On 06.08.2019 23:17, Reio Remma via dovecot wrote:
On 24.06.2019 16:25, Reio Remma wrote:
On 24.06.2019 8:21, Aki Tuomi wrote:
On 22.6.2019 22.00, Reio Remma via dovecot wrote:
Jun 22 16:55:22 host dovecot: dsync-local(user@host.ee)<>: Error: Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l vmail backup.host.ee doveadm dsync-server -D -uuser@host.ee
PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun as usual. :)

Dovecot under selinux works, as long as you do it the way the policy writer intended, see https://linux.die.net/man/8/dovecot_selinux
Aki
For replication over SSH I had to add the following module:
module selinux-dovecot-replication-ssh 1.0;

require {
    type ssh_exec_t;
    type ssh_home_t;
    type dovecot_t;
    class file { open read execute execute_no_trans };
    class dir { getattr search };
}

#============= dovecot_t ==============
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };
ssh_exec_t to allow Dovecot to use the ssh executable in the first place, and ssh_home_t:dir + ssh_home_t:file for it to be able to read known_hosts from /root/.ssh.
Reio
To cut down on selinux exceptions I put the destination host in /etc/ssh/ssh_known_hosts and dovecot successfully replicates, however I get the following log entry for every replicator action:
Aug 6 22:25:59 turin dovecot: doveadm: Error: Could not create directory '/root/.ssh'.
Replication is set up with the user vmail (/home/vmail and SSH key in /home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read the key is:
allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };
Is there a way I can change from root to vmail user for creating the SSH connection?
Doveconf below:
# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
service doveadm {
  inet_listener http {
    address = localhost
    port = 8080
  }
}
service doveadm {
  user = vmail
}
This seems to have fixed it. Here's hoping for no unforeseen side-effects. :)
I still need allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read }; for selinux, but there are no more errors in maillog and it can read both the key and known_hosts (from either /home/vmail/.ssh/known_hosts or /etc/ssh/ssh_known_hosts).
Reio
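The module above was built from AVC denials, and the thread ends with only the ssh_exec_t rule being needed once doveadm runs as vmail and the host key lives in /etc/ssh/ssh_known_hosts. The following is an added example, not code from the thread or from Dovecot: a small audit2allow-style parser that turns constructed AVC lines into a .te module and lets the operator drop the target/class pairs that turned out to be unnecessary, so the loaded policy grants only what replication actually needs.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials modelled on what auditd records when dovecot_t
# execs ssh for dsync replication; these are not real lines from the thread.
SAMPLE_AVC = """\
type=AVC msg=audit(1561211722.101:9001): avc:  denied  { read open } for  pid=4242 comm="doveadm" path="/usr/bin/ssh" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561211722.102:9002): avc:  denied  { execute } for  pid=4242 comm="doveadm" path="/usr/bin/ssh" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561211722.103:9003): avc:  denied  { execute_no_trans } for  pid=4242 comm="doveadm" path="/usr/bin/ssh" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561211722.104:9004): avc:  denied  { search } for  pid=4243 comm="ssh" name=".ssh" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<sctx>\S+).*?tcontext=(?P<tctx>\S+).*?tclass=(?P<cls>\w+)"
)

def parse_denials(log_text):
    """Return {(source_type, target_type, class): set(perms)} from AVC lines."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial, ignore it
        src = m.group("sctx").split(":")[2]  # user:role:TYPE:level -> TYPE
        tgt = m.group("tctx").split(":")[2]
        rules[(src, tgt, m.group("cls"))].update(m.group("perms").split())
    return rules

def render_module(name, rules, drop=()):
    """Emit .te policy text. (target_type, class) pairs in `drop` are omitted,
    which is how the ssh_home_t rules are left out once they are not needed."""
    kept = {k: v for k, v in rules.items() if (k[1], k[2]) not in drop}
    types = sorted({k[0] for k in kept} | {k[1] for k in kept})
    classes = defaultdict(set)  # class -> union of perms, for the require block
    for (_, _, cls), perms in kept.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(kept.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AVC)
    # Drop the ssh_home_t dir access: the thread shows it is unnecessary with
    # doveadm running as vmail and the host key in /etc/ssh/ssh_known_hosts.
    print(render_module("dovecot-replication-ssh", denials, drop={("ssh_home_t", "dir")}))
```

The printed text is what you would feed to checkmodule -M -m and semodule_package before semodule -i, the same way audit2allow output is loaded.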