        - ./data/hooks/unbound:/hooks
-        - ./data/conf/unbound/unbound.conf:/etc/unbound/unbound.conf:ro
+        - ./data/hooks/unbound:/hooks:Z
+        - ./data/conf/unbound/unbound.conf:/etc/unbound/unbound.conf:ro,Z
       restart: always
       tty: true
       networks:
@@ -22,9 +22,9 @@ services:
         - unbound-mailcow
       stop_grace_period: 45s
       volumes:
-        - mysql-vol-1:/var/lib/mysql/
-        - mysql-socket-vol-1:/var/run/mysqld/
-        - ./data/conf/mysql/:/etc/mysql/conf.d/:ro
+        - mysql-vol-1:/var/lib/mysql/:Z
+        - mysql-socket-vol-1:/var/run/mysqld/:z
+        - ./data/conf/mysql/:/etc/mysql/conf.d/:ro,Z
       environment:
         - TZ=${TZ}
         - MYSQL_ROOT_PASSWORD=${DBROOT}
@@ -43,7 +43,7 @@ services:
     redis-mailcow:
       image: redis:5-alpine
       volumes:
-        - redis-vol-1:/data/
+        - redis-vol-1:/data/:Z
       restart: always
       ports:
         - "${REDIS_PORT:-127.0.0.1:7654}:6379"
@@ -64,7 +64,7 @@ services:
         - TZ=${TZ}
         - SKIP_CLAMD=${SKIP_CLAMD:-n}
       volumes:
-        - ./data/conf/clamav/:/etc/clamav/
+        - ./data/conf/clamav/:/etc/clamav/:Z
       networks:
         mailcow-network:
           aliases:
@@ -82,15 +82,15 @@ services:
         - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
         - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
       volumes:
-        - ./data/hooks/rspamd:/hooks
-        - ./data/conf/rspamd/custom/:/etc/rspamd/custom
-        - ./data/conf/rspamd/override.d/:/etc/rspamd/override.d
-        - ./data/conf/rspamd/local.d/:/etc/rspamd/local.d
-        - ./data/conf/rspamd/plugins.d/:/etc/rspamd/plugins.d
-        - ./data/conf/rspamd/lua/:/etc/rspamd/lua/:ro
-        - ./data/conf/rspamd/rspamd.conf.local:/etc/rspamd/rspamd.conf.local
-        - ./data/conf/rspamd/rspamd.conf.override:/etc/rspamd/rspamd.conf.override
-        - rspamd-vol-1:/var/lib/rspamd
+        - ./data/hooks/rspamd:/hooks:Z
+        - ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
+        - ./data/conf/rspamd/override.d/:/etc/rspamd/override.d:Z
+        - ./data/conf/rspamd/local.d/:/etc/rspamd/local.d:Z
+        - ./data/conf/rspamd/plugins.d/:/etc/rspamd/plugins.d:Z
+        - ./data/conf/rspamd/lua/:/etc/rspamd/lua/:ro,Z
+        - ./data/conf/rspamd/rspamd.conf.local:/etc/rspamd/rspamd.conf.local:Z
+        - ./data/conf/rspamd/rspamd.conf.override:/etc/rspamd/rspamd.conf.override:Z
+        - rspamd-vol-1:/var/lib/rspamd:z
       restart: always
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
@@ -106,22 +106,22 @@ services:
       depends_on:
         - redis-mailcow
       volumes:
-        - ./data/hooks/phpfpm:/hooks
-        - ./data/web:/web:rw
-        - ./data/conf/rspamd/dynmaps:/dynmaps:ro
-        - ./data/conf/rspamd/custom/:/rspamd_custom_maps
-        - rspamd-vol-1:/var/lib/rspamd
-        - mysql-socket-vol-1:/var/run/mysqld/
-        - ./data/conf/sogo/:/etc/sogo/
-        - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro
-        - ./data/conf/phpfpm/sogo-sso/:/etc/sogo-sso/
-        - ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf
-        - ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini
-        - ./data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini
-        - ./data/conf/phpfpm/php-conf.d/other.ini:/usr/local/etc/php/conf.d/zzz-other.ini
-        - ./data/conf/dovecot/global_sieve_before:/global_sieve/before
