What is the list of SELinux settings Passbolt needs?

Hi!

I have been working on the SELinux part for a bit to provide passbolt permissions on centos7. Setup is as follows:

A single Centos7 node that contains:

  • Nginx
  • php-fpm
  • mysql
  • passbolt

In this setup it is recommended to install policycoreutils-python, which provides tools such as semanage for easily managing policies.

Grant all the files under www with access for the httpd service (passbolt installation on this setup is under /var/www/passbolt):

semanage fcontext -a -t httpd_sys_content_t '/var/www(/.*)?'

Passbolt also requires write access under tmp in order to store cached files:

semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/passbolt/app/tmp(/.*)?'

Apply changes to the recently installed passbolt files under /var/www:

restorecon -Rv /var/www

Same applies to .gnupg inside nginx home dir:

semanage fcontext -a -t httpd_sys_rw_content_t '/var/lib/nginx/.gnupg(/.*)?'
restorecon -Rv /var/lib/nginx/.gnupg
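As an added example (not part of the original post), the following POSIX shell script checks a `semanage fcontext -l` listing for the three rules above and applies only the ones that are missing, so it can be re-run safely. The paths assume the layout in the post (/var/www/passbolt, /var/lib/nginx); the sample listing is constructed and deliberately lacks the .gnupg rule.

```shell
#!/bin/sh
# Required fcontext rules from the post: "<path-regex> <selinux-type>", one per line.
REQUIRED_RULES='/var/www(/.*)? httpd_sys_content_t
/var/www/passbolt/app/tmp(/.*)? httpd_sys_rw_content_t
/var/lib/nginx/.gnupg(/.*)? httpd_sys_rw_content_t'

# Constructed sample of 'semanage fcontext -l' output (columns: path, file kind, context).
# The .gnupg rule is intentionally absent so the check has something to report.
SAMPLE_LIST='/var/www(/.*)?                    all files  system_u:object_r:httpd_sys_content_t:s0
/var/www/passbolt/app/tmp(/.*)?   all files  system_u:object_r:httpd_sys_rw_content_t:s0'

# missing_fcontext LISTING: print "path type" for each required rule whose path is not
# present in LISTING with the expected type. Exact match on the path column avoids
# /var/www(/.*)? being satisfied by a longer /var/www/... entry.
missing_fcontext() {
  printf '%s\n' "$REQUIRED_RULES" | while read -r path type; do
    if ! printf '%s\n' "$1" | awk -v p="$path" -v t="$type" \
        '$1 == p && index($0, "object_r:" t ":") { found = 1 } END { exit !found }'; then
      printf '%s %s\n' "$path" "$type"
    fi
  done
}

# count_missing LISTING: number of required rules absent from LISTING.
count_missing() {
  missing_fcontext "$1" | wc -l | tr -d ' '
}

# apply_missing: add the absent rules with semanage and relabel the affected trees.
# Needs root and policycoreutils-python; does nothing if every rule is already present.
apply_missing() {
  command -v semanage >/dev/null 2>&1 || { echo 'semanage not found' >&2; return 1; }
  missing_fcontext "$(semanage fcontext -l)" | while read -r path type; do
    semanage fcontext -a -t "$type" "$path"
  done
  restorecon -Rv /var/www /var/lib/nginx/.gnupg
}

# Stand-alone run: report which rules the constructed sample lacks.
missing_fcontext "$SAMPLE_LIST"
```

On a real host, replace the sample with the live listing (`missing_fcontext "$(semanage fcontext -l)"`) or call apply_missing as root.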

The permissions could vary depending on your environment, so maybe the ones I’m proposing here would not work in your environment (for instance, if you use a remote database you will need more permissions).
Hopefully this could help you guys. Of course any feedback will be welcome :slight_smile: