1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

SELinux fixes/workarounds for RHEL/CentOS 5/6 & Plesk 10

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by bluik, Mar 30, 2012.

  1. bluik

    bluik Basic Pleskian

    14
    85%
    Joined:
    Jul 5, 2011
    Messages:
    40
    Likes Received:
    0
    While setting up RHEL and CentOS servers, both 5 and 6, with Plesk 10 I have come across a lot of SELinux policy violations which means Plesk or its components will not work if SELinux is set to enforcing mode (`/usr/sbin/getenforce` shows 1).
    Symptoms are 'weird' access denied errors while permissions look OK and "avc" lines showing up in /var/log/audit/audit.log and/or some other place where SELinux logs go (could be /var/log/messages with audispd/setroubleshootd).
    As someone else on this forum said: "you are a fool if you disable SELinux". So do not just disable enforcing mode or SELinux! Get Parallels to fix the policy!!

    Some of my fixes/workarounds:

    PHP as mod_fcgi: PHP Session directory /var/lib/php/session & files in it not writable
    - Ensure owner/group is apache:psacln, mode 770.
    - Could be fixed by picking up an existing context `sesearch` that has correct permissions; `chcon` is the quick fix but does not survive relabeling, better way is to create specification for the file context:
    - Or more correctly by creating a completely new SELinux type for the session directory; an early work-in-progress version of this is in another thread with my various ramblings. The best solution would be to create new very restricted domain for FastCGI but it is a lot of work. I am sure it could improve the security if done properly (disable /proc for LFI for example). FastCGI should need less permissions than Apache.
    - Or just create a policy based on `audit2allow` that allows access from httpd_sys_script_t source process type to the httpd_var_run_t file type:
    - Note: For RHEL6/CentOS6 you need to add " open" at the two locations after "getattr". Giving access to httpd_var_run_t might be a security risk which is why new type would be better. Anyhow httpd_t (PHP run as module) has this permission so it should be fine.

    ClamAV (from atomic): can't freshclam or use JIT due to RWX mmap
    - It should fallback to interpreter mode which is slow.
    - It might not be a good idea to enable the below because it opens a door for exploits. I rather opted for interpreter mode and disabled JIT for more security. Complex security issue, see discussion for full security implications: https://bugzilla.redhat.com/show_bug.cgi?id=573191
    - Simple `audit2allow`:
    PSA Panel: Log file context wrong
    - The panel automatic restart (?) system cannot update its own logfile.
    - "append" to the file is also required by named_t. The workaround below does not fix it. There is no common appropriate file context that could be used for both httpd_t and named_t. Proper solution would be a new type. Perhaps after I get this batch of servers to production (with SELinux enabled) I try to find time to create proper single policy package that fixes most of these.
    - Partial fix by changing file context from usr_t to httpd_log_t:
    Postfix on sending mail: /usr/local/psa/handlers/spool invalid fcontext/policy
    - Don't know what to do with this. Plesk has specified a file context:
    So either the read is not supposed to happen and a dontaudit policy should be created; or the type postfix_master_t should be allowed allowed access to type mail_spool_t. This could be the most obvious bug in Plesk SELinux policy. I hope someone could clarify and I would not need to trace the process.

    Postfix: Problem with fifo, no solution
    - For this one I also am unsure what to do since I cannot find the inode of the fifo in the error. `find / -inum` does not find it?
    - I am not familiar enough with Postfix to even start on this one. It could be possible to just `audit2allow` it but what are the security implications of doing so blindly?

    I have said it before and I say it again. Plesk should be secure by default and actually work with sane security settings on the OS side (SELinux enabled).

    As usual all this comes with no warranty whatsoever, no liability etc. Use at your own risk.
     
    Last edited: Apr 3, 2012
  2. bluik

    bluik Basic Pleskian

    14
    85%
    Joined:
    Jul 5, 2011
    Messages:
    40
    Likes Received:
    0
    How to use the SELinux policies:
    save to a file, using ex.te here
    And after file context changes with semanage fcontext, do a `restorecon -vr` on the directory/file.
     
    Last edited: Apr 3, 2012
  3. bluik

    bluik Basic Pleskian

    14
    85%
    Joined:
    Jul 5, 2011
    Messages:
    40
    Likes Received:
    0
    Subscriptions that need to send mail cannot write to log files
    - Needs investigation
    This could be a file descriptor leak because I just saw it happen to all of the few test domains/subscriptions on this server.
     
    Last edited: Apr 1, 2012
Loading...