• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

SELinux horror

B

bluik

Basic Pleskian
Well, well..


Here we are, at version "10.4.4" and still Plesk cannot play nicely with SELinux. Oh come on Parallels.. Upgrade from 10.3.x to 10.4.4:

type=AVC msg=audit(1327633857.275:37059): avc: denied { append } for pid=28059 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=375051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:eek:bject_r:usr_t:s0 tclass=file
type=AVC msg=audit(1327633945.711:37060): avc: denied { read append } for pid=28668 comm="named" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=375051 scontext=system_u:system_r:named_t:s0 tcontext=system_u:eek:bject_r:usr_t:s0 tclass=file
type=AVC msg=audit(1327634007.558:37067): avc: denied { read } for pid=29165 comm="postalias" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634022.751:37068): avc: denied { read } for pid=29271 comm="postalias" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634040.943:37073): avc: denied { write } for pid=29613 comm="postfix" path="/usr/local/psa/var/psasem.sem" dev=dm-0 ino=408094 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:var_t:s0 tclass=file
type=AVC msg=audit(1327634040.943:37073): avc: denied { append } for pid=29613 comm="postfix" path="/usr/local/psa/admin/logs/panel.log" dev=dm-0 ino=424179 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:usr_t:s0 tclass=file
type=AVC msg=audit(1327634056.964:37074): avc: denied { getattr } for pid=29964 comm="httpd" path="/var/www/vhosts/REDACTED.com/conf/13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:eek:bject_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327634056.967:37075): avc: denied { read } for pid=29964 comm="httpd" name="13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:eek:bject_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327634056.967:37075): avc: denied { open } for pid=29964 comm="httpd" name="13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:eek:bject_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327634079.294:37089): avc: denied { getattr } for pid=30626 comm="httpd" path="/var/www/vhosts/REDACTED.com/conf/13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:eek:bject_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327634079.294:37090): avc: denied { read } for pid=30626 comm="httpd" name="13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:eek:bject_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327634080.495:37091): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.495:37092): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.496:37093): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.496:37094): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.498:37095): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.498:37096): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.499:37097): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.499:37098): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.500:37099): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.500:37100): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.019:37101): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.020:37102): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.022:37103): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.022:37104): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.023:37105): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.023:37106): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.024:37107): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.024:37108): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.025:37109): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.025:37110): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.144:37111): avc: denied { read } for pid=30632 comm="cleanup" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.144:37112): avc: denied { read } for pid=30632 comm="cleanup" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:eek:bject_r:tmp_t:s0 tclass=lnk_file
[at this point I do setenforce 0 since it is a testing server]

I saw no mention about fixing SELinux policies in any 10.4 release notes or 10.4 MU release notes. Some things that are failing:
- AWStats spews around dozen errors each day when its daily run is done, webalizer only few
- Obviously as seen from above, updating is a mess - I hope the update resulted in an actually working installation
- Subdomains content ("httpdocs") folder&contents are created with wrong label, so FTP gives permission errors
- FastCGI&PHP sessions have wrong labels/permissions (I wrote a thread & workaround about this, I bet the update broke it again..)
- I am sure there are more but I am just SO ABSOLUTELY fed up with Plesk that I'll leave it at here
 
Last edited:
cd /root
grep avc /var/log/audit > avc.log This copies the audits into avc.log
audit2allow -M local -i avi.log This creates a local.pp selinux policy

Follow the output will tell you how to load in the local.pp policy
 
I know very well how to make full custom SELinux policies/modules, not to mention audit2allow.
My problem is that Plesk does not do this out of box. It should. Definitely. Don't you agree??
 
105547111 said:
grep avc /var/log/audit > avc.log
Click to expand...
For reference to everyone else, do not do this under any, and I mean ANY circumstances. This would allow each and every policy violation in the log to be permitted! Be it from Plesk or from malicious user!!

[edited out some unnecessary attitude problems]
 
Last edited:
Well I would assume that anyone wanting to play with policy would understand and read the audits.

And anyone setting the policy to permissive or disables is a total idiot.

So excuse me for assuming a little bit of bloody intelligence! And your all mighty 18 posts makes you then...
 
My sincere apologies for the attitude, it has been too long days for too long, without going to the details (Plesk being one of them). It's no excuse really. Next time I'll check my medicine before posting, ok?

Point was that many people just copy-paste the commands without understanding the repercussions.
 
Last edited:
No problems caught me at a bad time.

In my system most policy violations are just trivial to do with the file context.

Too many just disable selinux or set to permissive and that's about the worst you can do.
I just assumed anyone would then vi the avc.log and see. Most I find are duplicates.

You can always remove the local.pp policy, it's not like it's permanent.

If you want I could submit my edited and duplicate removed avc.log and ask for a plesk policy update.

Cheers,
David
 
You must log in or register to reply here.

Similar threads

M
Resolved Failed to start The Apache HTTP Server: SELinux impedisce a /usr/sbin/httpd un accesso open su file /var/log/modsec_audit.log. -- SOLVED --
Replies
0
Views
2K
mmcomputers
M
danami
Forwarded to devs SELinux errors due to ARC mail handler
Replies
2
Views
939
Kaspar@Plesk
Kaspar@Plesk
carini
Question network.audit in journal log
Replies
2
Views
410
carini
carini
K
Issue Apparmor denied named
Replies
5
Views
5K
LarsenD
L
E
Resolved /etc/named.conf: permission denied
Replies
1
Views
4K
Erwan
E
Back
Top