Dovecot replication and userdb "noreplicate".

Reio Remma reio at mrstuudio.ee
Tue Aug 6 23:52:03 EEST 2019


On 06.08.2019 23:17, Reio Remma via dovecot wrote:
> On 24.06.2019 16:25, Reio Remma wrote:
>> On 24.06.2019 8:21, Aki Tuomi wrote:
>>> On 22.6.2019 22.00, Reio Remma via dovecot wrote:
>>>> Jun 22 16:55:22 host dovecot: dsync-local(user at host.ee)<>: Error:
>>>> Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
>>>> vmail backup.host.ee doveadm dsync-server -D -uuser at host.ee
>>>>
>>>> PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
>>>> as usual. :)
>>> Dovecot under selinux works, as long as you do it the way the policy
>>> writer intended, see https://linux.die.net/man/8/dovecot_selinux
>>>
>>> Aki
>>
>> For replication over SSH I had to add the following module:
>>
>> module selinux-dovecot-replication-ssh 1.0;
>>
>> require {
>>          type ssh_exec_t;
>>          type ssh_home_t;
>>          type dovecot_t;
>>          class file { open read execute execute_no_trans };
>>          class dir { getattr search };
>> }
>>
>> #============= dovecot_t ==============
>> allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
>> allow dovecot_t ssh_home_t:dir { getattr search };
>> allow dovecot_t ssh_home_t:file { open read };
>>
>> ssh_exec_t to allow Dovecot to use the ssh executable in the first place,
>> and ssh_home_t:dir + ssh_home_t:file for it to be able to read
>> known_hosts from /root/.ssh
>>
>> Reio
>
> To cut down on selinux exceptions I put the destination host in 
> /etc/ssh/ssh_known_hosts and dovecot successfully replicates, however 
> I get the following log entry for every replicator action:
>
> Aug  6 22:25:59 turin dovecot: doveadm: Error: Could not create 
> directory '/root/.ssh'.
>
> Replication is set up with the user vmail (/home/vmail and SSH key in 
> /home/vmail/.ssh) and the minimum selinux rule to get Dovecot to read 
> the key is:
>
> allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };
>
> Is there a way I can change from root to vmail user for creating the 
> SSH connection?
>
> Doveconf below:
>
> # 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf
>
> service doveadm {
>   inet_listener http {
>     address = localhost
>     port = 8080
>   }
> }

service doveadm {
     user = vmail
}

This seems to have fixed it. Here's hoping for no unforeseen 
side-effects. :)

I still need allow dovecot_t ssh_exec_t:file { execute execute_no_trans 
open read }; for selinux, but there are no more errors in maillog and it 
can read both the key and known_hosts (from either 
/home/vmail/.ssh/known_hosts or /etc/ssh/ssh_known_hosts).

Reio
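Added example, not from the thread or the Dovecot project: a small audit2allow-style script over constructed AVC lines that builds a .te module like the one quoted above, but only for the dovecot_t to ssh_exec_t/ssh_home_t pairs this thread needed, and lists any other denial (such as the write into /root that the `user = vmail` change avoids) for review instead of allowing it. The audit lines, type names other than those on the page (admin_home_t) and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread), shaped like
# auditd output when dovecot_t is denied use of ssh, the key dir, and /root.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1561212922.123:456): avc:  denied  { execute } for  pid=1234 comm="doveadm" name="ssh" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561212922.124:457): avc:  denied  { read open } for  pid=1234 comm="ssh" path="/usr/bin/ssh" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561212922.125:458): avc:  denied  { search } for  pid=1235 comm="ssh" name=".ssh" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1561212922.126:459): avc:  denied  { read } for  pid=1235 comm="ssh" name="vmail.pem" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1561212922.127:460): avc:  denied  { write } for  pid=1235 comm="ssh" name="root" scontext=system_u:system_r:dovecot_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r'denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+.*?'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+.*?'
    r'tclass=(?P<tclass>\w+)'
)

# Only the target types the thread's module needed (assumed allowlist);
# anything else is reported for manual review, never turned into a rule.
EXPECTED_TARGETS = {"ssh_exec_t", "ssh_home_t"}

def parse_avc(text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return rules

def render_module(rules, name="selinux-dovecot-replication-ssh", source="dovecot_t"):
    """Return (module text for expected denials, list of denials left for review)."""
    allowed = {k: v for k, v in rules.items() if k[0] == source and k[1] in EXPECTED_TARGETS}
    review = sorted(k for k in rules if k not in allowed)
    types = sorted({source} | {k[1] for k in allowed})
    classes = defaultdict(set)  # class -> union of permissions needed in require{}
    for (_, _, cls), perms in allowed.items():
        classes[cls].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(allowed.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n", review
```

Feed real `ausearch -m avc` output to `parse_avc` and compile the rendered text with checkmodule/semodule_package as usual; the review list is where a denial like the /root write should prompt a config change rather than a new allow rule.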