-        - ./data/conf/dovecot/global_sieve_after:/global_sieve/after
-        - ./data/assets/templates:/tpls
+        - ./data/hooks/phpfpm:/hooks:Z
+        - ./data/web:/web:rw,z
+        - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
+        - ./data/conf/rspamd/custom/:/rspamd_custom_maps:z
+        - rspamd-vol-1:/var/lib/rspamd:z
+        - mysql-socket-vol-1:/var/run/mysqld/:z
+        - ./data/conf/sogo/:/etc/sogo/:z
+        - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
+        - ./data/conf/phpfpm/sogo-sso/:/etc/sogo-sso/:z
+        - ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf:Z
+        - ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini:Z
+        - ./data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini:Z
+        - ./data/conf/phpfpm/php-conf.d/other.ini:/usr/local/etc/php/conf.d/zzz-other.ini:Z
+        - ./data/conf/dovecot/global_sieve_before:/global_sieve/before:Z
+        - ./data/conf/dovecot/global_sieve_after:/global_sieve/after:Z
+        - ./data/assets/templates:/tpls:z
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       environment:
@@ -178,12 +178,12 @@ services:
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       volumes:
-        - ./data/conf/sogo/:/etc/sogo/
-        - ./data/web/inc/init_db.inc.php:/init_db.inc.php
-        - ./data/conf/sogo/custom-sogo.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/custom-sogo.js
-        - mysql-socket-vol-1:/var/run/mysqld/
-        - sogo-web-vol-1:/sogo_web
-        - sogo-userdata-backup-vol-1:/sogo_backup
+        - ./data/conf/sogo/:/etc/sogo/:z
+        - ./data/web/inc/init_db.inc.php:/init_db.inc.php:Z
+        - ./data/conf/sogo/custom-sogo.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/custom-sogo.js:Z
+        - mysql-socket-vol-1:/var/run/mysqld/:z
+        - sogo-web-vol-1:/sogo_web:z
+        - sogo-userdata-backup-vol-1:/sogo_backup:Z
       restart: always
       networks:
         mailcow-network:
@@ -200,18 +200,18 @@ services:
       cap_add:
         - NET_BIND_SERVICE
       volumes:
-        - ./data/hooks/dovecot:/hooks
-        - ./data/conf/dovecot:/etc/dovecot
-        - ./data/assets/ssl:/etc/ssl/mail/:ro
-        - ./data/conf/sogo/:/etc/sogo/
-        - ./data/conf/phpfpm/sogo-sso/:/etc/phpfpm/
-        - vmail-vol-1:/var/vmail
-        - vmail-index-vol-1:/var/vmail_index
-        - crypt-vol-1:/mail_crypt/
-        - ./data/conf/rspamd/custom/:/etc/rspamd/custom
-        - ./data/assets/templates:/templates
-        - rspamd-vol-1:/var/lib/rspamd
-        - mysql-socket-vol-1:/var/run/mysqld/
+        - ./data/hooks/dovecot:/hooks:Z
+        - ./data/conf/dovecot:/etc/dovecot:z
+        - ./data/assets/ssl:/etc/ssl/mail/:ro,z
+        - ./data/conf/sogo/:/etc/sogo/:z
+        - ./data/conf/phpfpm/sogo-sso/:/etc/phpfpm/:z
+        - vmail-vol-1:/var/vmail:Z
+        - vmail-index-vol-1:/var/vmail_index:Z
+        - crypt-vol-1:/mail_crypt/:z
+        - ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
+        - ./data/assets/templates:/templates:z
+        - rspamd-vol-1:/var/lib/rspamd:z
+        - mysql-socket-vol-1:/var/run/mysqld/:z
       environment:
         - LOG_LINES=${LOG_LINES:-9999}
         - DBNAME=${DBNAME}
@@ -255,13 +255,13 @@ services:
       depends_on:
         - mysql-mailcow
       volumes:
-        - ./data/hooks/postfix:/hooks
-        - ./data/conf/postfix:/opt/postfix/conf
-        - ./data/assets/ssl:/etc/ssl/mail/:ro
