I have no permissions to write to /var/log. If /var/vhosts/nextcloud is the main directory of NC, I created /var/hosts/nc_log directory and set log there. nc_log is not configured with SELINUX, but when selinux is enabled, fail2ban stops.
I created a folder /var/log/nextcloud and gave the ownership to the user of the web server. After that Nextcloud should be able to write the log file to this folder. Of course you must also change the path in the config.php.
'logfile' => '/var/log/nextcloud/nextcloud.log',
However that was just an idea how you maybe could work around the SELINUX issue. I’m mostly a Debian/Ubuntu user and I have little to no experience with SELINUX, so I’m not sure if this really helps with the SELINUX issue or what to do, if it doesn’t help…
Thank you. But I also created a /var/log/nclog directory and gave it the same user as NC, but I can’t seem to write to it from NC. I can write on ssh but not from NC. A new log file is automatically created in nextcloud/data directory.
Experiencing this issue myself on a new install of NC25 on Rocky 9. SElinux is denying fail2ban access to the nextcloud.log file. Two ways I’ve found to resolve it so far are as follows.
1. (I don’t like this option) Use sealert to analyze the audit.log and make a recommendation:
sealert -a /var/log/audit/audit.log > somefile.txt
more somefile.txt
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------
SELinux is preventing /usr/bin/python3.9 from search access on the directory data.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that python3.9 should be allowed search access on the data directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fail2ban-server' --raw | audit2allow -M my-fail2banserver
# semodule -X 300 -i my-fail2banserver.pp
2. (This is better) It looks like you can set the entire fail2ban process into permissive mode, such that SElinux will continue to enforce on everything else running on the system, but will be permissive for the fail2ban process:
Personally I don’t like either of the above two options. They both allow fail2ban to access the nextcloud.log file, but IMO neither approach is ideal. The first is a broadsword, and basically allows Python to access the nextcloud data directory. That seems less than ideal from a security standpoint. The second option excludes fail2ban from any selinux enforcement. This is better, but still more than what we really need. I’d like to find a way to very specifically allow fail2ban to access the nextcloud.log file only, since that is all that is needed. I’m not an selinux expert however, so I guess I’ll keep on searching…
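An added example (not from this thread, and not code from the Nextcloud or fail2ban projects) of the narrow grant the last post is looking for: put nextcloud.log in its own directory as suggested earlier in the thread, label that directory httpd_log_t, and only build a policy module if the loaded policy does not already let fail2ban_t read httpd_log_t. Assumed, not confirmed by the thread: a RHEL-family targeted policy with the domain and type names fail2ban_t, httpd_t and httpd_log_t, the web server user apache, the hypothetical module name nextcloud_fail2ban, and a config.php 'logfile' path under /var/log/nextcloud.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Nextcloud/fail2ban
# projects. Goal: give fail2ban read access to nextcloud.log ONLY, by moving
# the log into its own directory labelled httpd_log_t, instead of the
# catch-all audit2allow module or a permissive fail2ban domain.
# Assumptions: RHEL-family targeted policy with the domains fail2ban_t and
# httpd_t and the type httpd_log_t; the web server runs as user "apache";
# config.php points 'logfile' at a file under LOGDIR; module name is made up.

LOGDIR="${LOGDIR:-/var/log/nextcloud}"
MODULE="${MODULE:-nextcloud_fail2ban}"
WEBUSER="${WEBUSER:-apache}"

# Persistent file-context rule: everything under LOGDIR is a web server log.
# fail2ban gains nothing on the Nextcloud data directory this way.
fcontext_cmd() {
    printf "semanage fcontext -a -t httpd_log_t '%s(/.*)?'\n" "$1"
}

# Minimal policy module, used only if the loaded policy does not already let
# fail2ban_t read httpd_log_t. Read-side permissions only: no write, no other
# target type, and scoped to the fail2ban domain rather than "python".
te_module() {
    cat <<EOF
module $1 1.0;

require {
    type fail2ban_t;
    type httpd_log_t;
    class dir { search getattr open };
    class file { read getattr open ioctl };
}

# walk into the log directory
allow fail2ban_t httpd_log_t:dir { search getattr open };
# read (tail) the log file
allow fail2ban_t httpd_log_t:file { read getattr open ioctl };
EOF
}

# 0 = loaded policy already allows fail2ban_t to read httpd_log_t files,
# 1 = it does not, 2 = sesearch (setools-console) is not installed.
policy_allows_read() {
    command -v sesearch >/dev/null 2>&1 || return 2
    [ -n "$(sesearch --allow -s fail2ban_t -t httpd_log_t -c file -p read 2>/dev/null)" ]
}

# Show the labels and any fresh denials for fail2ban; an empty AVC result is
# the goal. Needs root and the audit tools.
verify() {
    ls -Z "$LOGDIR"
    ausearch -m AVC -c fail2ban-server -ts recent 2>/dev/null \
        || echo "no recent AVC denials for fail2ban-server"
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    mkdir -p "$LOGDIR"
    chown "$WEBUSER:$WEBUSER" "$LOGDIR"
    chmod 750 "$LOGDIR"
    eval "$(fcontext_cmd "$LOGDIR")"
    restorecon -Rv "$LOGDIR"
    if ! policy_allows_read; then
        te_module "$MODULE" > "/tmp/$MODULE.te"
        checkmodule -M -m -o "/tmp/$MODULE.mod" "/tmp/$MODULE.te"
        semodule_package -o "/tmp/$MODULE.pp" -m "/tmp/$MODULE.mod"
        semodule -i "/tmp/$MODULE.pp"
    fi
    verify
}

case "${1:-plan}" in
    apply)  apply ;;
    verify) verify ;;
    *)      # default: print what apply would run, change nothing
            fcontext_cmd "$LOGDIR"
            echo "restorecon -Rv $LOGDIR"
            te_module "$MODULE" ;;
esac
```

Run it with no argument to see what would change, `apply` as root to label the directory (and load the module only if sesearch shows no existing read rule), and `verify` afterwards to list any remaining fail2ban denials. The point of labelling rather than allowing is that the grant lands on the httpd_log_t type, so fail2ban never gets a permission on httpd_sys_rw_content_t (the data directory), and the generated module carries no write permissions at all. One caveat to check before relying on this: php-fpm (httpd_t) must be allowed to create and append files of type httpd_log_t for the log to be written there at all, which `sesearch --allow -s httpd_t -t httpd_log_t -c file` will confirm or deny on your policy version.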