<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 06.08.2019 23:17, Reio Remma via
dovecot wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9656642e-c227-5c61-03c8-908bae23bc8a@mrstuudio.ee">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div class="moz-cite-prefix">On 24.06.2019 16:25, Reio Remma
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:8f47d6de-3f0c-7ede-30cd-41adcf20ba61@mrstuudio.ee">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<div class="moz-cite-prefix">On 24.06.2019 8:21, Aki Tuomi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:5ba1cedc-c6e2-1943-b5cc-3c86d8f6fed4@open-xchange.com">
<pre class="moz-quote-pre" wrap="">On 22.6.2019 22.00, Reio Remma via dovecot wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Jun 22 16:55:22 host dovecot: dsync-local(<a class="moz-txt-link-abbreviated" href="mailto:user@host.ee" moz-do-not-send="true">user@host.ee</a>)<>: Error:
Remote command returned error 84: ssh -i /home/vmail/.ssh/vmail.pem -l
vmail backup.host.ee doveadm dsync-server -D -u <a class="moz-txt-link-abbreviated" href="mailto:user@host.ee" moz-do-not-send="true">user@host.ee</a>
PS: Getting SSH for Dovecot to work with SELinux on CentOS 7 was fun
as usual. :)
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">Dovecot under selinux works, as long as you do it the way the policy
writer intended, see <a class="moz-txt-link-freetext" href="https://linux.die.net/man/8/dovecot_selinux" moz-do-not-send="true">https://linux.die.net/man/8/dovecot_selinux</a>
Aki
</pre>
</blockquote>
<br>
For replication over SSH I had to add the following module:<br>
<br>
<pre>module selinux-dovecot-replication-ssh 1.0;
require {
type ssh_exec_t;
type ssh_home_t;
type dovecot_t;
class file { open read execute execute_no_trans };
class dir { getattr search };
}
#============= dovecot_t ==============
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };
</pre>
<br>
ssh_exec_t to allow Dovecot to use ssh executable in the first
place and ssh_home_t:dir + ssh_home_t:file for it to be able to
read known_hosts from /root/.ssh<br>
<br>
Reio<br>
</blockquote>
<br>
To cut down on selinux exceptions I put the destination host in
/etc/ssh/ssh_known_hosts and dovecot successfully replicates,
however I get the following log entry for every replicator action:<br>
<br>
Aug 6 22:25:59 turin dovecot: doveadm: Error: Could not create
directory '/root/.ssh'.<br>
<br>
Replication is set up with the user vmail (/home/vmail and SSH key
in /home/vmail/.ssh) and the minimum selinux rule to get Dovecot
to read the key is:<br>
<br>
allow dovecot_t ssh_exec_t:file { execute execute_no_trans open
read };<br>
<br>
Is there a way I can change from root to vmail user for creating
the SSH connection?<br>
<br>
Doveconf below:<br>
<br>
# 2.3.7.1 (0152c8b10): /etc/dovecot/dovecot.conf<br>
<br>
<pre>service doveadm {
  inet_listener http {
    address = localhost
    port = 8080
  }
}
</pre>
</blockquote>
<br>
<pre>service doveadm {
  user = vmail
}
</pre>
<br>
This seems to have fixed it. Here's hoping for no unforeseen
side-effects. :)<br>
<br>
I still need allow dovecot_t ssh_exec_t:file { execute
execute_no_trans open read }; for selinux, but there are no more
errors in maillog and it can read both the key and known_hosts (from
either /home/vmail/.ssh/known_hosts or /etc/ssh/ssh_known_hosts).<br>
<br>
Reio<br>
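<br>
An added example, not part of Reio's or Aki's messages: a small Python parser for the SELinux type-enforcement (.te) module format used in the thread. It reads the module text Reio posted, checks that every allow rule is covered by its require block (the error checkmodule would otherwise raise), flags the execute_no_trans grant (ssh runs inside dovecot_t without a domain transition, so everything dovecot_t may do, the ssh process may do too), and computes which permissions the final setup (doveadm running as vmail, known_hosts read from /etc/ssh/ssh_known_hosts or /home/vmail/.ssh) no longer needs. The second module text, which wraps the single remaining allow line in a require block, is constructed for this example; the thread only gives the allow line.<br>

```python
"""Parse and sanity-check SELinux .te policy modules (added example, not Dovecot code)."""
import re
from dataclasses import dataclass, field

# Module text as posted in the thread (first message), copied for the example.
FULL_MODULE = """module selinux-dovecot-replication-ssh 1.0;
require {
type ssh_exec_t;
type ssh_home_t;
type dovecot_t;
class file { open read execute execute_no_trans };
class dir { getattr search };
}
#============= dovecot_t ==============
allow dovecot_t ssh_exec_t:file { open read execute execute_no_trans };
allow dovecot_t ssh_home_t:dir { getattr search };
allow dovecot_t ssh_home_t:file { open read };
"""

# Constructed: the remaining allow line from the last message, wrapped in a require block.
MINIMAL_MODULE = """module selinux-dovecot-replication-ssh-min 1.0;
require {
type ssh_exec_t;
type dovecot_t;
class file { execute execute_no_trans open read };
}
allow dovecot_t ssh_exec_t:file { execute execute_no_trans open read };
"""

_MODULE = re.compile(r"^module\s+(\S+)\s+(\S+);$")
_TYPE = re.compile(r"^type\s+(\w+);$")
_CLASS = re.compile(r"^class\s+(\w+)\s+(?:\{([^}]*)\}|(\w+));$")
_ALLOW = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+));$")


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


@dataclass
class TeModule:
    name: str = ""
    version: str = ""
    req_types: set = field(default_factory=set)
    req_classes: dict = field(default_factory=dict)  # class name -> set of required perms
    rules: list = field(default_factory=list)


def _perm_set(braced, single):
    """Permissions appear either as '{ a b c }' or as a single bare word."""
    return frozenset(braced.split()) if braced is not None else frozenset([single])


def parse_te(text):
    """Line-oriented parser for the subset of .te syntax used in the thread."""
    mod, in_require = TeModule(), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops audit2allow banners like '#==== dovecot_t ===='
        if not line:
            continue
        if m := _MODULE.match(line):
            mod.name, mod.version = m.groups()
        elif line.startswith("require") and line.endswith("{"):
            in_require = True
        elif in_require and line == "}":
            in_require = False
        elif in_require and (m := _TYPE.match(line)):
            mod.req_types.add(m.group(1))
        elif in_require and (m := _CLASS.match(line)):
            mod.req_classes[m.group(1)] = set(_perm_set(m.group(2), m.group(3)))
        elif m := _ALLOW.match(line):
            src, tgt, cls, braced, single = m.groups()
            mod.rules.append(AllowRule(src, tgt, cls, _perm_set(braced, single)))
        else:
            raise ValueError(f"unsupported statement: {raw!r}")
    return mod


def check_requires(mod):
    """Types, classes or permissions used by allow rules but missing from require {}."""
    problems = []
    for r in mod.rules:
        for t in (r.source, r.target):
            if t not in mod.req_types:
                problems.append(f"type {t} not in require block")
        if r.tclass not in mod.req_classes:
            problems.append(f"class {r.tclass} not in require block")
            continue
        missing = r.perms - mod.req_classes[r.tclass]
        if missing:
            problems.append(f"perms {sorted(missing)} of class {r.tclass} not in require block")
    return problems


def granted(mod):
    """Flatten rules to (source, target, class, perm) tuples for set arithmetic."""
    return {(r.source, r.target, r.tclass, p) for r in mod.rules for p in r.perms}


def dropped_permissions(before, after):
    """Permissions the first module grants that the second one no longer needs."""
    return granted(before) - granted(after)


def no_transition_execs(mod):
    """execute_no_trans runs the binary in the caller's domain: ssh stays labelled dovecot_t."""
    return [r for r in mod.rules if r.tclass == "file" and "execute_no_trans" in r.perms]


if __name__ == "__main__":
    full, minimal = parse_te(FULL_MODULE), parse_te(MINIMAL_MODULE)
    print(f"{full.name} {full.version}: {len(full.rules)} rules, problems: {check_requires(full) or 'none'}")
    for r in no_transition_execs(full):
        print(f"  note: {r.source} executes {r.target} without a domain transition")
    for t in sorted(dropped_permissions(full, minimal)):
        print("  no longer needed:", " ".join(t))
```

Running it lists the four ssh_home_t permissions (dir getattr/search, file open/read) that disappeared once the SSH client stopped running as root, which is the least-privilege gain the thread arrives at; the execute_no_trans note is the caveat that remains in both versions.<br>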
</body>
</html>