403 from Nextcloud after system upgrade

Nextcloud version (eg, 20.0.5):
Operating system and version (eg, Ubuntu 20.04): openSUSE Leap 15.4
Apache or nginx version (eg, Apache 2.4.25): nginx/1.21.5
PHP version (eg, 7.4): 7.4.33

The issue you are facing:
I just upgraded my system from openSUSE 15.3 to 15.4, and when I restarted, my Nextcloud instance started giving 403s on seemingly any request. This is different from the default nginx 403 page - it’s just a blank page with the text "Access denied.".

I also just upgraded from an older Nextcloud version, but I don’t think that is related, since it was working after the upgrade and before I upgraded my system.

The instance itself seems to be fine:

# sudo -u wwwrun php occ status
  - installed: true
  - version:
  - versionstring: 25.0.8
  - edition: 
  - maintenance: false
  - needsDbUpgrade: false
  - productname: Nextcloud
  - extendedSupport: false

The nginx error.log provides some insight

2023/06/30 11:22:11 [error] 17668#17668: *105813 FastCGI sent in stderr: "PHP message: PHP Warning:  Unknown: failed to open stream: Permission denied in Unknown on line 0Unable to open primary script: /srv/www/htdocs/nextcloud/index.php (Permission denied)" while reading response header from upstream, client:, server: [internal domain name], request: "GET /index.php/apps/photos/service-worker.js HTTP/2.0", upstream: "fastcgi://", host: "[internal domain name]"

but permissions shouldn’t have changed, they look fine, and I’m struggling to figure out what exactly is going wrong here.

Is this the first time you’ve seen this error? (Y/N): Yes

The output of your Nextcloud log in Admin > Logging:
I found the log file with occ, but it’s huge and the last entry was from before I upgraded, so it doesn’t seem relevant to me.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

$CONFIG = array (
  'instanceid' => '…',
  'passwordsalt' => '…',
  'secret' => '…',
  'trusted_domains' => 
  array (
    0 => '[internal domain name]',
    1 => '',
  ),
  'datadirectory' => '/home/server/data/nextcloud',
  'dbtype' => 'mysql',
  'version' => '',
  'overwrite.cli.url' => '[internal domain name]',
  'htaccess.RewriteBase' => '/',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '…',
  'dbpassword' => '…',
  'installed' => true,
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' => 
  array (
  ),
  'twofactor_enforced_excluded_groups' => 
  array (
  ),
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
  'app_install_overwrite' => 
  array (
    0 => 'dashboard',
  ),
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' => 
  array (
    'host' => '',
    'port' => 6379,
  ),
  'updater.secret' => '…',
);

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.
What? My Nextcloud installation directory doesn’t have any logs.

I found a clue in audit.log - AppArmor was at fault. I don’t know how to use it and I’m lazy, so I just disabled it. Works fine now.
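
Added example, not part of the original post: the AppArmor denials recorded in audit.log can be summarized per profile and path, which shows exactly which file rules the confining profile lacks so that it can be adjusted while staying in enforce mode. The log lines, the `php-fpm` profile name and the function names are constructed for illustration; only the two paths come from the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in the audit format AppArmor uses; the profile
# name, pids and timestamps are made up for illustration.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1688116931.101:901): apparmor="DENIED" operation="open" profile="php-fpm" name="/srv/www/htdocs/nextcloud/index.php" pid=17670 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=474 ouid=474
type=AVC msg=audit(1688116931.544:902): apparmor="DENIED" operation="open" profile="php-fpm" name="/srv/www/htdocs/nextcloud/index.php" pid=17671 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=474 ouid=474
type=AVC msg=audit(1688116932.010:903): apparmor="DENIED" operation="mknod" profile="php-fpm" name="/home/server/data/nextcloud/nextcloud.log" pid=17670 comm="php-fpm" requested_mask="c" denied_mask="c" fsuid=474 ouid=474
type=AVC msg=audit(1688116932.300:904): apparmor="ALLOWED" operation="open" profile="php-fpm" name="/etc/php7/fpm/php.ini" pid=17670 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=474 ouid=0
type=SYSCALL msg=audit(1688116932.300:905): arch=c000003e syscall=257 success=yes exit=3
'''

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Log masks 'c' (create) and 'd' (delete) are covered by 'w' in profile rules.
LOG_TO_RULE = {"c": "w", "d": "w"}

def parse_denials(text):
    """Return {(profile, path): set of denied mask letters} for DENIED events."""
    denials = defaultdict(set)
    for line in text.splitlines():
        f = {k: (quoted or bare) for k, quoted, bare in FIELD.findall(line)}
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        name = f["name"]
        # Names with spaces or special characters are logged unquoted as hex.
        if f'name="{name}"' not in line:
            name = bytes.fromhex(name).decode("utf-8", "replace")
        denials[(f.get("profile", "?"), name)].update(f.get("denied_mask", ""))
    return dict(denials)

def candidate_rules(denials):
    """Group denials into candidate file rules per profile, for manual review."""
    rules = defaultdict(list)
    for profile, path in sorted(denials):
        mask = denials[(profile, path)]
        perms = "".join(sorted({LOG_TO_RULE.get(m, m) for m in mask}))
        rules[profile].append(f"{path} {perms},")
    return dict(rules)

if __name__ == "__main__":
    for profile, lines in candidate_rules(parse_denials(SAMPLE_AUDIT_LOG)).items():
        print(f"profile {profile}:")
        for rule in lines:
            print(f"  {rule}")
```

The printed rules are candidates to review before they go into the profile, not a profile to paste in blindly; `aa-logprof` performs the same kind of review interactively against the real log.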