    Woti

    @Woti

    Best posts made by Woti

    • Fedora 31 Server Edition filesystem permissions changed to 777

      Hello guys,
      I stumbled over this site when I was searching about restoring Fedora filesystem permissions and how to backup and restore Nextcloud content.
      I don't know how I managed to change the whole filesystem permissions from standard to 777. I lost my root and user access too.
      I got some information about using those commands:

      for p in $(rpm -qa); do rpm --setperms $p; done
      for p in $(rpm -qa); do rpm --setugids $p; done
      

      I lost my root and user access but I'd fix it with Fedora's rescue mode.
      All the rpm packages are fixed as far as I can see but there are a lot of key files and files / directories which aren't fixed.
      The Nextcloud data directory is untouched, it is mounted on a separate partition but the whole Nextcloud in /var/www/html/... has 777 now. I could fix this back to the right permissions, but anyway I have a feeling that my system became insecure.

      My questions are:

      1. Is there any way to get my system secure again?
      2. In case I have to reinstall, which is the best way to backup and restore Nextcloud? I have access to all files and /data is mounted on a separate partition.

      Any help is appreciated.

      Best regards,
      Woti

      posted in IT Discussion
    • RE: Fedora 31 Server Edition filesystem permissions changed to 777

      Finally, I got it! Nextcloud is up and running. It was a bit of a mess.

      1st of all the error [ssl:warn] AH01909: woti.dedyn.io:443:0 server certificate does NOT include an ID which matches the server name was hard to figure out, but finally I found it in a .json file from Letsencrypt and as well in the localhost.crt.
      When I installed Fedora I chose woti as hostname. But just woti does not work as hostname while creating Letsencrypt certs. It has to be woti.domain.xxx. So I used my domain but I did not change my hostname while creating my Letsencrypt certs. That's why I got an ID which did not match the server name.
      I needed to create new certs.

      2nd suddenly comes up a SELinux error about no access to /nextcloud/data. I needed to "Allow httpd to unified"

      3rd the tutorial I followed https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-centos-8/ gave me just redirection errors. I do not know why. I had to use my old config files from c-rieger.com. I'll try again later.
      Maybe I can post my conf files here and you guys can take a look?

      4th I used APCu as memcache before. Now I had installed Redis but I did not change it in the Nextcloud config file. That was the reason for internal server error. Redis gives me some warnings in the redis.log. I need to check this.

      posted in IT Discussion
    • RE: If you are new drop in say hello and introduce yourself please!

      Hello from Norway 🙂
      Born and grew up in Germany then moved to Norway. Nothing special to say about me. 😄

      Best regards,
      Woti

      posted in Water Closet
    • RE: NextCloud Automated Installation

      Hei,

      Is there no update of this script to work with Fedora 31 and Nextcloud 17?

      Best regards,
      Woti

      posted in IT Discussion
    • RE: Fedora 31 Server Edition filesystem permissions changed to 777

      I'll see soon. I've reinstalled Fedora 31 Server from scratch. I'm using newer and stronger certificates following those two guides:
      https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-centos-8/
      https://riegers.in/nextcloud-installation-guide-ubuntu-18-04/

      Next step is to restore Nextcloud DB and get Nextcloud up and running again. I'm not working with the server every day, that's why it takes some time 🙂

      Best regards,
      Woti

      posted in IT Discussion
    • RE: Fedora 31 Server Edition filesystem permissions changed to 777

      @DustinB3403 as far as I understand it, it should be enough to activate OnlyOffice and the community document server.
      For someone it is working, for someone else it's not working.
      Description
      *The community document server is designed to make it easy to get OnlyOffice running in a Nextcloud instance without the need to setup an external document server, the community document server does not support all features of the official OnlyOffice document server and does not provide the same performance and scalability.

      If you are setting up a larger instance or require the additional performance, please see https://onlyoffice.com for options for getting the official document server.

      The community document server will automatically be configured if no other document server is configured for OnlyOffice.*

      posted in IT Discussion
    • RE: Fedora 31 Server, podman and SELinux

      Finally I tried again. I removed all images and containers and the easyepg directory. I created a new directory in my /home/user/easyepg.
      At first I ran your SELinux command as root user. After that as user I ran the script and I could successfully run the images without any SELinux errors 🙂

      That's nice 🙂

      I found out there was an image missing: easyepg.cron
      In the script file https://raw.githubusercontent.com/dlueth/easyepg.minimal/master/init they use the flag --restart unless-stopped.

      sh -c "docker create -l easyepg.minimal --name=easyepg.cron -e MODE=\"cron\" --restart unless-stopped ${OPTIONS} qoopido/easyepg.minimal:${TAG} 1> /dev/null"
      

      This flag isn't supported by Podman.
      I guess Podman won't start easyepg.cron after server restart?
      Is there any solution?

