Check for expected files failed going from 18.0.3 to 4

Tried to update my NC 18.0.3 to version 18.0.4, but it didn’t succeed.

When I click “Start update” in the web updater I get back

Check for expected files
The following extra files have been found:

  • my-df.te
  • my-df.pp

But no further info what to do about it. Any advice?

Search the files in your nextcloud-path and move them to a place outside nextcloud or to /dev/null :wink:

Where do these files come from? Why are they considered a blocking issue for version 18.0.4?

The files are definitely not part of the Nextcloud package. Open them and check their content to get an idea where they’re coming from. Nextcloud in general verifies the content of its package, and all files that are not part of the original package generate the mentioned security warning.

Both of the files were created on 2020-03-31 (and last modified)
my-df.pp: SE Linux modular policy version 1, 1 sections, mod version 19, MLS, module name my-df\003
my-df.te: ASCII text

Content of my-df.te is
module my-df 1.0;

require {
    type httpd_t;
    type configfs_t;
    class dir getattr;
}

#============= httpd_t ==============

#!!! The file '/sys/kernel/config' is mislabeled on your system.
#!!! Fix with $ restorecon -R -v /sys/kernel/config
allow httpd_t configfs_t:dir getattr;

That’s what aunt G. knows about it:
https://bugzilla.redhat.com/show_bug.cgi?id=1380501

A bit confused what to make of this.

I checked the page …/nextcloud/index.php/settings/admin/logging and it shows no entries for 2020-03-31 (the day those two files were created). And I don’t remember if I did anything special with NC on that day.

journalctl shows the following message four times for that day

setroubleshoot[10294]: failed to retrieve rpm info for /sys/kernel/config
setroubleshoot[10294]: SELinux is preventing /usr/bin/df from getattr access on the directory /sys/kernel/config. For complete SELinux messages run: sealert -l 1ad922aa-ce69-42b1-8753-64820b6a2917
python[10294]: SELinux is preventing /usr/bin/df from getattr access on the directory /sys/kernel/config.

                                  *****  Plugin catchall (100. confidence) suggests   **************************
                                  
                                  If you believe that df should be allowed getattr access on the config directory by default.
                                  Then you should report this as a bug.
                                  You can generate a local policy module to allow this access.
                                  Do
                                  allow this access for now by executing:
                                  # ausearch -c 'df' --raw | audit2allow -M my-df
                                  # semodule -i my-df.pp

Should I just delete those two files or should I make some changes to SELinux?
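
Added example (not part of the original thread and not Nextcloud or SELinux project code): a small Python helper that summarises what an audit2allow-generated .te file such as the my-df.te quoted above would grant, and extracts audit2allow's own "#!!!" relabel hints, so the module can be reviewed before deciding what to do with it. The name review_te and the regular expressions are this example's own; the sample input is the file content quoted in the thread.

```python
import re

# The my-df.te content quoted in the thread, embedded so the example runs offline.
SAMPLE_TE = """\
module my-df 1.0;

require {
    type httpd_t;
    type configfs_t;
    class dir getattr;
}

#============= httpd_t ==============

#!!! The file '/sys/kernel/config' is mislabeled on your system.
#!!! Fix with $ restorecon -R -v /sys/kernel/config
allow httpd_t configfs_t:dir getattr;
"""

MODULE_RE = re.compile(r"^\s*module\s+(\S+)\s+([\d.]+)\s*;", re.M)
# allow <source> <target>:<class> <perm>;   or   ... { perm1 perm2 };
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+?)\s*;", re.M)
RESTORECON_RE = re.compile(r"restorecon\s+.*$")


def review_te(text):
    """Summarise an audit2allow-generated .te file for manual review."""
    m = MODULE_RE.search(text)
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.append({"source": src, "target": tgt, "class": cls,
                      "perms": sorted(perms.strip("{} ").split())})
    # audit2allow prefixes its own advice with "#!!!"
    hints = [l[4:].strip() for l in text.splitlines() if l.startswith("#!!!")]
    fixes = [f.group(0) for h in hints if (f := RESTORECON_RE.search(h))]
    return {"module": m.group(1) if m else None,
            "version": m.group(2) if m else None,
            "rules": rules, "hints": hints, "relabel_commands": fixes}


if __name__ == "__main__":
    r = review_te(SAMPLE_TE)
    print(f"module {r['module']} {r['version']}")
    for rule in r["rules"]:
        print("  grants {source} -> {target}:{class} {perms}".format(**rule))
    for h in r["hints"]:
        print("  audit2allow note:", h)
```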