
Plesk 11 (CentOS 6_64bit) & SELinux Working Fine!

PriyanA

Regular Pleskian
Here I will explain how I did it,

hoping it will help someone looking for some extra security with SELinux.

Please correct me if I am wrong.

Special thanks to Nikolay! (you will find him on this forum :) )

Please read this whole thread before you make changes to your system!

------------------------------------------------------------------------------------------
Plesk 11 | CentOS 6_64bit & SELinux - Enforcing (Newly Built VPS)


# getenforce

If it returns 'Disabled', your system is not running SELinux. If it returns 'Permissive', you can skip the next step.

-Disabled-

# vi /etc/selinux/config

and change,

SELINUX=permissive

then

# reboot

------------------------------------After restarting------------------------------------------------------------

# getenforce

Permissive

----------------------------------Then you can change SELinux-------------------------------------------------

if

# semanage

returns you,

-bash: semanage: command not found

To manage SELinux you will need to install an extension:

# yum install policycoreutils-python-2.0.83-19.30.el6.x86_64

(Use '# yum provides /usr/sbin/semanage' to find the current version available)


------------------------------------Applying Plesk SELinux Module Policy-----------------------------------------

# bash selinux_policy_upgrade_trigger.sh

# semodule -s targeted -i /usr/local/psa/etc/plesk.pp (Not sure whether you have to do this or not, but I did it)

Then

# semodule -l (make sure plesk is there)

-----------------------------------now "Force SELinux"------------------------------------------------------------

# setenforce 1

# getenforce
Enforcing

-----------------------------------Restart all the services you are using--------------------------------------------

Most probably you will find "httpd" not restarting, with a message and a port.

Use

# semanage port -a -t http_port_t -p tcp YOUR_PORT (you will have to do this a few times until all your ports are added to SELinux)

----------------------------------- PHP Session Directory---------------------------------------------------------

You will not be able to write sessions when you are running PHP as FastCGI.

to fix this,

chown apache:psacln /var/lib/php/session/

chcon system_u:object_r:httpd_sys_content_t:s0 /var/lib/php/session/

-----------------------------------You are Done!-------------------------------------------------------------------

Please use /var/log/audit/audit.log to see which services have been denied; you can use 'audit2allow' to fix them (please search the net about audit2allow).


------------------------------------When everything done!------------------------------------------------------

# vi /etc/selinux/config

and change,

SELINUX=enforcing

then

# reboot

-----------------------------------------------------------------------------------------------------------------

Plesk does not recommend using SELinux; if you enable SELinux, always keep in mind that you enabled it.

Use

# setenforce 0

to put SELinux into 'permissive' mode (logging only)

and check the audit log to see whether your problem is related to it!
 
Thanks for taking time to write your guide!

I'll make a few corrections though, as requested in another thread.

1) Actions in sections "Applying Plesk SELinux Module Policy" and "Restart all the services you are using" are required only if you have explicit problems with SELinux (like Apache not starting as it is forbidden to bind to a specific port above 1024; check audit.log to make sure it's an SELinux problem, or just temporarily go into permissive mode) and you have the wrong version of the Plesk SELinux policy module installed. To check the current version of the module:

# semodule -l | grep plesk
plesk 11.5.25


You should get a version matching your product version. If not, or if there is no output at all, check your package versions:

# rpm -qa | egrep 'plesk-core|psa-selinux'
psa-selinux-11.5.25-cos5.build115131337.08
plesk-core-11.5.25-cos5.build115131337.19


Both packages should be present and their "main" versions (11.5.25 in this case) should match.

Then to reinstall Plesk policy module and relabel all affected files, run:

# env PLESK_INSTALLER_VERBOSE=1 /usr/local/psa/etc/selinux_policy_upgrade_trigger

Alternatively you can install module manually via semodule -i as written in the post above. In this case you would need to manually relabel all files using restorecon utility as well.

2) In section "Then you can change SELinux":

# yum install policycoreutils-python

should suffice. No need to specify exact version.

3) In section "PHP Session Directory": note that chcon does not alter active policy, but rather changes security context ad-hoc. I.e., context will be reset next time this file is relabeled.
 
Thank you very much for your reply Nikolay.

For 3) I used the following; see if it is the right way to do it.

# semanage fcontext -a -t httpd_sys_content_t '/var/lib/php/session(/.*)'

Also my audit.log logs the following "denied"s:

When creating a domain via panel,

Code:
type=AVC msg=audit(1369057813.317:587): avc:  denied  { read append } for  pid=10167 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1369057813.317:587): avc:  denied  { read append } for  pid=10167 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1369057813.317:587): arch=c000003e syscall=59 success=yes exit=0 a0=24fac30 a1=24fa900 a2=24fb170 a3=7fff163c6e20 items=0 ppid=10166 pid=10167 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

When deleting a domain via panel,

Code:
type=AVC msg=audit(1369057932.659:593): avc:  denied  { unlink } for  pid=1426 comm="named" name="tmp-NhooaXG7zV" dev=dm-0 ino=787749 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1369057932.659:593): arch=c000003e syscall=87 success=no exit=-13 a0=7f3264431d40 a1=0 a2=7f325c000078 a3=22 items=0 ppid=1 pid=1426 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1369057932.663:594): avc:  denied  { unlink } for  pid=1426 comm="named" name="tmp-1u2GCSsPtW" dev=dm-0 ino=787750 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1369057932.663:594): arch=c000003e syscall=87 success=no exit=-13 a0=7f3264431d30 a1=0 a2=7f325c477b40 a3=22 items=0 ppid=1 pid=1426 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1369057934.644:595): avc:  denied  { read append } for  pid=10574 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1369057934.644:595): avc:  denied  { read append } for  pid=10574 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

not sure how to correct those,

# audit2allow -a -M httpd OR should I write a module manually for the above "denied"s?
 
For 3) I used the following; see if it is the right way to do it.

# semanage fcontext -a -t httpd_sys_content_t '/var/lib/php/session(/.*)'

Yes, this is better and will make the change permanent. Shouldn't '/var/lib/php/session(/.*)?' be used though?

Also my audit.log logs the following "denied"s:

...

not sure how to correct those,

# audit2allow -a -M httpd OR should I write a module manually for the above "denied"s?

  • /usr/local/psa/tmp/rc_actions.log is a supplementary log file with output of init scripts. Failing to write to it is okay. If I'm not mistaken this does not affect functionality in any harmful way.
  • Looks like named tries to remove temporary files, but SELinux forbids it. Unless you get a ton of temporary files somewhere that do not get cleaned up, this is quite OK too.
  • type=SYSCALL messages are connected to the messages above (they have the same serial numbers).
All in all, these errors should be safe to ignore.
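As an added illustration of the advice in this thread (reading audit.log, treating AVC and SYSCALL records with the same serial number as one event, and reviewing what audit2allow would grant before loading a module), here is a small Python parser. It is not code from the thread or from Plesk. It groups records by serial, drops the duplicate AVC lines the kernel sometimes emits, reports whether the denied syscall actually failed (success=no with exit=-13, i.e. EACCES) or was survivable (success=yes, as with the httpd execve above), and aggregates the denials into candidate allow rules in audit2allow's style so an administrator can judge them instead of loading them blindly. The sample records are the ones quoted in the thread; nothing else about the server is assumed.

```python
import re
from collections import Counter, defaultdict

# Sample audit records: the ones quoted earlier in this thread, embedded here so the
# script runs offline. Event 587 deliberately keeps its duplicated AVC line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1369057813.317:587): avc:  denied  { read append } for  pid=10167 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1369057813.317:587): avc:  denied  { read append } for  pid=10167 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1369057813.317:587): arch=c000003e syscall=59 success=yes exit=0 a0=24fac30 a1=24fa900 a2=24fb170 a3=7fff163c6e20 items=0 ppid=10166 pid=10167 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1369057932.659:593): avc:  denied  { unlink } for  pid=1426 comm="named" name="tmp-NhooaXG7zV" dev=dm-0 ino=787749 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1369057932.659:593): arch=c000003e syscall=87 success=no exit=-13 a0=7f3264431d40 a1=0 a2=7f325c000078 a3=22 items=0 ppid=1 pid=1426 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1369057932.663:594): avc:  denied  { unlink } for  pid=1426 comm="named" name="tmp-1u2GCSsPtW" dev=dm-0 ino=787750 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1369057932.663:594): arch=c000003e syscall=87 success=no exit=-13 a0=7f3264431d30 a1=0 a2=7f325c477b40 a3=22 items=0 ppid=1 pid=1426 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1369057934.644:595): avc:  denied  { read append } for  pid=10574 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")      # timestamp:serial
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")          # permissions in braces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                   # key=value or key="value"


def parse_record(line):
    """Turn one audit line into a dict, or None if it is not an AVC/SYSCALL record."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec = {"type": fields.get("type"), "time": float(m.group(1)), "serial": int(m.group(2))}
    if rec["type"] == "AVC":
        a = AVC_RE.search(line)
        if not a:
            return None
        rec["perms"] = tuple(sorted(a.group(1).split()))
        rec["comm"] = fields.get("comm")
        rec["object"] = fields.get("path") or fields.get("name")
        rec["stype"] = fields["scontext"].split(":")[2]   # e.g. httpd_t
        rec["ttype"] = fields["tcontext"].split(":")[2]   # e.g. tmp_t
        rec["tclass"] = fields["tclass"]
    elif rec["type"] == "SYSCALL":
        rec["syscall"] = int(fields["syscall"])
        rec["success"] = fields["success"] == "yes"
        rec["exit"] = int(fields["exit"])
        rec["exe"] = fields.get("exe")
    else:
        return None
    return rec


def group_events(log_text):
    """Group AVC and SYSCALL records by serial number; identical AVC lines are collapsed."""
    events = defaultdict(lambda: {"denials": [], "syscall": None})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        if rec["type"] == "AVC":
            if rec not in ev["denials"]:
                ev["denials"].append(rec)
        else:
            ev["syscall"] = rec
    return dict(events)


def summarize(log_text):
    """One row per denial with 'blocked' = whether the associated syscall really failed."""
    rows = []
    for serial, ev in sorted(group_events(log_text).items()):
        sc = ev["syscall"]
        # success=no / exit=-13 (EACCES) means the operation was refused; success=yes means the
        # denial was survivable (e.g. an inherited fd on execve); None = no SYSCALL record seen
        blocked = None if sc is None else (not sc["success"])
        for d in ev["denials"]:
            rows.append({"serial": serial, "comm": d["comm"], "perms": d["perms"],
                         "stype": d["stype"], "ttype": d["ttype"], "tclass": d["tclass"],
                         "object": d["object"], "blocked": blocked})
    return rows


def rules_needed(log_text):
    """Aggregate denials into candidate allow rules (audit2allow style) with hit counts for review."""
    counts = Counter()
    for ev in group_events(log_text).values():
        for d in ev["denials"]:
            counts[(d["stype"], d["ttype"], d["tclass"], d["perms"])] += 1
    return {"allow %s %s:%s { %s };" % (s, t, cls, " ".join(p)): n
            for (s, t, cls, p), n in counts.items()}


if __name__ == "__main__":
    for row in summarize(SAMPLE_AUDIT_LOG):
        print("%(serial)s %(comm)s %(perms)s %(stype)s -> %(ttype)s:%(tclass)s %(object)s blocked=%(blocked)s" % row)
    for rule, n in rules_needed(SAMPLE_AUDIT_LOG).items():
        print("%dx  %s" % (n, rule))
```

Run against a real file with `python this_script.py` after swapping `SAMPLE_AUDIT_LOG` for the contents of /var/log/audit/audit.log; the rule list is what an `audit2allow -a` module would grant, which makes it easy to see that loading it would permit httpd to write any `tmp_t` file rather than just rc_actions.log, and that, as noted above, ignoring these two denials is the safer choice.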
 