Nextcloud version: 22.2.0 (fresh installation)
Operating system and version: RockyLinux 8 and CentOS 8 (same behavior on both)
Apache version: Apache/2.4.37
PHP version: 8.0.12
SELinux enabled with targeted policy type
For testing purposes I try to configure Nextcloud with the least amount of write access via SELinux policies. config.php is labeled as read-only for httpd and write access is set to false via Nextcloud's config.php. This seems to work fine (or at least I haven't found any bad behavior yet). The only thing I'm confused about is a write access to config.php by the php-fpm user that SELinux denies. This happens on each reload of a page (login, dashboard, files, calendar and so on), practically on every click within the web GUI of Nextcloud. Why does php-fpm try to write to Nextcloud's config.php, how can I disable it if it is not necessary, and where should I look next for more details about those write accesses? Could anyone provide me with further information on where to look (logfiles etc.) to find out more about this behavior?

Please note: In general the installation seems to be OK and functional (file upload, sync, calendar via DAV etc.). I'm just really interested in knowing what's going on under the hood.
Also note: I'm testing this with a really basic SELinux setup:
- Read-only access to the whole Nextcloud root folder including config/config.php, .htaccess and the apps folder (the app store is disabled via config.php)
- Write access only to the Nextcloud data folder, which resides outside of the mentioned Nextcloud root folder
Steps to replicate it:
- Fresh installation of Nextcloud, label the root folder as follows (below you will find only the relevant label, not the others mentioned above):
semanage fcontext -a -t httpd_sys_content_t '/var/www/sub-domains//html(/.*)?'
restorecon -Rv '/var/www/sub-domains//html/'
- Restart Apache:
systemctl restart httpd
- Reload the Nextcloud web page and check the SELinux logs:
ausearch --checkpoint "./audit-checkpoint" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i
type=PROCTITLE msg=audit(11/04/21 16:19:51.464:2909) : proctitle=php-fpm: pool www
type=SYSCALL msg=audit(11/04/21 16:19:51.464:2909) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7fe676e69918 a1=W_OK a2=0x0 a3=0x7fe676e36440 items=0 ppid=21592 pid=22434 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(11/04/21 16:19:51.464:2909) : avc: denied { write } for pid=22434 comm=php-fpm name=config.php dev="dm-1" ino=1398378 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
journalctl -t setroubleshoot --since=16:19:50
SELinux is preventing /usr/sbin/php-fpm from write access on the file config.php. For complete SELinux messages run: sealert -l 2b72413f-427d-4d22-8a24-662d8e26e6b5
sealert -l 2b72413f-427d-4d22-8a24-662d8e26e6b5
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects config.php [ file ]
Source php-fpm
Source Path /usr/sbin/php-fpm
Port <Unknown>
Host <removed>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-67.el8_4.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name <removed>
Platform Linux <removed> 4.18.0-305.19.1.el8_4.x86_64 #1 SMP
Wed Sep 15 19:12:32 UTC 2021 x86_64 x86_64
Alert Count 1697
First Seen 2021-11-03 22:57:24 CET
Last Seen 2021-11-04 16:24:51 CET
Local ID 2b72413f-427d-4d22-8a24-662d8e26e6b5
nextcloud.log
Checked for any entries with "config.php" or 1/- at the same time as the SELinux entry --> No results.
config.php
<?php
$CONFIG = array (
'passwordsalt' => '<removed>',
'secret' => '<removed>',
'trusted_domains' =>
array (
0 => '<removed>',
),
'datadirectory' => '/var/www/sub-domains/<removed>/data',
'dbtype' => 'mysql',
'version' => '22.2.0.2',
'overwrite.cli.url' => 'http://localhost',
'dbname' => 'nextcloud',
'dbhost' => 'localhost',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => '<removed>',
'dbpassword' => '<removed>',
'installed' => true,
'has_internet_connection' => false,
'config_is_read_only' => true,
'appstoreenabled' => false,
'default_phone_region' => '<removed>',
'enable_previews' => false,
'instanceid' => '<removed>',
);
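The audit records quoted above already answer part of the question, and a small parser makes the distinction visible when there are hundreds of denials: the SYSCALL record says `syscall=access` with `a1=W_OK`, i.e. the process asked the kernel "may I write this file?" via access(2), which is exactly what PHP's `is_writable()` issues; nothing was opened for writing. A denied `openat` with `O_WRONLY`/`O_RDWR`, or a `truncate`/`rename`/`unlink`, would be a real modification attempt. The following script is an added example, not part of the original post or of Nextcloud: it groups interpreted `ausearch -i` output by event serial, merges the SYSCALL and AVC fields, and labels each denial as a writability check or a write attempt. The first event is the one from the report above; the second event (serial 2915) is constructed to show what an actual write would look like.

```python
import re
from collections import defaultdict

# Constructed sample input in the interpreted format that `ausearch -i` prints.
# Event 2909 is the PROCTITLE/SYSCALL/AVC triple from the report above; event 2915
# is a constructed contrast case in which the same process opens the file for
# writing instead of merely probing writability.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(11/04/21 16:19:51.464:2909) : proctitle=php-fpm: pool www
type=SYSCALL msg=audit(11/04/21 16:19:51.464:2909) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7fe676e69918 a1=W_OK a2=0x0 a3=0x7fe676e36440 items=0 ppid=21592 pid=22434 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(11/04/21 16:19:51.464:2909) : avc: denied { write } for pid=22434 comm=php-fpm name=config.php dev="dm-1" ino=1398378 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(11/04/21 16:20:03.101:2915) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fe676e6a000 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=0 ppid=21592 pid=22434 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(11/04/21 16:20:03.101:2915) : avc: denied { write } for pid=22434 comm=php-fpm name=config.php dev="dm-1" ino=1398378 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*)\) : (.*)$")
# key=value tokens: quoted values, a word with a parenthesised suffix such as
# EACCES(Permission denied), or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\w+\([^)]*\)|\S+)')
AVC_PERM_RE = re.compile(r"denied\s+\{([^}]*)\}")


def parse_audit(text):
    """Group interpreted audit records by event serial and merge their fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rtype, stamp, body = m.groups()
        serial = stamp.rsplit(":", 1)[1]  # "11/04/21 16:19:51.464:2909" -> "2909"
        ev = events[serial]
        ev.setdefault("types", []).append(rtype)
        if rtype == "AVC":
            perm = AVC_PERM_RE.search(body)
            ev["perm"] = perm.group(1).split() if perm else []
        if rtype in ("SYSCALL", "AVC"):
            for key, val in KV_RE.findall(body):
                ev[key] = val.strip('"')
    return dict(events)


def classify(ev):
    """Tell a permission probe apart from an attempt to modify the file.

    access(2) with W_OK is what PHP's is_writable() issues: the kernel is asked
    whether a write would succeed and no bytes are written.  A denied open with
    a write flag, or a truncate/rename/unlink, means the process really tried
    to change the file.
    """
    syscall = ev.get("syscall", "")
    if syscall == "access" and "W_OK" in ev.get("a1", ""):
        return "writability-check"
    if syscall in ("open", "openat"):
        flags = ev.get("a2" if syscall == "openat" else "a1", "")
        if "O_WRONLY" in flags or "O_RDWR" in flags:
            return "write-attempt"
    if syscall in ("truncate", "ftruncate", "rename", "renameat", "unlink", "unlinkat"):
        return "write-attempt"
    return "other"


def summarize(text):
    """One row per denied event: serial, comm, target, target context, perm, class."""
    rows = []
    for serial, ev in sorted(parse_audit(text).items(), key=lambda kv: int(kv[0])):
        if "AVC" not in ev["types"]:
            continue  # not a denial
        rows.append((serial, ev.get("comm", "?"), ev.get("name", "?"),
                     ev.get("tcontext", "?"), " ".join(ev.get("perm", [])), classify(ev)))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_AUDIT):
        print(" | ".join(row))
```

Feed it real data with `ausearch -m AVC,SYSCALL -i | python3 avc_classify.py` after swapping `SAMPLE_AUDIT` for `sys.stdin.read()`; a steady stream of `writability-check` rows against a `httpd_sys_content_t` file is the application probing, which is harmless under a read-only label, whereas a `write-attempt` row is worth correlating with the Nextcloud log at the same timestamp.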