
SELinux horror

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by bluik, Jan 26, 2012.

  1. bluik (Basic Pleskian)

    Well, well..


    Here we are, at version "10.4.4" and still Plesk cannot play nicely with SELinux. Oh come on, Parallels. Upgrade from 10.3.x to 10.4.4:

    type=AVC msg=audit(1327633857.275:37059): avc: denied { append } for pid=28059 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=375051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
    type=AVC msg=audit(1327633945.711:37060): avc: denied { read append } for pid=28668 comm="named" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=375051 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
    type=AVC msg=audit(1327634007.558:37067): avc: denied { read } for pid=29165 comm="postalias" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634022.751:37068): avc: denied { read } for pid=29271 comm="postalias" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634040.943:37073): avc: denied { write } for pid=29613 comm="postfix" path="/usr/local/psa/var/psasem.sem" dev=dm-0 ino=408094 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
    type=AVC msg=audit(1327634040.943:37073): avc: denied { append } for pid=29613 comm="postfix" path="/usr/local/psa/admin/logs/panel.log" dev=dm-0 ino=424179 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
    type=AVC msg=audit(1327634056.964:37074): avc: denied { getattr } for pid=29964 comm="httpd" path="/var/www/vhosts/REDACTED.com/conf/13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
    type=AVC msg=audit(1327634056.967:37075): avc: denied { read } for pid=29964 comm="httpd" name="13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
    type=AVC msg=audit(1327634056.967:37075): avc: denied { open } for pid=29964 comm="httpd" name="13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
    type=AVC msg=audit(1327634079.294:37089): avc: denied { getattr } for pid=30626 comm="httpd" path="/var/www/vhosts/REDACTED.com/conf/13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
    type=AVC msg=audit(1327634079.294:37090): avc: denied { read } for pid=30626 comm="httpd" name="13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
    type=AVC msg=audit(1327634080.495:37091): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634080.495:37092): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634080.496:37093): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634080.496:37094): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634080.498:37095): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634080.498:37096): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634080.499:37097): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634080.499:37098): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634080.500:37099): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634080.500:37100): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634081.019:37101): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634081.020:37102): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634081.022:37103): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634081.022:37104): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634081.023:37105): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634081.023:37106): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634081.024:37107): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634081.024:37108): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634081.025:37109): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634081.025:37110): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634081.144:37111): avc: denied { read } for pid=30632 comm="cleanup" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    type=AVC msg=audit(1327634081.144:37112): avc: denied { read } for pid=30632 comm="cleanup" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
    [at this point I do setenforce 0 since it is a testing server]

    I saw no mention of fixing SELinux policies in any 10.4 release notes or 10.4 MU release notes. Some things that are failing:
    - AWStats spews around a dozen errors each day when its daily run is done, Webalizer only a few
    - Obviously, as seen from above, updating is a mess - I hope the update resulted in an actually working installation
    - Subdomain content ("httpdocs") folders and their contents are created with the wrong label, so FTP gives permission errors
    - FastCGI and PHP sessions have wrong labels/permissions (I wrote a thread and workaround about this; I bet the update broke it again...)
    - I am sure there are more but I am just SO ABSOLUTELY fed up with Plesk that I'll leave it at here
     
    Last edited: Jan 29, 2012
  2. 105547111 (Silver Pleskian)

    cd /root
    grep avc /var/log/audit/audit.log > avc.log    # copies the AVC denials into avc.log
    audit2allow -M local -i avc.log                # creates a local.pp SELinux policy module

    Follow the output; it will tell you how to load the local.pp policy.
     
  3. bluik (Basic Pleskian)

    I know very well how to make full custom SELinux policies/modules, not to mention audit2allow.
    My problem is that Plesk does not do this out of box. It should. Definitely. Don't you agree??
     
  4. bluik (Basic Pleskian)

    For reference to everyone else, do not do this under any, and I mean ANY, circumstances. This would allow each and every policy violation in the log to be permitted! Be it from Plesk or from a malicious user!!

    [edited out some unnecessary attitude problems]
     
    Last edited: Jan 29, 2012
  5. 105547111 (Silver Pleskian)

    Well, I would assume that anyone wanting to play with policy would understand and read the audits.

    And anyone setting the policy to permissive or disabling it is a total idiot.

    So excuse me for assuming a little bit of bloody intelligence! And your almighty 18 posts make you then...
     
  6. bluik (Basic Pleskian)

    My sincere apologies for the attitude; it has been too many long days for too long, without going into the details (Plesk being one of them). It's no excuse really. Next time I'll check my medicine before posting, ok?

    Point was that many people just copy-paste the commands without understanding the repercussions.
     
    Last edited: Jan 29, 2012
  7. 105547111 (Silver Pleskian)

    No problem, you caught me at a bad time.

    On my system most policy violations are trivial and to do with the file context.

    Too many people just disable SELinux or set it to permissive, and that's about the worst you can do.
    I just assumed anyone would then vi the avc.log and see. Most I find are duplicates.

    You can always remove the local.pp policy, it's not like it's permanent.

    If you want I could submit my edited and duplicate removed avc.log and ask for a plesk policy update.

    Cheers,
    David
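The triage David describes (dedupe the avc.log, read it, and expect most hits to be file-context problems) and the blanket-allow trap bluik warns about in post 4, as an added example that is not code from this thread or from Plesk. It assumes constructed audit records modelled on the first post (hostname replaced by example.com), a hand-written table of where user_home_dir_t and tmp_t legitimately live, and standard SELinux TE rule syntax for the output; on a real host the label lookup would be matchpathcon, not a table.

```python
"""Triage SELinux AVC denials before anything is handed to audit2allow.

Added example (not from the thread, not from Plesk). Denials are merged the way
audit2allow merges them (per source domain, target type, object class), then
split into "file is mislabeled" and "policy really lacks a rule". The trap is
the first kind: an allow rule generated from a mislabeled file grants the domain
access to every object that legitimately carries that label.
"""
import re
from collections import OrderedDict

# Kernel AVC record as written to /var/log/audit/audit.log. path= (an open
# file) and name= (a failed lookup) are both optional.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \}\s+for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'(?: path="(?P<path>[^"]+)")?(?: name="(?P<name>[^"]+)")?.*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Assumption for this example: a hand-written subset of the trees in which these
# target types are legitimate. A real host should ask `matchpathcon PATH`.
EXPECTED_TREE_FOR_TYPE = {
    "user_home_dir_t": "/home/",
    "user_home_t": "/home/",
    "tmp_t": "/tmp/",
}

# Constructed sample, modelled on the first post (hostname replaced by
# example.com); the last record is a non-AVC line that must be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1327633857.275:37059): avc: denied { append } for pid=28059 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=375051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1327634056.964:37074): avc: denied { getattr } for pid=29964 comm="httpd" path="/var/www/vhosts/example.com/conf/13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327634056.967:37075): avc: denied { read } for pid=29964 comm="httpd" name="13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327634080.495:37091): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.495:37092): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.496:37093): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=USER_AUTH msg=audit(1327634100.000:37120): pid=1 uid=0 auid=0 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" res=success'
"""


def sel_type(context):
    """'system_u:object_r:usr_t:s0' -> 'usr_t'."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield one dict per AVC denial; other audit record types are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield m.groupdict()


def triage(text):
    """Merge identical denials and decide what each group actually needs."""
    groups = OrderedDict()
    for d in parse_avc(text):
        key = (sel_type(d["scontext"]), sel_type(d["tcontext"]), d["tclass"])
        g = groups.setdefault(key, {"count": 0, "perms": set(), "comms": set(), "path": None})
        g["count"] += 1
        g["perms"].update(d["perms"].split())
        g["comms"].add(d["comm"])
        if d["path"] and not g["path"]:
            g["path"] = d["path"]
    findings = []
    for (source, target, tclass), g in groups.items():
        tree = EXPECTED_TREE_FOR_TYPE.get(target)
        if tree is None:
            verdict = "policy"      # target type is plausible here: a real gap
        elif g["path"] is None:
            verdict = "inspect"     # suspicious type, but the record has no path
        elif not g["path"].startswith(tree):
            verdict = "relabel"     # home/tmp label on a file outside its tree
        else:
            verdict = "policy"
        findings.append({
            "source": source, "target": target, "tclass": tclass,
            "perms": tuple(sorted(g["perms"])), "count": g["count"],
            "comms": sorted(g["comms"]), "path": g["path"], "verdict": verdict,
        })
    return findings


def suggest(findings):
    """One next step per finding: a shell line, a TE rule, or a note to dig further."""
    out = []
    for f in findings:
        if f["verdict"] == "relabel":
            out.append("restorecon -v %s   # %s does not belong here" % (f["path"], f["target"]))
        elif f["verdict"] == "inspect":
            out.append("# %s on %s: no path in the record; run `ausearch -i` and `ls -Zd` "
                       "on the object before allowing anything" % (f["source"], f["target"]))
        else:
            # The rule audit2allow would emit. Review it, then build a local module.
            out.append("allow %s %s:%s { %s };"
                       % (f["source"], f["target"], f["tclass"], " ".join(f["perms"])))
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print("%-8s x%d %s -> %s:%s %s" % (f["verdict"], f["count"], f["source"],
                                           f["target"], f["tclass"], f["perms"]))
    print("\n".join(suggest(triage(SAMPLE_AUDIT_LOG))))
```

On the sample, the httpd_t/usr_t append is the only finding that becomes a TE rule; the vhost config file labeled user_home_dir_t gets a restorecon line instead, because the rule audit2allow would otherwise produce (httpd_t reading user_home_dir_t) opens every home directory on the box to the web server, which is exactly the blanket-allow outcome bluik objects to.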
     