Hello @AnatomicJC @Cedric2
Thanks for the time and help, it is now working normally.
This is the process.
Check passbolt-server-selinux, it's installed (so, it's fine).
$ yum list passbolt-server-selinux
Installed Packages
passbolt-server-selinux.noarch 0.4-1.el8
There are several errors, but they are the same / similar. I am not sure if these are not in the file, or if the process must be done manually. With -w I have more information about the issue.
$ audit2allow -w -a
type=AVC msg=audit(1678225204.939:33402): avc: denied { getattr } for pid=601756 comm="gpg" path="/run/user/989/gnupg/d.51ock8mbjgy5imwtzxjtijzc/S.gpg-agent" dev="tmpfs" ino=4683220 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=AVC msg=audit(1678226655.543:646): avc: denied { lock } for pid=6262 comm="php-fpm" path="/var/lib/passbolt/tmp/cache/persistent/myapp_cake_core_translations.default.en_UK" dev="dm-0" ino=1116296 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
"Show" the issues.
$ audit2allow -a
#============= httpd_t ==============
allow httpd_t cron_var_lib_t:file { lock rename };
#!!! This avc can be allowed using one of the these booleans:
# httpd_can_network_connect, httpd_graceful_shutdown, httpd_can_network_relay, nis_enabled
allow httpd_t http_port_t:tcp_socket name_connect;
allow httpd_t user_tmp_t:sock_file { getattr unlink write };
#============= mandb_t ==============
allow mandb_t unlabeled_t:dir search;
#============= systemd_logind_t ==============
allow systemd_logind_t httpd_tmp_t:dir read;
So these are the modules that require a rule. Therefore, I proceed to create them.
$ audit2allow -a -M httpd_t
$ audit2allow -a -M mandb_t
$ audit2allow -a -M systemd_logind_t
$ audit2allow -a -M httpd_tmp_t
Then I activate the new rules.
$ semodule -i httpd_t.pp
$ semodule -i mandb_t.pp
$ semodule -i systemd_logind_t.pp
$ semodule -i httpd_tmp_t.pp
NOTE: I was in /tmp, so the new files (*.te and *.pp) are created there.
Check again, and it looks fine. Rules applied.
$ audit2allow -a
#============= httpd_t ==============
#!!! This avc is allowed in the current policy
allow httpd_t cron_var_lib_t:file { lock rename };
#!!! This avc is allowed in the current policy
allow httpd_t http_port_t:tcp_socket name_connect;
#!!! This avc is allowed in the current policy
allow httpd_t user_tmp_t:sock_file { getattr unlink write };
#============= mandb_t ==============
#!!! This avc is allowed in the current policy
allow mandb_t unlabeled_t:dir search;
#============= systemd_logind_t ==============
#!!! This avc is allowed in the current policy
allow systemd_logind_t httpd_tmp_t:dir read;
Until I made these new ones, I remembered that I had the file with the passbolt rules in a tab in the web browser. I'm not sure if it needs to be reloaded, but I did it.
Download the file.
$ wget … passbolt_api/passbolt-server.te at 8aae10821c655b433a9050684a99b785607255f4 · passbolt/passbolt_api · GitHub
"Process" the file.
$ audit2allow -a -M passbolt-server.te
And execute the rule.
$ sudo semodule -i passbolt-server.te.pp
I restarted the nginx service, checked again, and now the creation of accounts by users is possible.
Regards.
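Added example, not code from the post or from the passbolt project: a small Python script that parses AVC denial lines of the shape shown above and merges them into allow statements the way `audit2allow -a` does, but keeps the process name and path behind each rule, which `audit2allow -a` drops and which a reviewer needs before loading a module. The sample input is constructed: the two denials quoted in the post plus one extra denial of the same shape, to show permission merging.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the post plus one extra (a write to the same socket).
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1678225204.939:33402): avc: denied { getattr } for pid=601756 comm="gpg" '
    'path="/run/user/989/gnupg/d.51ock8mbjgy5imwtzxjtijzc/S.gpg-agent" dev="tmpfs" ino=4683220 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1678225204.940:33403): avc: denied { write } for pid=601756 comm="gpg" '
    'path="/run/user/989/gnupg/d.51ock8mbjgy5imwtzxjtijzc/S.gpg-agent" dev="tmpfs" ino=4683220 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1678226655.543:646): avc: denied { lock } for pid=6262 comm="php-fpm" '
    'path="/var/lib/passbolt/tmp/cache/persistent/myapp_cake_core_translations.default.en_UK" dev="dm-0" '
    'ino=1116296 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file permissive=0',
]

DENY_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}')   # the denied permission set
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                       # key=value or key="value" pairs

def parse_avc(line):
    """Return (source type, target type, tclass, perms, comm, path) for one denial, else None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    stype, ttype = f['scontext'].split(':')[2], f['tcontext'].split(':')[2]  # user:role:type:level
    return stype, ttype, f['tclass'], set(m.group('perms').split()), f.get('comm', '?'), f.get('path', '?')

def aggregate(lines):
    """Merge as audit2allow -a does (one rule per source/target/class), keeping the comm/path pairs it drops."""
    rules = defaultdict(lambda: {'perms': set(), 'origins': set()})
    for parsed in filter(None, map(parse_avc, lines)):
        stype, ttype, tclass, perms, comm, path = parsed
        rules[(stype, ttype, tclass)]['perms'] |= perms
        rules[(stype, ttype, tclass)]['origins'].add((comm, path))
    return rules

def format_rule(key, perms):  # render one allow statement in the .te syntax audit2allow prints
    plist = sorted(perms)
    body = plist[0] if len(plist) == 1 else '{ ' + ' '.join(plist) + ' }'
    return 'allow {} {}:{} {};'.format(*key, body)

def report(lines):
    """Review text: each candidate rule preceded by the process and path that triggered it."""
    out = []
    for key, entry in sorted(aggregate(lines).items()):
        out.extend(f'# {comm} -> {path}' for comm, path in sorted(entry['origins']))
        out.append(format_rule(key, entry['perms']))
    return '\n'.join(out)
```

Run `print(report(SAMPLE_AVC_LINES))`, or feed it `ausearch -m AVC` output, to see which process and path sits behind each rule before deciding whether an allow rule or a relabel is the right fix.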