• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Plesk 11 (CentOS 6_64bit) & SELinux Working Fine!

PriyanA

Regular Pleskian
Here i will explain how did i do it,

hoping it will help someone looking for some extra security with SELinux.

Please correct me if i am wrong.

Special Thanks to Nikolay! (you will find on this forum :) )

Please Read this whole Thread before you making changes to your system!

------------------------------------------------------------------------------------------
Plesk 11 | CentOS 6_64bit & SELinux - Enforcing (Newly Built VPS)


# getenforce

if you find it 'Disable' your system not running SELinux. if it is 'permissive' you can skip the next step.

-Disabled-

# vi /etc/selinux/config

and change,

SELINUX=permissive

then

# reboot

------------------------------------After restarting------------------------------------------------------------

# getenforce

Permissive

----------------------------------Then you can change SELinux-------------------------------------------------

if

# semanage

returns you,

-bash: semanage: command not found

to manage SELinux you will require to install a extension

# yum install policycoreutils-python-2.0.83-19.30.el6.x86_64

(Use '# yum provides /usr/sbin/semanage' to find the current version available)


------------------------------------Applying Plesk SELinux Module Policy-----------------------------------------

# bash selinux_policy_upgrade_trigger.sh

# semodule -s targeted -i /usr/local/psa/etc/plesk.pp (Not Sure you have to do this or not, well i did it)

Then

# semodule -l (make sure plesk is there)

-----------------------------------now "Force SELinux"------------------------------------------------------------

# setenforce 1

# getenforce
Enforcing

-----------------------------------Restart all the services you are using--------------------------------------------

Most Probably you will find "httpd" not restarting with msg and a port,

-use

# semanage port -a -t http_port_t -p tcp YOUR_PORT (you will have to do this few times until all your ports added to SELinux)

----------------------------------- PHP Session Directory---------------------------------------------------------

You will not able to write session when you are running php as FastCGI

to fix this,

chown apache:psacln /var/lib/php/session/

chcon system_u:eek:bject_r:httpd_sys_content_t:s0 /var/lib/php/session/

-----------------------------------You are Done!-------------------------------------------------------------------

Please use /var/log/audit/audit.log to see which services have been denied, you can use 'audit2allow' to fix them (please search on next about audit2allow)


------------------------------------When everything done!------------------------------------------------------

# vi /etc/selinux/config

and change,

SELINUX= enforcing

then

# reboot

-----------------------------------------------------------------------------------------------------------------

Plesk is not recommending to use SELinux, if you Enable SELinux, always keep in mind you Enabled it.

Use,

# setenforce 0

to get SELinux to 'permissive' Mode (only log ing)

and check the audit log for the your if it is related problem!
 
Last edited:
Thanks for taking time to write your guide!

I'll make a few corrections though, as requested in another thread.

1) Actions in sections "Applying Plesk SELinux Module Policy" and "Restart all the services you are using" are required only if you have explicit problems with SELinux (like Apache not starting as it is forbidden to bind to specific port above 1024; check audit.log to make sure it's SELinux problem or just temporarily go into permissive mode) and you have wrong version of Plesk SELinux policy module installed. To check current version of the module:

# semodule -l | grep plesk
plesk 11.5.25


You should get version matching your product version. If not or there is no output at all, check your packages versions:

# rpm -qa | egrep 'plesk-core|psa-selinux'
psa-selinux-11.5.25-cos5.build115131337.08
plesk-core-11.5.25-cos5.build115131337.19


Both packages should be present and their "main" versions (11.5.25 in this case) should match.

Then to reinstall Plesk policy module and relabel all affected files, run:

# env PLESK_INSTALLER_VERBOSE=1 /usr/local/psa/etc/selinux_policy_upgrade_trigger

Alternatively you can install module manually via semodule -i as written in the post above. In this case you would need to manually relabel all files using restorecon utility as well.

2) In section "Then you can change SELinux":

# yum install policycoreutils-python

should suffice. No need to specify exact version.

3) In section "PHP Session Directory": note that chcon does not alter active policy, but rather changes security context ad-hoc. I.e., context will be reset next time this file is relabeled.
 
Thank you very much for your reply Nicolay

for 3) I used, see if it is the right way to do it.

# semanage fcontext -a -t httpd_sys_content_t '/var/lib/php/session(/.*)'

also my audit.log log following "denied"

When creating a domain via panel,

Code:
type=AVC msg=audit(1369057813.317:587): avc:  denied  { read append } for  pid=10167 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1369057813.317:587): avc:  denied  { read append } for  pid=10167 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1369057813.317:587): arch=c000003e syscall=59 success=yes exit=0 a0=24fac30 a1=24fa900 a2=24fb170 a3=7fff163c6e20 items=0 ppid=10166 pid=10167 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

When deleting a domain via panel,

Code:
type=AVC msg=audit(1369057932.659:593): avc:  denied  { unlink } for  pid=1426 comm="named" name="tmp-NhooaXG7zV" dev=dm-0 ino=787749 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1369057932.659:593): arch=c000003e syscall=87 success=no exit=-13 a0=7f3264431d40 a1=0 a2=7f325c000078 a3=22 items=0 ppid=1 pid=1426 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1369057932.663:594): avc:  denied  { unlink } for  pid=1426 comm="named" name="tmp-1u2GCSsPtW" dev=dm-0 ino=787750 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1369057932.663:594): arch=c000003e syscall=87 success=no exit=-13 a0=7f3264431d30 a1=0 a2=7f325c477b40 a3=22 items=0 ppid=1 pid=1426 auid=4294967295 uid=25 gid=25 euid=25 suid=25 fsuid=25 egid=25 sgid=25 fsgid=25 tty=(none) ses=4294967295 comm="named" exe="/usr/sbin/named" subj=system_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1369057934.644:595): avc:  denied  { read append } for  pid=10574 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1369057934.644:595): avc:  denied  { read append } for  pid=10574 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=1187353 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file

not sure how to correct those,

# audit2allow -a -M httpd OR should i write a Module manually for the above "denied"s?
 
for 3) I used, see if it is the right way to do it.

# semanage fcontext -a -t httpd_sys_content_t '/var/lib/php/session(/.*)'

Yes, this is better and will make the change permanent. Shouldn't '/var/lib/php/session(/.*)?' be used though?

also my audit.log log following "denied"

...

not sure how to correct those,

# audit2allow -a -M httpd OR should i write a Module manually for the above "denied"s?

  • /usr/local/psa/tmp/rc_actions.log is a supplementary log file with output of init scripts. Failing to write to it is okay. If I'm not mistaken this does not affect functionality in any harmful way.
  • Looks like named tries to remove temporary files, but SELinux forbids it. Unless you get a ton of temporary files somewhere that do not get cleaned up, this is quite OK too.
  • type=SYSCALL messages are connected to the messages above (they have the same serial numbers).
All in all, these errors should be safe to ignore.
 
Back
Top