Issue with new account creation - Oracle Linux 8.5 - v3.11 - OpenPGP key can not be used to encrypt [SELINUX]

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

Hello,

I have a VM created in vSphere 6.7 using Oracle Linux 8.5; the Passbolt CE version is updated and corresponds to 3.11. It has 4 cores, 8 GB RAM and 40 GB of disk allocated (in terms of cores, RAM and hard disk space, usage is normal).

At present the administrator users and those who have created their account can log in normally (via the plugin in the browsers, or directly in the browsers), create new passwords and groups, share, etc. In general the operation is normal.

The problem we have is with new users: when they try to configure the account, it gives an error.

Process.

  • Login using an admin account.
  • The new account is created for a collaborator in Passbolt.
  • The new collaborator enters the link and tries to create the account.
  • He/she receives the error message that it is not feasible to create the account.
  • OpenPGP key cannot be used for encrypting.

Error Message.

OpenPGP key cannot be used for encrypting

{
  "code": 400,
  "body": {
    "gpgkey": {
      "gpgkey": { "OpenPGP key cannot be used for encryption."
      }
    }
}

I’ve searched the forum for help, there are similar issues but I haven’t found the solution yet.

The OpenPGP key can not be used to encrypt
Facing "The OpenPGP key can not be used to encrypt." while installation is from source code
GPG-Key creation failed
Error 400 - "armored_key": "The OpenPGP key can not be used to encrypt." [pubring.kbx file permissions] - #8 by Cedric2

Entropy is at 256, which at least for password creation and normal use does not seem to be a problem.
Is it necessary to increase entropy, or install rng-tools?

$ cat /proc/sys/kernel/random/entropy_avail
256

The server’s private and public keys were created during installation in January, and seem to be fine; there is no expiration date.

$ gpg --show-keys /etc/passbolt/gpg/serverkey.asc

pub rsa3072 2023-01-20 [SC]
3940…E3B9
uid server.domain.org (Passbolt) email@server.domain.org
sub rsa3072 2023-01-20 [E]

*For security reasons, some data has been changed / simplified.

One factor could be the time, but on checking, the server time is correct (NTP is used). It has the same hour as my laptop.

Server time
$ timedatectl
Local time: Mon 2023-03-06 17:05:00 CST
Universal time: Mon 2023-03-06 23:05:00 UTC
RTC time: Mon 2023-03-06 23:05:00
Time zone: America/Costa_Rica (CST, -0600)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no

Laptop time (Windows 10 x64)
05:05 PM

The pubring.kbx looks fine (owner nginx).
$ ls -lh ./var/lib/passbolt/.gnupg/pubring.kbx
-rw-r--r--. 1 nginx nginx 14K Jan 23 19:36 ./var/lib/passbolt/.gnupg/pubring.kbx

Passbolt API status

Environment
PHP version 8.1.16. > Pass
PCRE compiled with unicode support. > Pass
Temporary directory and its contents are writable and not executable. > Pass
The logs directory and its contents are writable. > Pass
GD or Imagick extension is installed. > Pass
The Intl extension is installed. > Pass
Mbstring extension is installed. > Pass
SSL access is enabled. > Pass

Configuration files
Application configuration file is present > Pass
The passbolt configuration file is present > Pass

Core config
Debugging mode is disabled. > Pass
Cache is working. > Pass
Single value set for security.salt > Pass
Full base url is set to https://server.domain.org/passbolt. > Pass
App.fullBaseUrl validation OK. > Pass
Could not reach /healthcheck/status with url specified in App.fullBaseUrl > Error (maybe for the reverse proxy)

Database
The application can connect to the database > Pass
26 tables found > Pass
Some default content is present > Pass
Database schema is up to date. > Pass

GPG configuration
The PHP GPG module is installed and loaded. > Pass
The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg. > Pass
The web server user can write to the /var/lib/passbolt/.gnupg directory containing the keychain. > Pass
The OpenPGP key on the server is not the default key. > Pass
The public key file is defined in /etc/passbolt/passbolt.php and is readable. > Pass
The private key file is defined in /etc/passbolt/passbolt.php and is readable. > Pass
The fingerprint of the server key matches that defined in /etc/passbolt/passbolt/passbolt.php. > Pass
The server public key defined in /etc/passbolt/passbolt.php (or environment variables) is in the keyring. > Pass
There is a valid email identifier defined for the server key. > Pass
The public key can be used to encrypt a message. > Pass
The private key can be used to sign a message. > Pass
The public and private keys can be used to encrypt and sign a message. > Pass
The private key can be used to decrypt a message. > Pass
The private key can be used to decrypt and verify a message. > Pass
The public key can be used to verify a signature. > Pass
The public key format of the server is supported by Gopengpg. > Pass
The server’s private key format is Gopengpg-compliant. > Pass

Application configuration
Unable to connect to the passbolt repository to check versions. It is not possible to check if your version is up to date. > Error (it's updated, v3.11)
Passbolt is configured to force the use of SSL. > Pass
App.fullBaseUrl is configured as HTTPS. > Pass
Selenium API endpoints are disabled. > Pass
Search engine robots are told not to index the content. > Pass
Self Registration plugin is enabled. > Pass
Registration is closed, only administrators can add users. > Pass
Obsolete self-registration public configuration was found in /etc/passbolt/passbolt.php. > Warning
Host availability check is disabled. > Warning
Serving the compiled version of the javascript application. > Pass
Some email notifications are disabled by the administrator. > Warning

Any recommendations on what to validate?

Regards.

Hi darkman,

Do you have SELINUX activated on your server?

Can you check if you have any error with selinux by typing this command?

tail -f /var/log/audit/audit.log

And look if you have any "Deny"

Regards.


Hello @Cedric2

Thanks for your time.

Do you have SELINUX activated on your server?
Yes.

$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

Can you check if you have any error with selinux by typing this command?
tail -f /var/log/audit/audit.log
Sure. In summary, these are the deny messages that we have.

Log

type=AVC msg=audit(1678198306.051:18845): avc: denied { lock } for pid=470932 comm="php-fpm" path="/var/lib/passbolt/tmp/cache/persistent/myapp_cake_core_translations.default.en_UK" dev="dm-0" ino=1116296 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file permissive=0

type=AVC msg=audit(1678198306.051:18846): avc: denied { lock } for pid=470932 comm="php-fpm" path="/var/lib/passbolt/tmp/cache/persistent/myapp_cake_core_translations.default.en_UK" dev="dm-0" ino=1116296 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file permissive=0

type=AVC msg=audit(1678199590.628:22561): avc: denied { getattr } for pid=558357 comm="gpg" path="/run/user/989/gnupg/d.51ock8mbjgy5imwtzxjtijzc/S.gpg-agent" dev="tmpfs" ino=4683220 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0

type=AVC msg=audit(1678199590.628:22562): avc: denied { write } for pid=558357 comm="gpg" name="S.gpg-agent" dev="tmpfs" ino=4683220 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0

type=AVC msg=audit(1678199591.628:22563): avc: denied { getattr } for pid=558357 comm="gpg" path="/run/user/989/gnupg/d.51ock8mbjgy5imwtzxjtijzc/S.gpg-agent" dev="tmpfs" ino=4683220 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0

type=AVC msg=audit(1678199591.628:22564): avc: denied { getattr } for pid=558357 comm="gpg" path="/run/user/989/gnupg/d.51ock8mbjgy5imwtzxjtijzc/S.gpg-agent" dev="tmpfs" ino=4683220 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0

Folder privileges.
$ ls -lh /var/lib/passbolt/tmp/cache/persistent/
total 480K
-rw-rw-r--. 1 nginx nginx 94K Mar 6 13:46 myapp_cake_core_translations.cake.en_UK
-rw-rw-r--. 1 nginx nginx 143K Mar 6 13:45 myapp_cake_core_translations.cake.es_ES
-rw-rw-r--. 1 nginx nginx 94K Mar 6 13:45 myapp_cake_core_translations.default.en_UK
-rw-rw-r--. 1 nginx nginx 143K Mar 6 13:45 myapp_cake_core_translations.default.es_ES

Policycoreutils-python-utils is installed.
$ yum install policycoreutils-python-utils
Package policycoreutils-python-utils-2.9-20.0.1.el8.noarch is already installed.

What is the recommendation? Set SELinux to Permissive, or keep it as is and add "exceptions" via semanage?

There is a post with similar information, but I'm not sure about the folder locations. Checking the locations, it seems to me that for OL they are a little different from the ones used in the post. The one that may be similar is /var/lib/nginx/

Regards.

Hi,

On RHEL distros and derivatives, there is a passbolt-server-selinux package installed, containing specific SELinux rules to make passbolt work with it.

You could find these rules in passbolt source code but it seems they have been moved elsewhere.

Here is an example you can find in this archive:

module passbolt-server 0.2;

require {
    type etc_t;
    type unreserved_port_t;
    type smtp_port_t;
    type var_lib_t;
    type httpd_t;
    type httpd_var_lib_t;
    type var_log_t;
    type cron_var_lib_t;
    type postfix_local_t;
    type mysqld_port_t;
    class sock_file { getattr setattr unlink write create };
    class dir { add_name search setattr write };
    class file { create rename write unlink setattr open getattr read };
    class tcp_socket name_connect;
    class process setrlimit;
}

#============= httpd_t ==============
allow httpd_t etc_t:dir { add_name setattr write };
allow httpd_t etc_t:file { create write setattr };
allow httpd_t var_lib_t:dir setattr;
allow httpd_t var_lib_t:file { write rename unlink };
allow httpd_t var_lib_t:sock_file { create getattr unlink write setattr };
allow httpd_t var_log_t:file { write open };
allow httpd_t unreserved_port_t:tcp_socket name_connect;
allow httpd_t smtp_port_t:tcp_socket name_connect;
allow httpd_t self:process setrlimit;
allow httpd_t cron_var_lib_t:file { getattr read write open };
allow httpd_t mysqld_port_t:tcp_socket name_connect;

#============= postfix_local_t ==============
allow postfix_local_t httpd_var_lib_t:dir search;

These rules are generated with the command audit2allow -a. This command analyzes the audit.log file and, in case of issues, displays the lines which must be added to the above file; then a new passbolt-server-selinux package must be released.

Hope this helps,

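What audit2allow -a does with the AVC lines posted above, as an added example that is not part of this thread or of passbolt: parse each denial record, group the denied permissions by source type, target type and object class, and render candidate allow rules for review. The sample records are constructed after the ones in the audit.log excerpt; a permissive=1 record is skipped because nothing was actually blocked.

```python
import re
from collections import defaultdict

# Fields of an AVC denial record as auditd writes them (one record per line).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)

def selinux_type(context):
    # user_u:role_r:type_t:s0 -> type_t (third field of the context)
    return context.split(":")[2]

def parse_avc(line):
    # Returns None for records that are not AVC denials (SYSCALL, CWD, PATH, ...).
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": m["perms"].split(),
            "source": selinux_type(m["scontext"]),
            "target": selinux_type(m["tcontext"]),
            "tclass": m["tclass"],
            "enforced": m["permissive"] == "0"}  # 0 = the access was actually blocked

def aggregate(lines):
    # Group denied permissions by (source type, target type, class), as audit2allow -a does;
    # denials logged in permissive mode are skipped because nothing was blocked.
    rules = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc and avc["enforced"]:
            rules[(avc["source"], avc["target"], avc["tclass"])].update(avc["perms"])
    return {key: sorted(perms) for key, perms in rules.items()}

def render_rules(rules):
    # Render the groups as TE allow rules; review each one before loading it with semodule.
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {body};")
    return out

# Constructed sample records modelled on the thread's audit.log excerpt.
SAMPLE_LOG = [
    'type=AVC msg=audit(1678198306.051:18845): avc: denied { lock } for pid=470932 comm="php-fpm" path="/var/lib/passbolt/tmp/cache/persistent/myapp_cake_core_translations.default.en_UK" dev="dm-0" ino=1116296 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1678199590.628:22561): avc: denied { getattr } for pid=558357 comm="gpg" path="/run/user/989/gnupg/d.51ock8mbjgy5imwtzxjtijzc/S.gpg-agent" dev="tmpfs" ino=4683220 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1678199590.628:22562): avc: denied { write } for pid=558357 comm="gpg" name="S.gpg-agent" dev="tmpfs" ino=4683220 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0',
]

for rule in render_rules(aggregate(SAMPLE_LOG)):
    print(rule)
```

The rule for httpd_t on user_tmp_t sock_file is the one to look at closely: it grants the web server's domain access to a gpg-agent socket under /run/user, so confirm that is the intended gpg-agent before loading it rather than accepting the generated rule blindly.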

Hello @AnatomicJC @Cedric2

Thanks for the time and help; it is now working normally.

This is the process.

Check passbolt-server-selinux; it's installed (so that's fine).

$ yum list passbolt-server-selinux

Installed Packages
passbolt-server-selinux.noarch 0.4-1.el8

There are several errors, but they are the same / similar. I am not sure if these are not in the file, or if the process must be done manually. With -w I have more information about the issue.

$ audit2allow -w -a

type=AVC msg=audit(1678225204.939:33402): avc: denied { getattr } for pid=601756 comm="gpg" path="/run/user/989/gnupg/d.51ock8mbjgy5imwtzxjtijzc/S.gpg-agent" dev="tmpfs" ino=4683220 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1678226655.543:646): avc: denied { lock } for pid=6262 comm="php-fpm" path="/var/lib/passbolt/tmp/cache/persistent/myapp_cake_core_translations.default.en_UK" dev="dm-0" ino=1116296 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.

"Show" the issues.

$ audit2allow -a

#============= httpd_t ==============
allow httpd_t cron_var_lib_t:file { lock rename };

#!!! This avc can be allowed using one of the these booleans:
# httpd_can_network_connect, httpd_graceful_shutdown, httpd_can_network_relay, nis_enabled
allow httpd_t http_port_t:tcp_socket name_connect;
allow httpd_t user_tmp_t:sock_file { getattr unlink write };

#============= mandb_t ==============
allow mandb_t unlabeled_t:dir search;

#============= systemd_logind_t ==============
allow systemd_logind_t httpd_tmp_t:dir read;

So these are the modules that require a rule. Therefore, I proceed to create them.

$ audit2allow -a -M httpd_t
$ audit2allow -a -M mandb_t
$ audit2allow -a -M systemd_logind_t
$ audit2allow -a -M httpd_tmp_t

Then I activate the new rules.

$ semodule -i httpd_t.pp
$ semodule -i mandb_t.pp
$ semodule -i systemd_logind_t.pp
$ semodule -i httpd_tmp_t.pp

NOTE: I was in /tmp, so the new files (*.te and *.pp) are created there.

Check again, and looks fine. Rules applied.

$ audit2allow -a

#============= httpd_t ==============

#!!! This avc is allowed in the current policy
allow httpd_t cron_var_lib_t:file { lock rename };

#!!! This avc is allowed in the current policy
allow httpd_t http_port_t:tcp_socket name_connect;

#!!! This avc is allowed in the current policy
allow httpd_t user_tmp_t:sock_file { getattr unlink write };

#============= mandb_t ==============

#!!! This avc is allowed in the current policy
allow mandb_t unlabeled_t:dir search;

#============= systemd_logind_t ==============

#!!! This avc is allowed in the current policy
allow systemd_logind_t httpd_tmp_t:dir read;

Once I had made these new ones, I remembered that I had the file with the passbolt rules open in a tab in the web browser. I'm not sure if it needs to be reloaded, but I did it.

Download the file.
$ wget … passbolt_api/passbolt-server.te at 8aae10821c655b433a9050684a99b785607255f4 · passbolt/passbolt_api · GitHub

"Process" the file.

$ audit2allow -a -M passbolt-server.te

And execute the rule.

$ sudo semodule -i passbolt-server.te.pp

I restarted the nginx service, checked again and now the creation of accounts by users is possible :slight_smile:

Regards.
