
Plesk 10.4.4 with SELinux & /usr/local/psa/bin/chrootsh

C.F

Guest
This makes ssh login impossible...

ssh abc@yxz
Last login: Thu Jan 19 10:32:19 2012 from ...
execv("/bin/bash") failed
system error: Permission denied
 
Need more details on how it can be reproduced, logs, etc.
 
Jan 19 12:09:15 h1980282 sshd[27961]: Accepted publickey for bmweb from xxx.xxx.xxx.xxx port 12493 ssh2
Jan 19 12:09:15 h1980282 sshd[27961]: pam_unix(sshd:session): session opened for user bmweb by (uid=0)
Jan 19 12:09:15 h1980282 sshd[27961]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument
Jan 19 12:09:15 h1980282 sshd[27964]: Received disconnect from xxx.xxx.xxx.xxx: 11: disconnected by user
Jan 19 12:09:15 h1980282 sshd[27961]: pam_unix(sshd:session): session closed for user bmweb

How come the uid for this user is 0?

Users that are configured to have chroot access will be unable to log in via ssh "/bin/bash (chrooted)"
 
Yeah sure...
I made a new policy that allows bash and integrated it in SELinux.

Just like this... take a look into /var/log/messages (on RH-based Linux)

Jan 19 12:46:43 h1980282 plesk-chrootsh[4300]: execv("/bin/bash") failed
Jan 19 12:46:43 h1980282 plesk-chrootsh[4300]: system error: Permission denied
Jan 19 12:46:45 h1980282 setroubleshoot: SELinux is preventing /usr/local/psa/bin/chrootsh from execute access on the file /var/www/vhosts/***/lib64/ld-linux-x86-64.so.2. For complete SELinux messages. run sealert -l d0a4c45a-b7c6-4472-b299-37087e8e0018

Execute the command sealert -l d0a4c45a-b7c6-4472-b299-37087e8e0018

For example, you will get some output like:

SELinux is preventing /usr/local/psa/handlers/hooks/dk_check from read access on the fifo_file fifo_file.

***** Plugin catchall (50.5 confidence) suggests ***************************

If you believe that dk_check should be allowed read access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dk_check /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

***** Plugin leaks (50.5 confidence) suggests ******************************

If you want to ignore dk_check trying to read access the fifo_file fifo_file, because you believe it should not need this access.
Then you should report this as a bug.
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/local/psa/handlers/hooks/dk_check /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp


Do both commands, but be sure to use a more specific policy name than just mypol.
The following semodule command will take some seconds to finish.

Hope that helped.
 
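The post above builds a local policy module from whatever grep finds in the audit log. As an added example (not from the thread or from Plesk), this shell function lists the distinct denials recorded for one command, so the rules can be reviewed before audit2allow -M and semodule -i are run. The sample AVC records, their contexts, the example.test path and the module name plesk_chrootsh_local are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: list the distinct AVC denials for one command, so the rules
# that audit2allow would generate can be reviewed before semodule -i.

# Constructed audit records (contexts, pids, inodes and paths are assumptions).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1326973603.101:811): avc:  denied  { execute } for  pid=4300 comm="chrootsh" path="/var/www/vhosts/example.test/lib64/ld-linux-x86-64.so.2" dev=sda1 ino=131 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1326973609.440:812): avc:  denied  { execute } for  pid=4311 comm="chrootsh" path="/var/www/vhosts/example.test/lib64/ld-linux-x86-64.so.2" dev=sda1 ino=131 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1326973650.002:820): avc:  denied  { read } for  pid=4400 comm="dk_check" path="pipe:[9911]" dev=pipefs ino=9911 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1326973650.002:820): arch=c000003e syscall=0 success=no exit=-13 comm="dk_check" exe="/usr/local/psa/handlers/hooks/dk_check"
EOF
}

# Usage: summarize_denials COMM < audit.log
# Prints "count source_type target_type:class { perms } path" per distinct denial.
summarize_denials() {
  awk -v want="comm=\"$1\"" '
    $1 == "type=AVC" && / denied / {
      hit = 0; s = t = c = p = "-"
      for (i = 1; i <= NF; i++) {
        if ($i == want) hit = 1
        else if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        else if ($i ~ /^tclass=/)   c = substr($i, 8)
        else if ($i ~ /^path=/)     { p = substr($i, 6); gsub(/"/, "", p) }
      }
      if (!hit) next                      # exact comm match, not a substring grep
      perms = $0                          # keep only the text between the braces
      sub(/^.*[{] /, "", perms); sub(/ [}].*$/, "", perms)
      seen[s " " t ":" c " { " perms " } " p]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

# Demo on the constructed records.
sample_audit_log | summarize_denials chrootsh

# On a real host, review first, then build a narrowly named module
# (plesk_chrootsh_local is a hypothetical name):
#   summarize_denials chrootsh < /var/log/audit/audit.log
#   grep 'comm="chrootsh"' /var/log/audit/audit.log | audit2allow -M plesk_chrootsh_local
#   cat plesk_chrootsh_local.te    # read the allow rules before loading them
#   semodule -i plesk_chrootsh_local.pp
```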
Please help,

I have the same error message when I try to ssh using a normal hosting account user. I run Plesk 12, no errors in audit.log.

Secure log got this:
May 18 14:33:40 mail sshd[22764]: error: ssh_selinux_setup_pty: security_compute_relabel: Invalid argument

How to fix it? :( Tried everything, nothing worked.
 