Da51d (n00b)
Joined: 27 Mar 2024, Posts: 12
Posted: Mon Apr 08, 2024 10:13 pm, Post subject: Neomutt apparmor gpg sql mistake
Hello everyone,
I installed neomutt as an email client. I set it up for iCloud email, and placed my "app specific" passwords in an encrypted file, which neomutt read via a line in ~/.config/mutt/muttrc:
Code:
source "gpg -dq $XDG_CONFIG_HOME/mutt/passwords.gpg |"
It all worked fine, and I was happily communicating away. Then I created an apparmor profile from scratch for it, and went through the whole process of appeasing the complaints in the audit.log, via aa-logprof, edit, reload, try again etc. During this process, the following list of rules evolved regarding gnupg:
Code:
/usr/bin/gpg mrix,
/usr/bin/gpg-agent mrix,
owner /home/*/.gnupg/* l,
owner /run/user/1000/gnupg/ w,
owner /run/user/1000/gnupg/S.gpg-agent w,
owner /run/user/1000/gnupg/S.gpg-agent.browser w,
owner /run/user/1000/gnupg/S.gpg-agent.extra w,
owner /run/user/1000/gnupg/S.gpg-agent.ssh w,
owner /run/user/1000/gnupg/S.keyboxd w,
owner /run/user/1000/gnupg/S.scdaemon w,
owner /home/*/.gnupg/* l,
owner /home/*/.gnupg/* w,
owner /home/*/.gnupg/.#lk0x00005562d84fe440.kryten.3452 w,
owner /home/*/.gnupg/.#lk0x000055b3fe806fc0.kryten.7257 w,
owner /home/*/.gnupg/common.conf r,
owner /home/*/.gnupg/private-keys-v1.d/ rw,
owner /home/*/.gnupg/private-keys-v1.d/* r,
owner /home/*/.gnupg/public-keys.d/ w,
owner /home/*/.gnupg/public-keys.d/* l,
owner /home/*/.gnupg/public-keys.d/* r,
owner /home/*/.gnupg/public-keys.d/* w,
But something has gone wrong. The following commands and output describe the problem in a nutshell:
Code:
~ $ neomutt
gpg: keydb_search failed: SQL library used incorrectly
gpg: public key decryption failed: No secret key
gpg: decryption failed: No secret key
~ $ gpg --list-keys
gpg: keydb_search_first failed: SQL library used incorrectly
~ $ gpg --decrypt .config/mutt/passwords.gpg
gpg: keydb_search failed: SQL library used incorrectly
gpg: encrypted with RSA key, ID 255D6054F21066E6
gpg: keydb_search failed: SQL library used incorrectly
gpg: public key decryption failed: No secret key
gpg: decryption failed: No secret key
Can anyone shed any light on this unwholesome state of affairs? Or possibly point me in the right direction? Has my key gone forever?
[Moderator edit: added [code] tags to preserve output layout. -- pietinger]
pietinger (Moderator)
Joined: 17 Oct 2006, Posts: 5104, Location: Bavaria
Posted: Tue Apr 09, 2024 11:52 am, Post subject: Re: Neomutt apparmor gpg sql mistake
Da51d wrote:
    [...] Has my key gone forever?
This question can easily be answered by starting these gpg commands without activated AA profiles.
If these error messages still appear, something is probably broken.
If not, then we "only" have a problem with the AA profile. This seems incomplete to me; are you including other (base-) profiles?
I use the "Kontact" program from the KDE/Plasma Suite, which in turn starts "Kmail", which also uses gpg in my case. I had to allow a lot more here; but I also made it easier for myself by summarizing a few things, e.g.:
Code:
/usr/bin/gpg rix,
/usr/bin/gpgconf rix,
/usr/bin/gpgsm rix,
/usr/bin/gpg-agent rix,
owner /proc/[0-9]*/task/[0-9]*/comm rw,
owner /run/user/[0-9]*/{,**} rwk,
owner /run/user/[0-9]*/*socket lrw -> /run/user/[0-9]*/#[0-9]*,
owner /home/*/.gnupg/{,**} rwk,
owner /home/*/.gnupg/** l -> /home/*/.gnupg/**,
(This is not complete; you will find my profile in my (German) post here: https://forums.gentoo.org/viewtopic-p-8541691.html#8541691 )
--
https://wiki.gentoo.org/wiki/User:Pietinger
Da51d (n00b)
Joined: 27 Mar 2024, Posts: 12
Posted: Tue Apr 09, 2024 4:31 pm
Thank you once again Pietinger. It seems the key was lost. Even disabling apparmor, I had the same output. The key was not important, I only created it for this purpose. The selection of rules I posted was only those relating to gpg, and not the whole profile. I tried also to create a profile for pulseaudio, and was possibly overzealous with the use of globbing characters to speed things up. I lost all sound, and that too did not recover when apparmor was disabled. I have started again, and will be more careful this time. It is easy to become impatient during the debugging process. Thanks again, I'll get there in the end and learn a lot along the way.
--
What can be said at all can be said clearly and what we cannot talk about we must pass over in silence.
pietinger (Moderator)
Joined: 17 Oct 2006, Posts: 5104, Location: Bavaria
Posted: Wed Apr 10, 2024 12:05 pm
Da51d wrote:
    Thank you once again Pietinger. It seems the key was lost. Even disabling apparmor, I had the same output. [...]
Thanks for your report ... and ...
That's sad ... my only explanation would be that gpg wanted to write something AND could write the first part, but couldn't write a second part (because of AA), and that's why this in-between situation happened (but I am not a gpg expert).
--
https://wiki.gentoo.org/wiki/User:Pietinger
Da51d (n00b)
Joined: 27 Mar 2024, Posts: 12
Posted: Wed Apr 10, 2024 2:49 pm
This was my thinking too. I think this is a problem that can arise if the policy is set to enforce mode rather than complain mode during the debugging process. I think something similar happened with pulseaudio too. I am now being very careful and testing everything over and over before setting to enforce mode.
--
What can be said at all can be said clearly and what we cannot talk about we must pass over in silence.
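As an added example (not code from the thread or from AppArmor's own tools), this is the audit.log harvesting step the posts describe, done over constructed AVC records so it runs offline: it separates complain-mode "ALLOWED" records from enforce-mode "DENIED" ones and folds the denied permission letters per path into candidate rule lines, as aa-logprof would propose. The profile name `neomutt`, the home directory `/home/david`, the pids and the timestamps are assumptions, and the `c`/`d` to `w` mapping reflects that AppArmor file rules grant create and delete through `w`.

```shell
#!/bin/sh
# Constructed sample audit.log lines (not from the thread); the field layout follows
# the kernel's AppArmor AVC record format. Profile name, user and pids are made up.
SAMPLE_LOG='type=AVC msg=audit(1712600001.100:301): apparmor="ALLOWED" operation="open" profile="neomutt" name="/home/david/.gnupg/common.conf" pid=3452 comm="gpg" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1712600002.200:302): apparmor="DENIED" operation="open" profile="neomutt" name="/home/david/.gnupg/public-keys.d/pubring.db" pid=3460 comm="keyboxd" requested_mask="wrc" denied_mask="wc" fsuid=1000 ouid=1000
type=AVC msg=audit(1712600002.300:303): apparmor="DENIED" operation="file_lock" profile="neomutt" name="/home/david/.gnupg/public-keys.d/pubring.db" pid=3460 comm="keyboxd" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
type=AVC msg=audit(1712600003.400:304): apparmor="DENIED" operation="connect" profile="neomutt" name="/run/user/1000/gnupg/S.keyboxd" pid=3452 comm="gpg" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1712600002.300:303): arch=c000003e syscall=72 success=no exit=-13'

# Print one "profile comm path denied_mask" line per AppArmor AVC record whose
# verdict is $1: DENIED is what enforce mode logs, ALLOWED is what complain mode
# logs for the same access. Reads the log on stdin; non-AppArmor records are dropped.
apparmor_verdicts() {
  verdict="$1"
  grep "apparmor=\"$verdict\"" | sed -n \
    's/.*profile="\([^"]*\)".*name="\([^"]*\)".*comm="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \3 \2 \4/p'
}

# Fold all DENIED records into one candidate rule per path carrying the union of
# the denied permission letters. AppArmor rules grant create (c) and delete (d)
# through w, so those letters are mapped onto w; duplicates are removed.
suggest_rules() {
  apparmor_verdicts DENIED | awk '
    { masks[$3] = masks[$3] $4 }
    END {
      for (p in masks) {
        m = masks[p]; out = ""; split("", seen)
        for (i = 1; i <= length(m); i++) {
          c = substr(m, i, 1)
          if (c == "c" || c == "d") c = "w"
          if (!seen[c]++) out = out c
        }
        printf "owner %s %s,\n", p, out
      }
    }' | sort
}

# Stand-alone usage: review the candidate rules before adding them to the profile.
printf '%s\n' "$SAMPLE_LOG" | suggest_rules
```

The candidate lines are a starting point for review, not something to paste in blindly: a path that should not be writable stays out, and a rule can usually be generalised with globs the way pietinger's profile does.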