How to exclude SELINUX protection for NC log

ℹ️ Support
1

I want to set (nextcloud/data/)nextcloud.log in logpath of fail2ban jail, but it is prevented by SELINUX. I followed the guide below to set up SELINUX.
https://docs.nextcloud.com/server/latest/admin_manual/installation/selinux_configuration.html
Currently, I am unable to run fail2ban with SELINUX enabled.

The following does not seem to rule it out. (= not defined)
semanage fcontext -d ‘/var/www/html/nextcloud/data/nextcloud.log’

Do I have to exclude the data directory itself from SELINUX?
I have very limited knowledge of SELINUX so please let me know.

2

I’m not an SELINUX expert either, but maybe this is of any help: Fail2ban does not access the nextcloud log - #6 by bb77

Or maybe it would be even better to place the log file outside of the nextcloud data directory, e.g. in /var/log/

3

I have no permissions to write to /var/log. If /var/vhosts/nextcloud is the main directory of NC, I created /var/hosts/nc_log directory and set log there. nc_log is not configured with SELINUX, but when selinux is enabled, fail2 ban stops.

4

I created a folder/var/log/nextcloud and gave the ownership to the user of the web server. After that Nextcloud should be able to write the log file to this folder. Of course you must also change the path in the config.php.

'logfile' => '/var/log/nextcloud/nextcloud.log',

However that was just an idea how you maybe could work around the SELINUX issue. I’m mostly a Debian/Ubuntu user and I have little to no experience with SELINUX, so I’m not sure if this really helps with the SELINUX issue or what to do, if it doesn’t help…

5

Thank you. But I also created a /var/log/nclog directory and gave it the same user as NC, but I can’t seem to write to it from NC. I can write on ssh but not from NC. A new log file is automatically created in nextcloud/data directory.

6

@zoo3 in case you are family with ansible you’ll find a solution here: nextcloud/selinux.yml at nextcloud-reloaded · ReinerNippes/nextcloud · GitHub

otherwise i have to dig to find the howto that i used to create this solution.

7

Experiencing this issue myself on a new install of NC25 on Rocky 9. SElinux is denying fail2ban access to the nextcloud.log file. Two ways I’ve found to resolve it so far, are as follows.

  1. (I don’t like this option) Use sealert to analyze the audit.log and make a recommendation:
    sealert -a /var/log/audit/audit.log > somefile.txt
    more somefile.txt
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/bin/python3.9 from search access on the directory data.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python3.9 should be allowed search access on the data directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fail2ban-server' --raw | audit2allow -M my-fail2banserver
# semodule -X 300 -i my-fail2banserver.pp
  1. (This is better) It looks like you can set the entire fail2ban process into permissive mode, such that SElinux will continue to enforce on everything else running on the system, but will be permissive for the fail2ban process:

semanage permissive -a fail2ban_t

As described in the man page: https://www.systutorials.com/docs/linux/man/8-fail2ban_selinux/

  1. Personally I don’t like either of the above two options. They both allow fail2ban to access the nextcloud.log file, but IMO neither approach is ideal. The first is a broadsword, and basically allows Python to access the nextcloud data directory. That seems less than ideal from a security standpoint. The second option excludes fail2ban from any selinux enforcement. This is better, but still more than what we really need. I’d like to find a way to very specifically allow fail2ban to access the nextcloud.log file only, since that is all that is needed. I’m not an selinux expert however, so I guess I’ll keep on searching…