      I downloaded the script with wget and made it executable. I removed the flag --reload unless-stopped and it worked.
      As it said, now I could convert the script to Podman and is there any way to get the SELinux label to work after reboot of the server?

      Thanks a lot for your help so long @stacksofplates 🙂

      posted in IT Discussion
    • RE: Fedora 31 Server, podman and SELinux

      @stacksofplates your semanage commands are working fine 🙂

      posted in IT Discussion
    • RE: Fedora 31 Server, podman and SELinux

      As for now the server is rebooting once or twice in a month due to updates. There's no big problem to start the service manually. Maybe one day we figure out why it isn't starting automatically.

      Anyway. Thanks for your effort to get rid of the SELinux problem. 🙂

      posted in IT Discussion
    • RE: Fail2Ban not working with Fedora-Server Edition

      Finally I got it to work 🙂
      I need to use httpd_log_t to get access through SELinux to the logfile for both httpd, php-fpm and fail2ban.
      I tried and my test-IPs were banned 🙂

      posted in IT Discussion

    Latest posts made by Woti

    • RE: Fedora 39 Server as host with HAproxy and Qemu/KVM virtual machines. Trouble with communication.

      oookkaayyyy I'll try with a VM for the proxy 🙂

      posted in IT Discussion
    • RE: Fedora 39 Server as host with HAproxy and Qemu/KVM virtual machines. Trouble with communication.

      Hello again 🙂

      @Mario-Jakovina:
      Because one domain is intended for everyday use and the other for testing purposes. The domain for everyday use has been in use for a few years. This domain is used for Debian with Nextcloud. Since Nextcloud is developing very quickly, I would like to have an extra VM for testing purposes.
      Since I also need ports 80 and 443 from the outside for testing, I have to use a reverse proxy that routes the requests from the same external IP inside to the correct local IPs of the corresponding VMs.
      That's why there are 2 different DynDNS domains.
      Or, perhaps I am expressing myself incorrectly. I mean ONE Dyndns domain with a subdomain. For example, the main domain is <mycloud.home-webserver.no> and the subdomain is <mycloud-testing.home-webserver.no>

      Yes, I tried bridge mode. That hadn't worked. But I found the error at least and the bridge between the host and the VMs works now. I can ping the VMs from the host and vice versa, with IP address and domain name.

      However, I can only reach the VMs via their local IP address, not via the domains when using a browser.

      @scottalanmiller
      Because I thought it was easier. I didn't want another VM just because of HAProxy. That's even more maintenance work.
      I understand what you mean about the host should remain isolated. That's how it has been so far.
      Now with the new configuration it is no longer isolated, that's true. I agree with you, it is a security risk.
      On the other hand, I don't want to set up yet another physical device for the HAProxy either.

      What's the best match here?

      posted in IT Discussion
    • Fedora 39 Server as host with HAproxy and Qemu/KVM virtual machines. Trouble with communication.

      Hei,

      I am running the latest Fedora 39 Server Edition with one VM as Qemu/KVM. The VM is connected to the network via “Direct Attachment”. A Debian 11 Linux with Nextcloud is running in the VM.
      The data traffic is sent from the router directly to the local IP of the VM for ports 80 and 443. For the WAN IP I use a DynDNS service.
      Since the VM is connected to the host's network device via "direct attachment", the host and the VM are isolated from each other. Everything works great. The local IP range I can use is 10.0.0.1 to 10.0.0.137. 10.0.0.138 is the router.
      So much for the basic configuration.

