Is there a list available for SELinux settings Passbolt needs? Like write-access files and folders and booleans?
As far as I know SELinux is enabled by default on CentOS, and a passbolt installation on CentOS does not require any special SELinux configuration items.
But maybe I'm missing something.
Yes, but they're not forthcoming. There are a number of closed issues in GitHub that point towards this. I struggled getting the GPG ring to be recognised by the apache user, so while the health check came back fine, the software couldn't identify the key within the ring.
# label the apache user's GnuPG home so httpd domains can read and write it
# (chcon labels are lost on a full relabel; semanage fcontext rules persist)
sudo chcon -R -t httpd_sys_rw_content_t /usr/share/httpd/.gnupg/
# allow httpd domains to read content in user home directories
setsebool -P httpd_read_user_content 1
From:
We now have these settings, which seem to be sufficient:
# label the nginx user's GnuPG home as httpd read/write content
chcon -R -t httpd_sys_rw_content_t /var/cache/nginx/.gnupg
# allow httpd domains to read content in user home directories
setsebool -P httpd_read_user_content 1
# allow httpd domains to open outbound network connections (any port)
setsebool -P httpd_can_network_connect 1
Hi!
I have been working on the SELinux part for a bit to provide passbolt permissions on CentOS 7. The setup is as follows:
A single CentOS 7 node that contains:
- Nginx
- php-fpm
- mysql
- passbolt
In this setup it is recommended to install policycoreutils-python, which provides tools such as semanage for easily managing policies.
Grant the httpd service access to all the files under www (the passbolt installation in this setup is under /var/www/passbolt):
semanage fcontext -a -t httpd_sys_content_t '/var/www(/.*)?'
Passbolt also requires write access under tmp in order to store cached files:
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/passbolt/app/tmp(/.*)?'
Apply the changes to the recently installed passbolt files under /var/www:
restorecon -Rv /var/www
The same applies to .gnupg inside the nginx home dir:
semanage fcontext -a -t httpd_sys_rw_content_t '/var/lib/nginx/.gnupg(/.*)?'
restorecon -Rv /var/lib/nginx/.gnupg
The permissions could vary depending on your environment, so the ones I'm proposing here might not work in yours (for instance, if you use a remote database you will need more permissions).
Hopefully this could help you guys. Of course, any feedback will be welcome.
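As an added example (not code from this thread, nor passbolt's own tooling), the script below assembles the fcontext rules and booleans from the post above into a reviewable plan that is printed rather than executed, and adds a small triage helper for the AVC denial lines in audit.log that tell you which label is still wrong. The paths are assumptions: /var/www/passbolt as the install directory and /var/lib/nginx/.gnupg as the nginx keyring; for a remote database it uses the httpd_can_network_connect_db boolean, which is narrower than the httpd_can_network_connect boolean used in the earlier post. The two audit lines in SAMPLE_AVC are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the forum thread: print the SELinux labelling plan
# for a passbolt host and triage AVC denials from the audit log.
# Assumptions: passbolt under /var/www/passbolt, nginx home /var/lib/nginx,
# RHEL/CentOS 7 targeted policy with policycoreutils-python installed.
set -eu

# One persistent fcontext rule. "-a" fails when the spec already exists
# (the base policy already defines /var/www(/.*)?), so fall back to "-m".
fcontext_rule() {
    printf "semanage fcontext -a -t %s '%s' 2>/dev/null || semanage fcontext -m -t %s '%s'\n" \
        "$1" "$2" "$1" "$2"
}

# Emit the commands, one per line, without running them.
# Review the output, then apply as root with:  selinux_plan | sh
selinux_plan() {
    webroot="${1:-/var/www/passbolt}"
    gnupg_home="${2:-/var/lib/nginx/.gnupg}"
    remote_db="${3:-0}"            # 1 when MySQL runs on another host
    www_parent=$(dirname "$webroot")
    fcontext_rule httpd_sys_content_t "${www_parent}(/.*)?"
    fcontext_rule httpd_sys_rw_content_t "${webroot}/app/tmp(/.*)?"
    fcontext_rule httpd_sys_rw_content_t "${gnupg_home}(/.*)?"
    printf '%s\n' \
        "restorecon -Rv '${www_parent}'" \
        "restorecon -Rv '${gnupg_home}'" \
        "setsebool -P httpd_read_user_content 1"
    # Narrower than httpd_can_network_connect: only database ports are opened.
    if [ "$remote_db" = 1 ]; then
        printf '%s\n' "setsebool -P httpd_can_network_connect_db 1"
    fi
}

# Summarise AVC denials from stdin, one line each:
#   <comm> denied <perms> on <path|name> (<target type>): <hint>
# Feed it raw audit.log lines or:  ausearch -m avc -ts recent | avc_summary
avc_summary() {
    grep 'avc: *denied' | awk '{
        comm = ""; target = ""; ttype = ""; perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { if (perms == "") perms = $i; else perms = perms "," $i; continue }
            if ($i ~ /^comm=/) { comm = $i; sub(/^comm=/, "", comm) }
            if ($i ~ /^(path|name)=/) { target = $i; sub(/^(path|name)=/, "", target) }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        }
        gsub(/"/, "", comm); gsub(/"/, "", target)
        hint = "no automatic hint; run audit2why on the line"
        if (ttype == "httpd_sys_content_t" && perms ~ /write|create|add_name|remove_name|unlink|setattr/) {
            hint = "relabel as httpd_sys_rw_content_t"
        } else if (ttype !~ /^httpd_/) {
            hint = "path is outside httpd labels, add a fcontext rule"
        }
        print comm " denied " perms " on " target " (" ttype "): " hint
    }'
}

# Constructed sample audit lines (not captured from a real host): a cache
# directory that is still read-only content, and a keyring left as var_lib_t.
SAMPLE_AVC='type=AVC msg=audit(1500000000.123:456): avc:  denied  { write } for  pid=1234 comm="php-fpm" name="cache" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1500000000.987:457): avc:  denied  { read } for  pid=1240 comm="gpg" path="/var/lib/nginx/.gnupg/pubring.kbx" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'

selinux_demo() {
    echo "# labelling plan (review, then pipe to sh as root)"
    selinux_plan
    echo "# AVC triage of the constructed sample lines"
    printf '%s\n' "$SAMPLE_AVC" | avc_summary
}
selinux_demo
```

The plan deliberately prints instead of executes so it can be diffed against `semanage fcontext -l -C` before anything changes; the triage helper only reads the fields audit.log already carries (comm, path or name, tcontext) and never guesses a rule for a type it does not recognise.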