SELinux, PHP-FPM and write access to config.php

Nextcloud version: 22.2.0 (fresh installation)
Operating system and version: RockyLinux 8 and CentOS 8 (same behavior on both)
Apache version: Apache/2.4.37
PHP version: 8.0.12
SELinux enabled with targeted policy type

For testing purposes I try to configure Nextcloud with the least amount of write access via SELinux policies. config.php is labeled as read-only for httpd and write access is set to false via Nextcloud's config.php. This seems to work fine (or at least I didn't find any bad behavior yet). The only thing I'm confused about is a write access to config.php by the php-fpm user that is denied by SELinux. This happens on each reload of a page (login, dashboard, files, calendar and so on), practically on every click within the web GUI of Nextcloud. Why does php-fpm try to write to the config.php of Nextcloud, how can I disable it if not necessary, and where should I look next for getting more details about those write accesses? Could anyone provide me with further information on where to look (logfiles etc.) to find out more about this behavior? Please note: in general the installation seems to be OK and functional (file upload, sync, calendar via DAV etc.). I'm just really interested in knowing what's going on under the hood :slight_smile:

Also note: I'm testing this with a really basic SELinux setup:

  • Read-only access to the whole Nextcloud root folder including config/config.php, .htaccess and the apps folder (appstore is disabled via config.php)
  • Write access only to the Nextcloud data folder, which resides outside of the mentioned Nextcloud root folder

Steps to replicate it:
  1. Fresh installation of Nextcloud, label the root folder as follows (below you will find only the relevant label, not the others mentioned above):
    semanage fcontext -a -t httpd_sys_content_t '/var/www/sub-domains//html(/.*)?'
    restorecon -Rv '/var/www/sub-domains//html/'
  2. Restart apache:
    systemctl restart httpd
  3. Reload nextcloud webpage and check SELinux logs:
ausearch --checkpoint "./audit-checkpoint" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i
type=PROCTITLE msg=audit(11/04/21 16:19:51.464:2909) : proctitle=php-fpm: pool www 
type=SYSCALL msg=audit(11/04/21 16:19:51.464:2909) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7fe676e69918 a1=W_OK a2=0x0 a3=0x7fe676e36440 items=0 ppid=21592 pid=22434 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(11/04/21 16:19:51.464:2909) : avc:  denied  { write } for  pid=22434 comm=php-fpm name=config.php dev="dm-1" ino=1398378 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0 

journalctl -t setroubleshoot --since=16:19:50
SELinux is preventing /usr/sbin/php-fpm from write access on the file config.php. For complete SELinux messages run: sealert -l 2b72413f-427d-4d22-8a24-662d8e26e6b5

sealert -l 2b72413f-427d-4d22-8a24-662d8e26e6b5
Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects                config.php [ file ]
Source                        php-fpm
Source Path                   /usr/sbin/php-fpm
Port                          <Unknown>
Host                          <removed>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <removed>
Platform                      Linux <removed> 4.18.0-305.19.1.el8_4.x86_64 #1 SMP
                              Wed Sep 15 19:12:32 UTC 2021 x86_64 x86_64
Alert Count                   1697
First Seen                    2021-11-03 22:57:24 CET
Last Seen                     2021-11-04 16:24:51 CET
Local ID                      2b72413f-427d-4d22-8a24-662d8e26e6b5


nextcloud.log

Checked for any entries with "config.php" or 1/- at the same time as the SELinux entry --> No results.

config.php

<?php
$CONFIG = array (
  'passwordsalt' => '<removed>',
  'secret' => '<removed>',
  'trusted_domains' => 
  array (
    0 => '<removed>',
  ),
  'datadirectory' => '/var/www/sub-domains/<removed>/data',
  'dbtype' => 'mysql',
  'version' => '22.2.0.2',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '<removed>',
  'dbpassword' => '<removed>',
  'installed' => true,
  'has_internet_connection' => false,
  'config_is_read_only' => true,
  'appstoreenabled' => false,
  'default_phone_region' => '<removed>',
  'enable_previews' => false,
  'instanceid' => '<removed>',
);
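The SYSCALL record quoted in the post shows `syscall=access` with `a1=W_OK`: the process asked the kernel whether the file is writable (the check behind PHP's `is_writable()`), and SELinux audits that probe as a `{ write }` denial even though nothing was opened for writing. When triaging a noisy AVC log it helps to separate such probes from actual write attempts. The following script is an added example, not code from the post or from the Nextcloud project: it parses `ausearch -i` style records, groups them by audit event id and classifies each event. The sample records are constructed; the first event is the one from the post, the second is a hypothetical `openat` denial with write flags added for contrast.

```python
"""Classify SELinux AVC denials from `ausearch -i` output as write probes or real writes."""
import re
from collections import defaultdict

# Constructed sample: event 2909 is the access(W_OK) denial from the post,
# event 2950 is a hypothetical openat() with write flags, added for contrast.
SAMPLE = """\
type=PROCTITLE msg=audit(11/04/21 16:19:51.464:2909) : proctitle=php-fpm: pool www
type=SYSCALL msg=audit(11/04/21 16:19:51.464:2909) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7fe676e69918 a1=W_OK a2=0x0 a3=0x7fe676e36440 items=0 ppid=21592 pid=22434 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(11/04/21 16:19:51.464:2909) : avc:  denied  { write } for  pid=22434 comm=php-fpm name=config.php dev="dm-1" ino=1398378 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(11/04/21 16:20:03.100:2950) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fe676e69918 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=21592 pid=22434 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(11/04/21 16:20:03.100:2950) : avc:  denied  { write } for  pid=22434 comm=php-fpm name=config.php dev="dm-1" ino=1398378 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

# "type=AVC msg=audit(<timestamp>:<event id>) : <body>"
_HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[^)]*?):(?P<id>\d+)\) : (?P<body>.*)$")
# key=value pairs; quoted values (dev="dm-1") are kept whole
_FIELD = re.compile(r'(?P<k>[\w.-]+)=(?P<v>"[^"]*"|\S+)')

# open flags that mean the caller wanted to modify the file
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND")
# syscalls that modify a file or directory entry outright
WRITE_SYSCALLS = {"write", "pwrite64", "rename", "renameat", "renameat2",
                  "unlink", "unlinkat", "truncate", "ftruncate", "chmod", "fchmodat"}


def parse_records(text):
    """Group interpreted audit lines by event id: {id: {record type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if not m:
            continue  # not an audit record (e.g. ausearch separators)
        body = m.group("body")
        fields = {f.group("k"): f.group("v").strip('"') for f in _FIELD.finditer(body)}
        perms = re.search(r"\{ ([^}]*) \}", body)  # "{ write }" in AVC records
        if perms:
            fields["perms"] = perms.group(1).split()
        events[m.group("id")][m.group("type")] = fields
    return events


def classify(event):
    """Return 'probe', 'write' or 'other' for one grouped audit event."""
    sc = event.get("SYSCALL", {})
    name = sc.get("syscall", "?")
    if name == "access" and "W_OK" in sc.get("a1", ""):
        return "probe"  # access(2) with W_OK: an is_writable()-style check, nothing written
    if name in ("open", "openat", "openat2"):
        # flags are a1 for open(2) and a2 for openat(2)
        flags = sc.get("a1" if name == "open" else "a2", "")
        return "write" if any(f in flags for f in WRITE_FLAGS) else "other"
    if name in WRITE_SYSCALLS:
        return "write"
    return "other"


def classify_events(text):
    """Parse and classify every event in the text, ordered by event id."""
    out = []
    for eid, ev in sorted(parse_records(text).items(), key=lambda kv: int(kv[0])):
        avc = ev.get("AVC", {})
        sc = ev.get("SYSCALL", {})
        out.append({
            "id": eid,
            "comm": avc.get("comm", sc.get("comm", "?")),
            "target": avc.get("name", "?"),
            "tcontext": avc.get("tcontext", "?"),
            "perms": avc.get("perms", []),
            "syscall": sc.get("syscall", "?"),
            "kind": classify(ev),
        })
    return out


if __name__ == "__main__":
    for e in classify_events(SAMPLE):
        print(f"event {e['id']}: {e['comm']} {e['syscall']} on {e['target']} "
              f"({e['tcontext']}, {' '.join(e['perms'])}) -> {e['kind']}")
```

Feed it the output of `ausearch -m AVC,SYSCALL -i` (the `-i` flag is what turns `a1` into `W_OK` and the open flags into names) and look at the `kind` column: a steady stream of `probe` events against a file you deliberately labeled read-only, with no `write` events and no errors in nextcloud.log, is the expected footprint of a writability check and not evidence that anything was changed. Keep the file read-only; the denial itself is the control working as intended.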