      I would now like to add one or two more VMs to the host via Qemu/KVM. These should also be reachable from outside.
      I installed HAProxy on the Fedora host and configured it accordingly. "Direct Attachment" between host and VM does not work with HAProxy. I tried with "Virtual Network" and "Bridge to LAN". For both, a new local network with IP range 192.168.122.x is created.
      The HAProxy finds the two VMs. With my DynDNS provider I have created corresponding domains for the respective VMs, which are updated via ddclient. The problem is that the VMs cannot be reached from outside. I can ping them locally.
      I think the problem lies with the bridge between host and VMs.
      If I install HAProxy on a separate PC and connect the VMs to the host via "Direct Attachment", the connection from outside works. But I don't want to use an extra PC just for the HAProxy. Surely this must also work with my Fedora Host Server?
      Google and all AIs couldn't help me.
      I hope human intelligence can help you. 🙂

      Any help is greatly appreciated.

      posted in IT Discussion
    • RE: Fedora 31 Server, podman and SELinux

      I see 🙂 I haven't tried your solution yet. But I did read about your kind of solution on Red Hat Access sites.
      The case with default.target is that, if podman containers run as user they have no access on multi-user.target through systemd. If I did understand right 😄 That's why you have to use default.target instead.

      I'll try your solution in a VM soon.

      posted in IT Discussion
    • RE: Fedora 31 Server, podman and SELinux

      Finally I found the solution here on github: https://github.com/containers/libpod/issues/5494

      I used podman v1.8.0. This time I generated the easyepg.service file with podman generate. There was a bug in this version which did not generate default.target. In a later version it is fixed. Now it is working 🙂

      [Install]
      WantedBy=multi-user.target default.target
      
      posted in IT Discussion
    • RE: Fedora 31 Server, podman and SELinux

      @stacksofplates said in Fedora 31 Server, podman and SELinux:

      @Woti said in Fedora 31 Server, podman and SELinux:

      Hei, I wanted to try your solution. First, I wanted to run my container setup but I get this error:

      systemctl --user status container-easyepg.service
      Failed to connect to bus: No such file or directory
      

      I haven't changed anything since the last time and the container file exists...
      I can start it in Cockpit but not in the console. Strange...

      I figured out: I need to issue the above command as user not as root.
      Is it wrong to issue this command as user? I set up podman to use easyepg as user not as root.
      Maybe that's why the container does not start during boot?

      Which podman owner are you using @stacksofplates : user or root?

      I'm using user but not that way. I put the service in /etc/systemd/system and set a user in the unit file. So I still start it with sudo systemctl restart plex but systemd uses the user defined in the unit file to run the service.

      Okay. I have mine in /home/user/.config... one or another hidden directory created by the podman generate command.
      Stupid question maybe: but what is the unit file?

      posted in IT Discussion
    • RE: Fail2Ban not working with Fedora-Server Edition

      Finally I got it to work 🙂
      I need to use httpd_log_t to get access through SELinux to the logfile for both httpd, php-fpm and fail2ban.
      I tried and my test-IPs were banned 🙂

      posted in IT Discussion
    • RE: Fedora 31 Server, podman and SELinux

      Hei, I wanted to try your solution. First, I wanted to run my container setup but I get this error:

      systemctl --user status container-easyepg.service
      Failed to connect to bus: No such file or directory
      

      I haven't changed anything since the last time and the container file exists...
      I can start it in Cockpit but not in the console. Strange...

      I figured out: I need to issue the above command as user not as root.
      Is it wrong to issue this command as user? I set up podman to use easyepg as user not as root.
      Maybe that's why the container does not start during boot?

      Which podman owner are you using @stacksofplates : user or root?

      posted in IT Discussion
    • RE: Fail2Ban not working with Fedora-Server Edition

      I used this command to give Apache and php-fpm read and write access to the logfile

      semanage fcontext -a -t httpd_sys_rw_content_t '/var/log/nextcloud(/.*)?'
      restorecon -Rv '/var/log/nextcloud/'
      

      But how to give fail2ban access through SELinux?
      Using fail2ban_log_t as described here https://linux.die.net/man/8/fail2ban_selinux is not working.
      Of course I can remove the above SELinux file context and issue:

      semanage fcontext -a -t fail2ban_log_t '/var/log/nextcloud(/.*)?'
      restorecon -Rv '/var/log/nextcloud/'
      

      This way I get read write access to the nextcloud logfile for fail2ban but not to Apache php-fpm anymore.
      It is confusing.

      posted in IT Discussion
    • RE: Fail2Ban not working with Fedora-Server Edition

      Now I get SELinux error: SELinux prevents f2b / f.nextcloud from accessing the nextcloud directory with search access.
      My nextcloud.log file is in /var/log/nextcloud/nextcloud.log

      posted in IT Discussion