Best posts made by Woti

Hello guys,
I stumbled over this side when I was searching about restoring Fedora filesystem permissions and how to backup and restore Nextcloud content.
I don't know how I got it done to change the whole filesystem permissions from standard to 777. I lost my root and user access too.
I got some information about to use those commands:

for p in $(rpm -qa); do rpm --setperms $p; done
for p in $(rpm -qa); do rpm --setugids $p; done

I lost my root and user access but I'd fix it with Fedoras rescue mode.
All the rpm packages are fixed as much I can see it but there are a lot of key files and files / directories which aren't fixed.
The Nextcloud data directory is untouched, it is mounted on a separat partition but the whole Nextcloud in /var/www/html/... has 777 now. I could fix this back to the right permissions, but anyway I have a feeling about that my system became unsecure.

My questions are:

1. Is there any way to get my system secure again?
2. In case I have to reinstall which is the best way to backup and restore Nextcloud? I have access to all files and /data is mounted on a separat partition.

Any help is appreciated.

Beste regards,
Woti

Finally, I got it! Nextcloud is up and running. It was litt of a mess.

1st of all the error [ssl:warn] AH01909: woti.dedyn.io:443:0 server certificate does NOT include an ID which matches the server namewas hard to figure out, but finally I found it in a .json file from Letsencrypt and as well in the localhost.crt.
When I installed Fedora I choosed woti as hostname. But just woti does not work as hostname while creating Letsencrypt certs. It has to be woti.domain.xxx. So I used my domain but I did not changed my hostname while creating my Letsencrypt certs. That's why I got an ID which not matched the servername.
I needed to create new certs.

2nd suddenly comes up a SELinux error about no access to /nextcloud/data. I needed to "Allow httpd to unified"

3th the tutorial I followed https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-centos-8/ gaves me just redirection errors. I do not why. I had to use my old config files from c-rieger.com. I'll try again later.
Maybe I can post my conf files her and you guys can take a look?

4th I used APCu as memcache before. Now I had installed Redis but I did not changed it in the Nextcloud config file. That was the reason for internal server error. Redis gives me some warnings in the redis.log. I need to check this.

Hello from Norway
Born and grew up in Germany then moved to Norway. Nothing special to say about me.

Best regards,
Woti

Hei,

Is there no update of this script to work with Fedora 31 and Nextcloud 17?

Best regards,
Woti

I'll see soon. I've reinstalled Fedora 31 Server from scratch. I'm using newer and stronger certificates following those two guides:
https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-centos-8/
https://riegers.in/nextcloud-installation-guide-ubuntu-18-04/

Next step is to restore Nextcloud DB and get Nextcloud up and running again. I'm not working with the server every day, that's why it takes some time

Best regards,
Woti

@DustinB3403 as much as I understand it, should it be enough with activating OnlyOffice and community document server.
For someone it is working, for someone else it's not working
Description
*The community document server is designed to make it easy to get OnlyOffice running in a Nextcloud instance without the need to setup an external document server, the community document server does not support all features of the official OnlyOffice document server and does not provide the same performance and scalability.

If you are setting up a larger instance of require the additional performance, please see https://onlyoffice.com for options for getting the official document server.

The community document server will automatically be configured if no other document server is configured for OnlyOffice.*

Finally I tried again. I removed all images and container and easyepg directory. I created a new directory in my /home/user/easyepg.
At first I run your SELinux command as root user. After that as user I run the script and I could successfully run the images without any SELinux errors

That's nice

I found out there was an image missing: easyepg.cron
In the script file https://raw.githubusercontent.com/dlueth/easyepg.minimal/master/init they use the flag --restart unless-stopped.

sh -c "docker create -l easyepg.minimal --name=easyepg.cron -e MODE=\"cron\" --restart unless-stopped ${OPTIONS} qoopido/easyepg.minimal:${TAG} 1> /dev/null"

This flag isn't supported by Podman.
I guess Podman won't start easyepg.cron after server restart?
Is there any solution?

I downloaded the script with wget and made it executable. I removed the flag --reload unless-stopped and it worked.
As it said, now I could convert the script to Portman and is there any way to get the SELinux label to work after reboot of the server?

Thanks a lot for your help so long @stacksofplates

@stacksofplates your semanage commands are working fine

As for now the server is rebooting once or twice in a month due updates. There's no big problem to start the service manually. Maybe one day we figure out why it isn't starting automatically.

Anyway. Thanx for your effort to get rid of the SElinux problem.

Finally I got it to work
I need to use httpd_log_t to get access through SELinux to the logfile for both httpd, php-fpm and fail2ban.
I tried and my test-IPs was banned

Finally I found the solution here on github: https://github.com/containers/libpod/issues/5494

I used podman v1.8.0 this time I generated the easyepg.service file with podman generate. There was a bug in this version which not generated default.target. In later version it is fixed. Now it is working

[Install]
WantedBy=multi-user.target default.target