Updater fails with write permissions to main folder files (SELinux)

przemhb · March 27, 2022, 9:50pm

Nextcloud version: 22.1.1
Operating system and version: Fedora 34
Apache or nginx version: Apache 2.4.51
PHP version: 7.4.27*

When I try to use updater to update Nextcloud I get an error as follows:

## Check for write permissions
The following places can not be written to:
  * /usr/share/nextcloud/updater/../version.php
  * /usr/share/nextcloud/updater/../COPYING
  * /usr/share/nextcloud/updater/../public.php
  * /usr/share/nextcloud/updater/../cron.php
  * /usr/share/nextcloud/updater/../occ
  * /usr/share/nextcloud/updater/../AUTHORS
  * /usr/share/nextcloud/updater/../status.php
  * /usr/share/nextcloud/updater/../index.php
  * /usr/share/nextcloud/updater/../remote.php
  * /usr/share/nextcloud/updater/../console.php
  * /usr/share/nextcloud/updater/../index.html
  * /usr/share/nextcloud/updater/../robots.txt

All the files are owned by Apache (apache:apache) and its owner has rw permissions.
At the time I start the updater SELinux claims it has found an error: php-fpm tried to gain write access to one of the files given above. It recommends to solve it by issuing:

semanage fcontext -a -t FILE_TYPE 'filename'

followed by

restorecon -v 'filename'

I have tried this approach, but without success:

semanage fcontext -a -t httpd_sys_rw_content_t 'version.php'
restorecon -v 'version.php'

How to solve it? I will be thankful for your kind advice.

The output of your Nextcloud log in Admin > Logging:

Logs are empty.

The output of your config.php file in /usr/share/nextcloud (I’ve removed some parts):

<?php
$CONFIG = array (
  'log_type' => 'syslog',
  'datadirectory' => '/mnt/fedora-fedora--home--extra/nextcloud-data/',
  'updatechecker' => false,
  'check_for_working_htaccess' => false,
  'asset-pipeline.enabled' => false,
  'assetdirectory' => '/var/lib/nextcloud',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/usr/share/nextcloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/lib/nextcloud/apps',
      'url' => '/apps-appstore',
      'writable' => true,
    ),
  ),
  'trusted_domains' => 
  array (
    0 => 'holubowski.com',
  ),
  'dbtype' => 'mysql',
  'version' => '22.1.1.2',
  'overwrite.cli.url' => 'https://holubowski.com/nextcloud',
  'loglevel' => 0,
  'app_install_overwrite' => 
  array (
    0 => 'joplin',
    1 => 'checksum',
  ),
  'default_phone_region' => 'pl',
  'memcache.local' => '\\OC\\Memcache\\APCu',
);

The output of your Apache log in /var/log/httpd:

ssl_access_log
::1 - - [27/Mar/2022:23:32:07 +0200] "GET /nextcloud/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 -
::1 - - [27/Mar/2022:23:32:37 +0200] "GET /nextcloud/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 -
::1 - - [27/Mar/2022:23:32:41 +0200] "PUT /nextcloud/index.php/apps/user_status/heartbeat HTTP/1.1" 200 114
::1 - - [27/Mar/2022:23:32:41 +0200] "GET /nextcloud/index.php/apps/updatenotification/credentials HTTP/1.1" 200 87
::1 - - [27/Mar/2022:23:32:42 +0200] "POST /nextcloud/updater/ HTTP/1.1" 200 23029
::1 - - [27/Mar/2022:23:32:44 +0200] "GET /favicon.ico HTTP/1.1" 500 527
::1 - - [27/Mar/2022:23:32:45 +0200] "POST /nextcloud/updater/index.php HTTP/1.1" 200 16
::1 - - [27/Mar/2022:23:32:46 +0200] "POST /nextcloud/updater/index.php HTTP/1.1" 500 628

ssl_request_log
[27/Mar/2022:23:32:07 +0200] ::1 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /nextcloud/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" -
[27/Mar/2022:23:32:37 +0200] ::1 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /nextcloud/ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" -
[27/Mar/2022:23:32:41 +0200] ::1 TLSv1.3 TLS_AES_256_GCM_SHA384 "PUT /nextcloud/index.php/apps/user_status/heartbeat HTTP/1.1" 114
[27/Mar/2022:23:32:41 +0200] ::1 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /nextcloud/index.php/apps/updatenotification/credentials HTTP/1.1" 87
[27/Mar/2022:23:32:42 +0200] ::1 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /nextcloud/updater/ HTTP/1.1" 23029
[27/Mar/2022:23:32:44 +0200] ::1 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /favicon.ico HTTP/1.1" 527
[27/Mar/2022:23:32:45 +0200] ::1 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /nextcloud/updater/index.php HTTP/1.1" 16
[27/Mar/2022:23:32:46 +0200] ::1 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /nextcloud/updater/index.php HTTP/1.1" 628

przemhb · March 27, 2022, 10:01pm

Eventually I issued:

semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nextcloud(/.*)?'
restorecon -Rv '/usr/share/nextcloud/'

and the updater passed the check for write permissions, but I doubt it is wise to leave it like this.
What would you recommend?

The updater failed later at “Move new files in place”. It deleted some files and put Nextcloud in maintenance mode.
Is it possible to manually move those files or revert somehow?
Is there a log, where I could check why exactly it has failed with the move operation?

przemhb · March 27, 2022, 10:47pm

In /var/log/php-fpm I have found the following error:

[27-Mar-2022 22:09:41 UTC] PHP Warning:  require(/usr/share/nextcloud/updater/../version.php): failed to open stream: No such file or directory in /usr/share/nextcloud/updater/index.php on line 792
[27-Mar-2022 22:09:41 UTC] PHP Fatal error:  require(): Failed opening required '/usr/share/nextcloud/updater/../version.php' (include_path='.:/usr/share/pear:/usr/share/php') in /usr/share/nextcloud/updater/index.php on line 792

So I copied the
/mnt/fedora-fedora–home–extra/nextcloud-data/updater-oczffxf2tc6v/downloads/nextcloud/
to
/usr/share/nextcloud/

then turned off maintenance mode:

sudo -u apache php occ maintenance:mode --off
An unhandled exception has been thrown:
OC\HintException: [0]: Memcache \OC\Memcache\APCu not available for local cache (Is the matching PHP module installed and enabled?)

Switched off maintenance mode in config.php, reloaded Nextcloud and web updater started its work. It successfully finished it.

Now I am wondering how to solve those issues to be able to use the updater without any glitches…