On 24.06.2019 16:25, Reio Remma wrote:

On 24.06.2019 8:21, Aki Tuomi wrote:

On 22.6.2019 22.00, Reio Remma via dovecot wrote:

Jun 22 16:55:22 host dovecot: dsync-local(user@host.ee)<>: Error:
Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
vmail backup.host.ee doveadm dsync-server -D -u user@host.ee

PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
as usual. :)

Dovecot under selinux works, as long as you do it the way the policy
writer intended, see https://linux.die.net/man/8/dovecot_selinux

Aki

For replication over SSH I had to add the following module:

module selinux-dovecot-replication-ssh 1.0;

require {
        type ssh_exec_t;
        type ssh_home_t;
        type dovecot_t;
        class file { open read execute execute_no_trans };
        class dir { getattr search };
}

#============= dovecot_t ==============
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };

ssh_exec_t to allow Dovecot to use ssh executable in the first place and ssh_home_t:dir + ssh_home_t:file for it to be able to read known_hosts from /root/.ssh

Reio

To cut down on selinux exceptions I put the destination host in /etc/ssh/ssh_known_hosts and dovecot successfully replicates, however I get the following log entry for every replicator action:

Aug  6 22:25:59 turin dovecot: doveadm: Error: Could not create directory '/root/.ssh'.

Replication is set up with the user vmail (/home/vmail and SSH key in /home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read the key is:

allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };

Is there a way I can change from root to vmail user for creating the SSH connection?

Doveconf below:

# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf

service doveadm {
  inet_listener http {
    address = localhost
    port = 8080
  }
}