So on the SELinux configuration page, they suggest SELinux contexts to set at the top and then I noticed they said the following at the bottom:
It is much stronger security to have a more fine-grained ruleset as in the examples at the beginning, so use this only for testing and troubleshooting. It has a similar effect to disabling SELinux, so don’t use it on production systems.
Does anyone have experience with such a fine-grained ruleset for Nextcloud? When I take a look at the directory structure I cannot really imagine what folders/files can do away with the
rw context. They say the following directories should have
rw: /var/www/html/nextcloud/data, /var/www/html/nextcloud/config, and /var/www/html/nextcloud/apps. Data is obvious, since you need to write new data. I guess you could do away with the config directory and only allow
config.php, but what about the apps? And what security will you gain by having a more fine-grained ruleset?
For reference I am running Fedora 32 and nginx as a webserver.
Basically, what SELinux ruleset does the community use and why?