
[BUG?] Wrong selinux context {WEBSPACEROOT}/tmp/

LinqLOL

Basic Pleskian
Hi,

It seems {WEBSPACEROOT}/tmp/ has the wrong type context for SELinux. On site creation it has unconfined_u:object_r:user_home_t, which makes it impossible for php (fcgi) to write session info to it. I changed the type context to tmp_t and now it works. But this is a manual job :-(

Greets.
 
Could you please be more specific and describe this problem in more detail? How and where can it be reproduced? Step-by-step instructions would be useful.
 
Sure!

Test Code

<?php
// Writes a single session value; with a mislabelled save_path this fails on open().
session_start();
$_SESSION['test'] = "TEST";
session_write_close();
?>


PHP.INI

session.save_path = "/var/www/vhosts/xxxxxx.nl/tmp/"

Symptoms in error_log of site:

[Mon Oct 08 08:58:10 2012] [warn] [client X.X.X.X] mod_fcgid: stderr: PHP Warning: session_start(): open(/var/www/vhosts/tc-webshop.nl/tmp//sess_vl738sb6hp0v43nr61aug07ma6, O_RDWR) failed: Permission denied (13) in /var/www/vhosts/xxxxxxx.nl/httpdocs/wp-content/plugins/woocommerce/woocommerce.php on line 138
[Mon Oct 08 08:58:10 2012] [warn] [client X.X.X.X] mod_fcgid: stderr: PHP Warning: Unknown: open(/var/www/vhosts/xxxxxx.nl/tmp//sess_vl738sb6hp0v43nr61aug07ma6, O_RDWR) failed: Permission denied (13) in Unknown on line 0

Selinux audit

type=AVC msg=audit(1349685910.014:8256): avc: denied { write } for pid=28491 comm="php-cgi" name="tmp" dev=sda3 ino=9832561 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
 
Temp fix

If people are having the same problems, I made a small work-around script until Parallels fixes this.
Add the following script to a crontab and execute it once every 2 minutes or so.

Code:
#! /bin/bash
DIR="/var/www/vhosts"
cd "$DIR" || exit 1
# Every webspace directory under /var/www/vhosts (domain names contain a dot)
while read -r admin; do
    tmp="$DIR/$admin/tmp"
    if [[ -d "$tmp" ]]; then
         # tmp directory does exist, change its SELinux type context
         echo "Fixing $tmp directory"
         chcon -t tmp_t "$tmp"
    fi
done < <( ls -d *.* )
 
Well, it seems very hard for Parallels to add it, and in general with SELinux issues we have to find our own solutions :)

Instead of using the script above, the following commands would be better:

semanage fcontext -a -t tmp_t "/var/www/vhosts/([^/]*)/tmp"
semanage fcontext -a -t tmp_t "/var/www/vhosts/([^/]*)/var/tmp"
 
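Two added shell functions (example code, not the poster's script or Plesk's) for the situation in this thread: one triages AVC lines like the one quoted above and flags the php-cgi-on-user_home_t pattern, the other lists webspace tmp directories whose on-disk type is still not tmp_t. The sample audit lines are constructed, and the comment about restorecon assumes the semanage fcontext rules from the previous post have been added.

```shell
#!/bin/sh
# Added example (not from the thread): triage the AVC denials quoted above and
# check which webspace tmp dirs are still mislabelled. Field parsing assumes
# the key=value layout of the audit excerpt in the thread.
avc_summarize() {           # one line per denial: pid comm src_type tgt_type tclass name
    awk '/type=AVC/ && /avc: *denied/ {
        pid = comm = name = sctx = tctx = tclass = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "pid") pid = kv[2]
            else if (kv[1] == "comm") comm = kv[2]
            else if (kv[1] == "name") name = kv[2]
            else if (kv[1] == "scontext") sctx = kv[2]
            else if (kv[1] == "tcontext") tctx = kv[2]
            else if (kv[1] == "tclass") tclass = kv[2]
        }
        gsub(/"/, "", comm); gsub(/"/, "", name)
        split(sctx, s, ":"); split(tctx, t, ":")   # user:role:type[:level] -> type
        print pid, comm, s[3], t[3], tclass, name
    }'
}

# Keep only the pattern from this thread: a PHP FastCGI script
# (httpd_sys_script_t) denied on a "tmp" directory still typed user_home_t.
avc_webspace_tmp_mislabels() {
    avc_summarize | awk '$3 == "httpd_sys_script_t" && $4 == "user_home_t" &&
                         $5 == "dir" && $6 == "tmp" { print $2, $1, $6 }'
}

# On a live SELinux host: list webspace tmp dirs whose on-disk type is not
# tmp_t. Once the semanage fcontext rules are stored, `restorecon -Rv` on the
# listed paths applies the label, so the cron job above becomes unnecessary.
list_mislabeled_tmp_dirs() {
    root="${1:-/var/www/vhosts}"
    for d in "$root"/*/tmp "$root"/*/var/tmp; do
        [ -d "$d" ] || continue
        ctx=$(stat -c %C "$d" 2>/dev/null) || continue
        case "$ctx" in
            *:tmp_t:*|*:tmp_t) ;;                    # correctly labelled
            *) printf '%s\t%s\n' "$ctx" "$d" ;;
        esac
    done
}

# Constructed sample: the thread's denial plus one unrelated httpd denial.
SAMPLE_AVC='type=AVC msg=audit(1349685910.014:8256): avc:  denied  { write } for  pid=28491 comm="php-cgi" name="tmp" dev=sda3 ino=9832561 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1349686000.100:8300): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev=sda3 ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
printf '%s\n' "$SAMPLE_AVC" | avc_webspace_tmp_mislabels
list_mislabeled_tmp_dirs
```

Feed `ausearch -m AVC` or the raw audit.log into avc_webspace_tmp_mislabels to see whether the denial is this specific mislabelling before touching any contexts.
 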
LinqLOL, do you have addon domains or additional FTP users for a webspace with incorrect SELinux contexts? Are there any system users that have a home directory inside your webspace (grep /etc/passwd for that)? Please post all of them with their home directories (if you're hesitant to provide such information - I'm interested only in the directory nestedness properties, so you can change the directory names).
 
@nikolay The servers on which I saw this problem only have 1 main domain and no addon domains. And no system users with a home directory in a webroot.
 