I personally think it's essential to fix this in this package. If we don't then people install this package, start the client and it will fail without telling why (unless you start it from the console to see what's wrong). That's not why I as a user would expect from a package in EPEL.
I have very little experience with selinux in building rpm's, but it should be trivial to fix. If I have some spare time in the coming days I will try and make a suggestion.
This update has been submitted for testing by nonamedotc.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
selinux deny: mprotect failed in ExecutableAllocator::makeExecutable: Permission denied
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
@marcovr - this may be due to differences in SELinux rules between epel and fedora. Not sure what nextcloud-client can do.
@nonamedotc : with setsebool selinuxuser_execmod=on -P it works. I have checked RHEL/Rocky 8 and selinuxuser_execmod is on by default.
I don't know the implications by setting the boolean to on when installing the nextcloud client but if Fedora 36, RHEL 8 have this boolan to on...
For the .spec file (not tested):
%global selinuxbooleans selinuxuser_execmod=on
%post %selinux_set_booleans -s %{selinuxtype} %{selinuxbooleans}
%postun %selinux_unset_booleans -s %{selinuxtype} %{selinuxbooleans}
I am not sure if I want to go about changing selinux booleans ...
I am not sure if this is even allowed in packaging guidelines
In Fedora, this value is on.
This may upto selinux policy maintainers to address and not nextcloud-client.
I agree, we should fix this on a more granular selinux way. I will see what is needed for nextcloud-client without setting the global boolean.
This seems to allow it but I cannot really check if it is the same as just allow it with the boolean.
============= unconfined_t ==============
!!!! This avc can be allowed using the boolean 'selinuxuser_execmod'
allow unconfined_t user_tmp_t:file execmod;
This update can be pushed to stable now if the maintainer wishes
Alright, I am going to push this to stable.
SELInux rules are beyond the scope of this specific package, IMO. What do you think?
I personally think it's essential to fix this in this package. If we don't then people install this package, start the client and it will fail without telling why (unless you start it from the console to see what's wrong). That's not why I as a user would expect from a package in EPEL.
I have very little experience with selinux in building rpm's, but it should be trivial to fix. If I have some spare time in the coming days I will try and make a suggestion.
I am eagerly awaiting a working version of nextcloud-client, any update? Cheers.
I am checking. i emailed the EPEL mailing list.
I am getting this built and will submit an update in the next day or two. It will be direct update to v3.6.0.
Sorry for the delay.
This update has been obsoleted by nextcloud-client-3.6.0-2.el9.