What is the list of SELinux settings Passbolt needs?

Is there a list available for SELinux settings Passbolt needs? Like write-access files and folders and booleans?

As far as I know SE Linux is enabled by default on Centos and passbolt installation on Centos do not require any special SELinux configuration items.
But maybe i’m missing something.

Yes, but they’re not forthcoming. There are a number of closed issues in GitHub that point towards this. I struggled getting the GPG ring to be recognised by the apache user so while health check came back fine, the software couldn’t identify the key within the ring.

sudo chcon -R -t httpd_sys_rw_content_t /usr/share/httpd/.gnupg/
setsebool -P httpd_read_user_content 1


1 Like

We have now these settings which seem to be sufficent:

chcon -R -t httpd_sys_rw_content_t /var/cache/nginx/.gnupg
setsebool -P httpd_read_user_content 1
setsebool -P httpd_can_network_connect 1
1 Like


I have been working on the SELinux part for a bit to provide passbolt permissions on centos7. Setup is as follows:

A single Centos7 node that contains:

  • Nginx
  • php-fpm
  • mysql
  • passbolt

In this setup it is recommended to install policycoreutils-python that provides tools such as semanage to easily managing policies.

Grant all the files under www with access for the httpd service (passbolt installation on this setup is under /var/www/passbolt):

semanage fcontext -a -t httpd_sys_content_t '/var/www(/.*)?'

Passbolt also requires write access under tmp in order to store cached files:

semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/passbolt/app/tmp(/.*)?'

Apply changes to the recently installed passbolt files under /var/www:

restorecon -Rv /var/www

Same applies to .gnupg inside nginx home dir:

semanage fcontext -a -t httpd_sys_rw_content_t '/var/lib/nginx/.gnupg(/.*)?'
restorecon -Rv /var/lib/nginx/.gnupg

The permissions could vary depending on your environments so maybe the ones I’m proposing here would not working in your environment (for instance you use a remote database you will need more permissions).
Hopefully this could help you guys. Of course any feedback will be welcome :slight_smile: