Disable security labels within the container on rootless SELinux-enabled hosts

This commit is contained in:
Roy Lenferink 2023-01-08 11:55:48 +01:00
parent a76e6b32f7
commit a5eb7a1046
1 changed files with 84 additions and 52 deletions


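--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -6,8 +6,10 @@ services:
 environment:
 - TZ=${TZ}
 volumes:
-- ./data/hooks/unbound:/hooks:Z
-- ./data/conf/unbound/unbound.conf:/etc/unbound/unbound.conf:ro,Z
+- ./data/hooks/unbound:/hooks
+- ./data/conf/unbound/unbound.conf:/etc/unbound/unbound.conf:ro
+security_opt:
+- label=disable
 restart: always
 tty: true
 networks:
@@ -24,7 +26,9 @@ services:
 volumes:
 - mysql-vol-1:/var/lib/mysql/
 - mysql-socket-vol-1:/var/run/mysqld/
-- ./data/conf/mysql/:/etc/mysql/conf.d/:ro,Z
+- ./data/conf/mysql/:/etc/mysql/conf.d/:ro
+security_opt:
+- label=disable
 environment:
 - TZ=${TZ}
 - MYSQL_ROOT_PASSWORD=${DBROOT}
@@ -44,6 +48,8 @@ services:
 image: redis:7-alpine
 volumes:
 - redis-vol-1:/data/
+security_opt:
+- label=disable
 restart: always
 ports:
 - "${REDIS_PORT:-127.0.0.1:7654}:6379"
@@ -68,8 +74,10 @@ services:
 - TZ=${TZ}
 - SKIP_CLAMD=${SKIP_CLAMD:-n}
 volumes:
-- ./data/conf/clamav/:/etc/clamav/:Z
+- ./data/conf/clamav/:/etc/clamav/
 - clamd-db-vol-1:/var/lib/clamav
+security_opt:
+- label=disable
 networks:
 mailcow-network:
 aliases:
@@ -87,15 +95,17 @@ services:
 - REDIS_SLAVEOF_IP=${REDIS_SLAVEOF_IP:-}
 - REDIS_SLAVEOF_PORT=${REDIS_SLAVEOF_PORT:-}
 volumes:
-- ./data/hooks/rspamd:/hooks:Z
-- ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
-- ./data/conf/rspamd/override.d/:/etc/rspamd/override.d:Z
-- ./data/conf/rspamd/local.d/:/etc/rspamd/local.d:Z
-- ./data/conf/rspamd/plugins.d/:/etc/rspamd/plugins.d:Z
-- ./data/conf/rspamd/lua/:/etc/rspamd/lua/:ro,Z
-- ./data/conf/rspamd/rspamd.conf.local:/etc/rspamd/rspamd.conf.local:Z
-- ./data/conf/rspamd/rspamd.conf.override:/etc/rspamd/rspamd.conf.override:Z
+- ./data/hooks/rspamd:/hooks
+- ./data/conf/rspamd/custom/:/etc/rspamd/custom
+- ./data/conf/rspamd/override.d/:/etc/rspamd/override.d
+- ./data/conf/rspamd/local.d/:/etc/rspamd/local.d
+- ./data/conf/rspamd/plugins.d/:/etc/rspamd/plugins.d
+- ./data/conf/rspamd/lua/:/etc/rspamd/lua/:ro
+- ./data/conf/rspamd/rspamd.conf.local:/etc/rspamd/rspamd.conf.local
+- ./data/conf/rspamd/rspamd.conf.override:/etc/rspamd/rspamd.conf.override
 - rspamd-vol-1:/var/lib/rspamd
+security_opt:
+- label=disable
 restart: always
 hostname: rspamd
 dns:
@@ -111,23 +121,25 @@ services:
 depends_on:
 - redis-mailcow
 volumes:
-- ./data/hooks/phpfpm:/hooks:Z
-- ./data/web:/web:z
-- ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
-- ./data/conf/rspamd/custom/:/rspamd_custom_maps:z
+- ./data/hooks/phpfpm:/hooks
+- ./data/web:/web
+- ./data/conf/rspamd/dynmaps:/dynmaps:ro
+- ./data/conf/rspamd/custom/:/rspamd_custom_maps
 - rspamd-vol-1:/var/lib/rspamd
 - mysql-socket-vol-1:/var/run/mysqld/
-- ./data/conf/sogo/:/etc/sogo/:z
-- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
-- ./data/conf/phpfpm/sogo-sso/:/etc/sogo-sso/:z
-- ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf:Z
-- ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini:Z
-- ./data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini:Z
-- ./data/conf/phpfpm/php-conf.d/other.ini:/usr/local/etc/php/conf.d/zzz-other.ini:Z
-- ./data/conf/dovecot/global_sieve_before:/global_sieve/before:z
-- ./data/conf/dovecot/global_sieve_after:/global_sieve/after:z
-- ./data/assets/templates:/tpls:z
-- ./data/conf/nginx/:/etc/nginx/conf.d/:z
+- ./data/conf/sogo/:/etc/sogo/
+- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro
+- ./data/conf/phpfpm/sogo-sso/:/etc/sogo-sso/
+- ./data/conf/phpfpm/php-fpm.d/pools.conf:/usr/local/etc/php-fpm.d/z-pools.conf
+- ./data/conf/phpfpm/php-conf.d/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini
+- ./data/conf/phpfpm/php-conf.d/upload.ini:/usr/local/etc/php/conf.d/upload.ini
+- ./data/conf/phpfpm/php-conf.d/other.ini:/usr/local/etc/php/conf.d/zzz-other.ini
+- ./data/conf/dovecot/global_sieve_before:/global_sieve/before
+- ./data/conf/dovecot/global_sieve_after:/global_sieve/after
+- ./data/assets/templates:/tpls
+- ./data/conf/nginx/:/etc/nginx/conf.d/
+security_opt:
+- label=disable
 dns:
 - ${IPV4_NETWORK:-172.22.1}.254
 environment:
@@ -189,15 +201,17 @@ services:
 dns:
 - ${IPV4_NETWORK:-172.22.1}.254
 volumes:
-- ./data/hooks/sogo:/hooks:Z
-- ./data/conf/sogo/:/etc/sogo/:z
-- ./data/web/inc/init_db.inc.php:/init_db.inc.php:Z
-- ./data/conf/sogo/custom-favicon.ico:/usr/lib/GNUstep/SOGo/WebServerResources/img/sogo.ico:z
-- ./data/conf/sogo/custom-theme.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/theme.js:z
-- ./data/conf/sogo/custom-sogo.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/custom-sogo.js:z
+- ./data/hooks/sogo:/hooks
+- ./data/conf/sogo/:/etc/sogo/
+- ./data/web/inc/init_db.inc.php:/init_db.inc.php
+- ./data/conf/sogo/custom-favicon.ico:/usr/lib/GNUstep/SOGo/WebServerResources/img/sogo.ico
+- ./data/conf/sogo/custom-theme.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/theme.js
+- ./data/conf/sogo/custom-sogo.js:/usr/lib/GNUstep/SOGo/WebServerResources/js/custom-sogo.js
 - mysql-socket-vol-1:/var/run/mysqld/
 - sogo-web-vol-1:/sogo_web
 - sogo-userdata-backup-vol-1:/sogo_backup
+security_opt:
+- label=disable
 labels:
 ofelia.enabled: "true"
 ofelia.job-exec.sogo_sessions.schedule: "@every 1m"
@@ -224,18 +238,20 @@ services:
 cap_add:
 - NET_BIND_SERVICE
 volumes:
-- ./data/hooks/dovecot:/hooks:Z
-- ./data/conf/dovecot:/etc/dovecot:z
-- ./data/assets/ssl:/etc/ssl/mail/:ro,z
-- ./data/conf/sogo/:/etc/sogo/:z
-- ./data/conf/phpfpm/sogo-sso/:/etc/phpfpm/:z
+- ./data/hooks/dovecot:/hooks
+- ./data/conf/dovecot:/etc/dovecot
+- ./data/assets/ssl:/etc/ssl/mail/:ro
+- ./data/conf/sogo/:/etc/sogo/
+- ./data/conf/phpfpm/sogo-sso/:/etc/phpfpm/
 - vmail-vol-1:/var/vmail
 - vmail-index-vol-1:/var/vmail_index
 - crypt-vol-1:/mail_crypt/
-- ./data/conf/rspamd/custom/:/etc/rspamd/custom:z
-- ./data/assets/templates:/templates:z
+- ./data/conf/rspamd/custom/:/etc/rspamd/custom
+- ./data/assets/templates:/templates
 - rspamd-vol-1:/var/lib/rspamd
 - mysql-socket-vol-1:/var/run/mysqld/
+security_opt:
+- label=disable
 environment:
 - DOVECOT_MASTER_USER=${DOVECOT_MASTER_USER:-}
 - DOVECOT_MASTER_PASS=${DOVECOT_MASTER_PASS:-}
@@ -300,13 +316,15 @@ services:
 depends_on:
 - mysql-mailcow
 volumes:
-- ./data/hooks/postfix:/hooks:Z
-- ./data/conf/postfix:/opt/postfix/conf:z
-- ./data/assets/ssl:/etc/ssl/mail/:ro,z
+- ./data/hooks/postfix:/hooks
+- ./data/conf/postfix:/opt/postfix/conf
+- ./data/assets/ssl:/etc/ssl/mail/:ro
 - postfix-vol-1:/var/spool/postfix
 - crypt-vol-1:/var/lib/zeyple
 - rspamd-vol-1:/var/lib/rspamd
 - mysql-socket-vol-1:/var/run/mysqld/
+security_opt:
+- label=disable
 environment:
 - LOG_LINES=${LOG_LINES:-9999}
 - TZ=${TZ}
@@ -334,6 +352,8 @@ services:
 memcached-mailcow:
 image: memcached:alpine
 restart: always
+security_opt:
+- label=disable
 environment:
 - TZ=${TZ}
 networks:
@@ -371,12 +391,14 @@ services:
 - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
 - ADDITIONAL_SERVER_NAMES=${ADDITIONAL_SERVER_NAMES:-}
 volumes:
-- ./data/web:/web:ro,z
-- ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
-- ./data/assets/ssl/:/etc/ssl/mail/:ro,z
-- ./data/conf/nginx/:/etc/nginx/conf.d/:z
-- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z
+- ./data/web:/web:ro
+- ./data/conf/rspamd/dynmaps:/dynmaps:ro
+- ./data/assets/ssl/:/etc/ssl/mail/:ro
+- ./data/conf/nginx/:/etc/nginx/conf.d/
+- ./data/conf/rspamd/meta_exporter:/meta_exporter:ro
 - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/
+security_opt:
+- label=disable
 ports:
 - "${HTTPS_BIND:-}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
 - "${HTTP_BIND:-}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
@@ -414,10 +436,12 @@ services:
 - SNAT_TO_SOURCE=${SNAT_TO_SOURCE:-n}
 - SNAT6_TO_SOURCE=${SNAT6_TO_SOURCE:-n}
 volumes:
-- ./data/web/.well-known/acme-challenge:/var/www/acme:z
-- ./data/assets/ssl:/var/lib/acme/:z
-- ./data/assets/ssl-example:/var/lib/ssl-example/:ro,Z
+- ./data/web/.well-known/acme-challenge:/var/www/acme
+- ./data/assets/ssl:/var/lib/acme/
+- ./data/assets/ssl-example:/var/lib/ssl-example/:ro
 - mysql-socket-vol-1:/var/run/mysqld/
+security_opt:
+- label=disable
 restart: always
 networks:
 mailcow-network:
@@ -446,6 +470,8 @@ services:
 network_mode: "host"
 volumes:
 - /lib/modules:/lib/modules:ro
+security_opt:
+- label=disable
 
 watchdog-mailcow:
 image: mailcow/watchdog:1.97
@@ -457,7 +483,9 @@ services:
 - rspamd-vol-1:/var/lib/rspamd
 - mysql-socket-vol-1:/var/run/mysqld/
 - postfix-vol-1:/var/spool/postfix
-- ./data/assets/ssl:/etc/ssl/mail/:ro,z
+- ./data/assets/ssl:/etc/ssl/mail/:ro
+security_opt:
+- label=disable
 restart: always
 environment:
 - IPV6_NETWORK=${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64}
@@ -534,6 +562,8 @@ services:
 restart: always
 volumes:
 - solr-vol-1:/opt/solr/server/solr/dovecot-fts/data
+security_opt:
+- label=disable
 ports:
 - "${SOLR_PORT:-127.0.0.1:18983}:8983"
 environment:
@@ -548,6 +578,8 @@ services:
 olefy-mailcow:
 image: mailcow/olefy:1.11
 restart: always
+security_opt:
+- label=disable
 environment:
 - TZ=${TZ}
 - OLEFY_BINDADDRESS=0.0.0.0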
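Review bot: `security_opt: - label=disable` is added unconditionally in all sixteen hunks (from `@@ -6,8 +6,10 @@` through `@@ -548,6 +578,8 @@`), so the effect is wider than the title's "rootless SELinux-enabled hosts": on any host with SELinux enforcing, rootful deployments included, every one of these containers now runs without label confinement, whereas the removed `:z`/`:Z` volume options kept the containers confined and only relabeled the bind-mounted paths; this also applies to the service in the `@@ -446,6 +470,8 @@` hunk that already runs with `network_mode: "host"`. If the relabeling only fails in the rootless case (the title suggests so, but the diff cannot show it), keeping `:z`/`:Z` in the base file and adding `security_opt` through a compose override used only for rootless deployments would limit the loss of confinement to the hosts that need it. At minimum the first occurrence deserves a comment recording the trade-off, e.g. `# label=disable turns off SELinux label confinement for this container; it replaces the former :z/:Z volume relabeling`.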