Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Neomutt apparmor gpg sql mistake
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Da51d
n00b
n00b


Joined: 27 Mar 2024
Posts: 12

PostPosted: Mon Apr 08, 2024 10:13 pm    Post subject: Neomutt apparmor gpg sql mistake Reply with quote

Hello everyone,
I installed neomutt as an email client. I set it up for icloud email, and placed my "app specific" passwords in an encrypted file, which neomutt read via a line in
Code:
~/.config/mutt/muttrc:
   source "gpg -dq $XDG_CONFIG_HOME/mutt/passwords.gpg |"

It all worked fine, and I was happily communicating away. Then I created an apparmor profile from scratch for it, and went through the whole process of appeasing the complaints in the audit.log, via aa-logprof, edit, reload, try again etc. During this process, the following list of rules evolved regarding gnupg:
Code:
  /usr/bin/gpg mrix,
  /usr/bin/gpg-agent mrix,
  owner /home/*/.gnupg/* l,
  owner /run/user/1000/gnupg/ w,
  owner /run/user/1000/gnupg/S.gpg-agent w,
  owner /run/user/1000/gnupg/S.gpg-agent.browser w,
  owner /run/user/1000/gnupg/S.gpg-agent.extra w,
  owner /run/user/1000/gnupg/S.gpg-agent.ssh w,
  owner /run/user/1000/gnupg/S.keyboxd w,
  owner /run/user/1000/gnupg/S.scdaemon w,
  owner /home/*/.gnupg/* l,
  owner /home/*/.gnupg/* w,
  owner /home/*/.gnupg/.#lk0x00005562d84fe440.kryten.3452 w,
  owner /home/*/.gnupg/.#lk0x000055b3fe806fc0.kryten.7257 w,
  owner /home/*/.gnupg/common.conf r,
  owner /home/*/.gnupg/private-keys-v1.d/ rw,
  owner /home/*/.gnupg/private-keys-v1.d/* r,
  owner /home/*/.gnupg/public-keys.d/ w,
  owner /home/*/.gnupg/public-keys.d/* l,
  owner /home/*/.gnupg/public-keys.d/* r,
  owner /home/*/.gnupg/public-keys.d/* w,

But something has gone wrong. The following commands and output describe the problem in a nutshell:
Code:
  ~ $ neomutt
  gpg: keydb_search failed: SQL library used incorrectly
  gpg: public key decryption failed: No secret key
  gpg: decryption failed: No secret key
  ~ $ gpg --list-keys
  gpg: keydb_search_first failed: SQL library used incorrectly
  ~ $ gpg --decrypt .config/mutt/passwords.gpg
  gpg: keydb_search failed: SQL library used incorrectly
  gpg: encrypted with RSA key, ID 255D6054F21066E6
  gpg: keydb_search failed: SQL library used incorrectly
  gpg: public key decryption failed: No secret key
  gpg: decryption failed: No secret key

Can anyone shed any light on this unwholesome state of affairs? or possibly point me in the right direction? Has my key gone forever?

[Moderator edit: added [code] tags to preserve output layout. -- pietinger]
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5104
Location: Bavaria

PostPosted: Tue Apr 09, 2024 11:52 am    Post subject: Re: Neomutt apparmor gpg sql mistake Reply with quote

Da51d wrote:
[...] Has my key gone forever?

This question can easily be answered by starting these gpg commands without activated AA profiles.

If these error messages still appear, something is probably broken.

If not, then we "only" have a problem with the AA profile. This seems incomplete to me; are you including other (base-) profiles?

I use the "Kontact" program from the KDE/Plasma Suite, which in turn starts "Kmail", which also uses gpg in my case. I had to allow a lot more here; but I also made it easier for myself by summarizing a few things, e.g:
Code:
/usr/bin/gpg  rix,
/usr/bin/gpgconf  rix,
/usr/bin/gpgsm  rix,
/usr/bin/gpg-agent  rix,

owner /proc/[0-9]*/task/[0-9]*/comm  rw,

owner /run/user/[0-9]*/{,**}  rwk,
owner /run/user/[0-9]*/*socket lrw -> /run/user/[0-9]*/#[0-9]*,

owner /home/*/.gnupg/{,**}  rwk,
owner /home/*/.gnupg/**  l -> /home/*/.gnupg/**,

(This is not complete; you will find my profile in my (german) post here:
https://forums.gentoo.org/viewtopic-p-8541691.html#8541691 )
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
Da51d
n00b
n00b


Joined: 27 Mar 2024
Posts: 12

PostPosted: Tue Apr 09, 2024 4:31 pm    Post subject: Reply with quote

Thankyou once again Pietinger. It seems the key was lost. Even disabling apparmor, I had the same output. The key was not important, I only created it for this purpose. The selection of rules I posted, was only those relating to gpg, and not the whole profile. I tried also to create a profile for pulseaudio, and was possibly over zealous with the use of globbing characters to speed things up. I lost all sound, and that too did not recover when apparmor was disabled. I have started again, and will be more careful this time. It is easy to become impatient during the debugging process.Thanks again, I'll get there in the end and learn a lot along the way.
_________________
What can be said at all can be said clearly and what we cannot talk about we must pass over in silence.
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5104
Location: Bavaria

PostPosted: Wed Apr 10, 2024 12:05 pm    Post subject: Reply with quote

Da51d wrote:
Thankyou once again Pietinger. It seems the key was lost. Even disabling apparmor, I had the same output. [...]

Thanks for your report ... and ...

That's sad ... my only explanation would be that gpg wanted to write something AND could write the first part, but couldn't write a second part (because of AA), and that's why this in-between situation happened (but I am not a gpg expert).
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
Back to top
View user's profile Send private message
Da51d
n00b
n00b


Joined: 27 Mar 2024
Posts: 12

PostPosted: Wed Apr 10, 2024 2:49 pm    Post subject: Reply with quote

This was my thinking too. I think this is a problem that can arise if the policy is set to enforce mode rather than complain mode during the debugging process. I think something similar happened with pulseaudio too. I am now being very careful and testing everything over and over before setting to enforce mode.
_________________
What can be said at all can be said clearly and what we cannot talk about we must pass over in silence.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum