How to get further with Plesk 12 incompatibility with CentOS 7

Christian_Heutger

Basic Pleskian
As of CentOS 7, the system ships with SELinux enabled by default. There is a reason why distributions choose to enable SELinux, switch to systemd etc., so disabling SELinux manually can't be the solution. So finally Plesk 12 must then be stated as incompatible with CentOS 7 or the paid Red Hat Enterprise Linux 7, although the official documentation states otherwise.

BUT there are some possibilities to get it running somehow (a bit); it just always requires performing

# audit2allow -a -M mypolicy
# semodule -i mypolicy.pp (may require installing policycoreutils-python via yum if not done yet)

It's also possible to see what all goes wrong, so if you wonder why the fail2ban daemon fails, why proftpd does not create any log entries, why you aren't able to write to different locations or why postfix fails to resolve host names, just check the output of mypolicy.te (cat mypolicy.te) and see which policies are not set by Parallels. However, I also opened a CentOS bug; maybe CentOS is willing to do the job for Parallels/Odin. Here is an initial output after a fresh update of selinux-policy, with basic problems just after a reboot:

module mypolicy 1.0;

require {
    type mail_spool_t;
    type var_run_t;
    type var_t;
    type fail2ban_t;
    type usr_t;
    type postfix_postdrop_t;
    type httpd_t;
    type iptables_t;
    type fail2ban_client_t;
    type var_log_t;
    type httpd_log_t;
    type sendmail_t;
    type httpd_sys_rw_content_t;
    type cron_log_t;
    type spamd_update_t;
    type ftpd_t;
    type httpd_sys_content_t;
    type system_mail_t;
    type spamd_t;
    type dhcpc_t;
    class sock_file { write create };
    class lnk_file getattr;
    class dir { write getattr read open search };
    class file { write rename getattr read open ioctl };
}

#============= dhcpc_t ==============

#!!!! This avc is allowed in the current policy
allow dhcpc_t httpd_sys_content_t:file getattr;

#============= fail2ban_client_t ==============

#!!!! This avc is allowed in the current policy
allow fail2ban_client_t var_run_t:dir write;

#!!!! This avc is allowed in the current policy
allow fail2ban_client_t var_run_t:sock_file write;

#============= fail2ban_t ==============

#!!!! This avc is allowed in the current policy
allow fail2ban_t var_run_t:sock_file create;

#============= ftpd_t ==============

#!!!! This avc is allowed in the current policy
allow ftpd_t cron_log_t:file open;

#!!!! This avc is allowed in the current policy
allow ftpd_t httpd_log_t:dir { read getattr open search };

#!!!! This avc is allowed in the current policy
allow ftpd_t httpd_log_t:file read;

#!!!! This avc is allowed in the current policy
allow ftpd_t httpd_log_t:lnk_file getattr;

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t httpd_log_t:dir read;

#!!!! This avc is allowed in the current policy
allow httpd_t mail_spool_t:file rename;

#!!!! This avc is allowed in the current policy
allow httpd_t var_log_t:file open;

#!!!! This avc is allowed in the current policy
allow httpd_t var_t:file { read write };

#============= iptables_t ==============

#!!!! This avc is allowed in the current policy
allow iptables_t httpd_log_t:file read;

#============= postfix_postdrop_t ==============

#!!!! This avc is allowed in the current policy
allow postfix_postdrop_t httpd_sys_rw_content_t:file write;

#============= sendmail_t ==============

#!!!! This avc is allowed in the current policy
allow sendmail_t var_t:file write;

#============= spamd_t ==============

#!!!! This avc is allowed in the current policy
allow spamd_t httpd_sys_content_t:file ioctl;

#============= spamd_update_t ==============

#!!!! This avc is allowed in the current policy
allow spamd_update_t httpd_sys_content_t:file open;

#============= system_mail_t ==============

#!!!! This avc is allowed in the current policy
allow system_mail_t httpd_sys_rw_content_t:file getattr;

#!!!! This avc is allowed in the current policy
allow system_mail_t usr_t:file write;
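
An added example, not part of the original post and not code from Plesk or CentOS: a module built with audit2allow -a -M turns every logged denial into an allow rule, so the generated .te file is worth reviewing rule by rule before semodule -i loads it. The sketch below parses the allow rules and flags those the current policy already grants (audit2allow's own marker comment), those targeting generic types such as var_t or usr_t, and those granting write-type permissions; the GENERIC_TYPES and WRITE_PERMS sets and the flag names are assumptions of this example.

```python
import re

# Assumption of this example: generic types that usually mean the target file
# never received a specific label (fix the label, not the policy).
GENERIC_TYPES = {"var_t", "usr_t", "var_run_t", "var_log_t", "tmp_t", "default_t"}
WRITE_PERMS = {"write", "append", "create", "rename", "unlink", "setattr"}
ALREADY = "This avc is allowed in the current policy"  # audit2allow's own marker
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def review_te(text):
    """Return one finding per allow rule in an audit2allow-generated .te file."""
    findings, already = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            already = already or ALREADY in line
            continue
        m = ALLOW_RE.match(line)
        if not m:
            continue
        src, tgt, cls, perm_set, perm_one = m.groups()
        perms = set((perm_set or perm_one or "").split())
        flags = []
        if already:
            flags.append("already-allowed")   # current policy already grants this
        if tgt in GENERIC_TYPES:
            flags.append("generic-target")    # check file labels first
        if perms & WRITE_PERMS:
            flags.append("write-access")
        findings.append({"rule": f"{src} -> {tgt}:{cls}",
                         "perms": sorted(perms), "flags": flags})
        already = False                       # marker applies to one rule only
    return findings

# Constructed sample: three rules from the post; the marker comment was
# removed from the last one so that both cases appear.
SAMPLE_TE = """\
#============= httpd_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_t var_t:file { read write };
#============= ftpd_t ==============
#!!!! This avc is allowed in the current policy
allow ftpd_t httpd_log_t:file read;
#============= system_mail_t ==============
allow system_mail_t usr_t:file write;
"""

if __name__ == "__main__":
    for f in review_te(SAMPLE_TE):
        print(f"{f['rule']:<32} {','.join(f['perms']):<12} {' '.join(f['flags']) or '-'}")
```

A generic-target flag is usually a cue to check file labels (ls -Z, restorecon) before widening the policy.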
 
Hi Christian_Heutger,

sorry, but you declare something a "bug" which is only a misconfiguration. Using SELinux with Plesk is indeed possible, but not recommended, and you have to make sure that you change/edit SELinux policies on your very own, without the help of Plesk, which doesn't replace a server administrator; it only makes his/her life/job easier.
 
Sorry, but I do not see any misconfiguration in doing a minimal install with standard settings, which have their sense. Plesk is supposed to be used instead of manually administrating the server, so then it should work or should not state that they support a system they don't with minimal standard settings. E.g. other processes also fail because of systemd by default with CentOS 7 now; do I need to manually change to SysVinit? Is this the idea of server automation?

It's like selling a navigation system for cars, but it only works, if you disable the airbag to work with particular cars. But for sure, you can take care by yourself not to be involved in a car crash.
 
Hi Christian_Heutger,

you are right to state
"Sorry, but I do not see any misconfiguration in doing a minimal install with standard settings, which have their sense"
but installing Plesk on your server isn't a standard for CentOS 7, and therefore a standard/minimal configuration can and will lead to problems/issues if you can't handle/edit/configure SELinux configurations and policies for your additional software. You now have two possibilities: you either do without SELinux, or you learn how to configure SELinux to work with Plesk. Plesk itself isn't shipped with SELinux and it doesn't configure/modify it. If you think that Plesk should also implement its own SELinux configurations/modifications, you might vote for such a feature for upcoming Plesk versions at: http://plesk.uservoice.com

As I stated before, Plesk DOES work with SELinux, but you have to configure it in order to work with Plesk. The suggestion to disable SELinux is a short workaround, but you will also find additional suggestions and workarounds in the Odin/Parallels Knowledge Base (examples: http://kb.odin.com/115299 - http://kb.odin.com/125072 - ...), or here in the forums for several issues or known problems.
 