-        - postfix-vol-1:/var/spool/postfix
-        - crypt-vol-1:/var/lib/zeyple
-        - rspamd-vol-1:/var/lib/rspamd
-        - mysql-socket-vol-1:/var/run/mysqld/
+        - ./data/hooks/postfix:/hooks:Z
+        - ./data/conf/postfix:/opt/postfix/conf:z
+        - ./data/assets/ssl:/etc/ssl/mail/:ro,z
+        - postfix-vol-1:/var/spool/postfix:z
+        - crypt-vol-1:/var/lib/zeyple:z
+        - rspamd-vol-1:/var/lib/rspamd:z
+        - mysql-socket-vol-1:/var/run/mysqld/:z
       environment:
         - LOG_LINES=${LOG_LINES:-9999}
         - TZ=${TZ}
@@ -325,12 +325,12 @@ services:
         - SKIP_SOGO=${SKIP_SOGO:-n}
         - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
       volumes:
-        - ./data/web:/web:ro
-        - ./data/conf/rspamd/dynmaps:/dynmaps:ro
-        - ./data/assets/ssl/:/etc/ssl/mail/:ro
-        - ./data/conf/nginx/:/etc/nginx/conf.d/:rw
-        - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro
-        - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
+        - ./data/web:/web:ro,z
+        - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
+        - ./data/assets/ssl/:/etc/ssl/mail/:ro,z
+        - ./data/conf/nginx/:/etc/nginx/conf.d/:rw,Z
+        - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
+        - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/:z
       ports:
         - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
         - "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
@@ -367,10 +367,10 @@ services:
         - SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n}
         - SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n}
       volumes:
-        - ./data/web/.well-known/acme-challenge:/var/www/acme:rw
-        - ./data/assets/ssl:/var/lib/acme/:rw
-        - ./data/assets/ssl-example:/var/lib/ssl-example/:ro
-        - mysql-socket-vol-1:/var/run/mysqld/
+        - ./data/web/.well-known/acme-challenge:/var/www/acme:rw,Z
+        - ./data/assets/ssl:/var/lib/acme/:rw,z
+        - ./data/assets/ssl-example:/var/lib/ssl-example/:ro,Z
+        - mysql-socket-vol-1:/var/run/mysqld/:z
       restart: always
       networks:
         mailcow-network:
@@ -407,10 +407,10 @@ services:
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       volumes:
-        - rspamd-vol-1:/var/lib/rspamd
-        - mysql-socket-vol-1:/var/run/mysqld/
-        - postfix-vol-1:/var/spool/postfix
-        - ./data/assets/ssl:/etc/ssl/mail/:ro
+        - rspamd-vol-1:/var/lib/rspamd:z
+        - mysql-socket-vol-1:/var/run/mysqld/:z
+        - postfix-vol-1:/var/spool/postfix:z
+        - ./data/assets/ssl:/etc/ssl/mail/:ro,z
       restart: always
       environment:
         - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
@@ -463,6 +463,8 @@ services:
 
     dockerapi-mailcow:
       image: mailcow/dockerapi:1.37
+      security_opt:
+        - label=disable
       restart: always
       oom_kill_disable: true
       dns:
@@ -481,7 +483,7 @@ services:
       image: mailcow/solr:1.7
       restart: always
       volumes:
-        - solr-vol-1:/opt/solr/server/solr/dovecot-fts/data
+        - solr-vol-1:/opt/solr/server/solr/dovecot-fts/data:Z
       ports:
         - "${SOLR_PORT:-127.0.0.1:18983}:8983"
       environment:
@@ -532,6 +534,8 @@ services:
       environment:
         - TZ=${TZ}
       image: robbertkl/ipv6nat
+      security_opt:
+        - label=disable
       restart: always
       privileged: true
       network_mode: "host"