
SELinux horror

bluik

Basic Pleskian
Well, well..


Here we are, at version "10.4.4" and still Plesk cannot play nicely with SELinux. Oh come on Parallels.. Upgrade from 10.3.x to 10.4.4:

type=AVC msg=audit(1327633857.275:37059): avc: denied { append } for pid=28059 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=375051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1327633945.711:37060): avc: denied { read append } for pid=28668 comm="named" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=375051 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1327634007.558:37067): avc: denied { read } for pid=29165 comm="postalias" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634022.751:37068): avc: denied { read } for pid=29271 comm="postalias" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634040.943:37073): avc: denied { write } for pid=29613 comm="postfix" path="/usr/local/psa/var/psasem.sem" dev=dm-0 ino=408094 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1327634040.943:37073): avc: denied { append } for pid=29613 comm="postfix" path="/usr/local/psa/admin/logs/panel.log" dev=dm-0 ino=424179 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1327634056.964:37074): avc: denied { getattr } for pid=29964 comm="httpd" path="/var/www/vhosts/REDACTED.com/conf/13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327634056.967:37075): avc: denied { read } for pid=29964 comm="httpd" name="13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327634056.967:37075): avc: denied { open } for pid=29964 comm="httpd" name="13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327634079.294:37089): avc: denied { getattr } for pid=30626 comm="httpd" path="/var/www/vhosts/REDACTED.com/conf/13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327634079.294:37090): avc: denied { read } for pid=30626 comm="httpd" name="13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327634080.495:37091): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.495:37092): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.496:37093): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.496:37094): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.498:37095): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.498:37096): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.499:37097): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.499:37098): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.500:37099): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.500:37100): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.019:37101): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.020:37102): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.022:37103): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.022:37104): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.023:37105): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.023:37106): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.024:37107): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.024:37108): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.025:37109): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.025:37110): avc: denied { read } for pid=30631 comm="trivial-rewrite" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.144:37111): avc: denied { read } for pid=30632 comm="cleanup" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634081.144:37112): avc: denied { read } for pid=30632 comm="cleanup" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_cleanup_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
[at this point I do setenforce 0 since it is a testing server]

I saw no mention about fixing SELinux policies in any 10.4 release notes or 10.4 MU release notes. Some things that are failing:
- AWStats spews around a dozen errors each day when its daily run is done, webalizer only a few
- Obviously, as seen from above, updating is a mess - I hope the update resulted in an actually working installation
- Subdomain content ("httpdocs") folder & contents are created with the wrong label, so FTP gives permission errors
- FastCGI & PHP sessions have wrong labels/permissions (I wrote a thread & workaround about this, I bet the update broke it again..)
- I am sure there are more but I am just SO ABSOLUTELY fed up with Plesk that I'll leave it here
 
cd /root
grep avc /var/log/audit/audit.log > avc.log    # copies the AVC denials into avc.log
audit2allow -M local -i avc.log                # creates a local.pp SELinux policy module from them

Follow the output; it will tell you how to load the local.pp policy.
 
I know very well how to make full custom SELinux policies/modules, not to mention audit2allow.
My problem is that Plesk does not do this out of the box. It should. Definitely. Don't you agree??
 
grep avc /var/log/audit/audit.log > avc.log
For reference to everyone else, do not do this under any, and I mean ANY, circumstances. This would allow each and every policy violation in the log to be permitted! Be it from Plesk or from a malicious user!!

[edited out some unnecessary attitude problems]
 
Well I would assume that anyone wanting to play with policy would understand and read the audits.

And anyone setting the policy to permissive or disabled is a total idiot.

So excuse me for assuming a little bit of bloody intelligence! And your almighty 18 posts make you then...
 
My sincere apologies for the attitude; it has been too many long days for too long, without going into the details (Plesk being one of them). It's no excuse really. Next time I'll check my medicine before posting, ok?

Point was that many people just copy-paste the commands without understanding the repercussions.
 
No problems, caught me at a bad time.

In my system most policy violations are just trivial to do with the file context.

Too many just disable selinux or set to permissive and that's about the worst you can do.
I just assumed anyone would then vi the avc.log and see. Most I find are duplicates.

You can always remove the local.pp policy, it's not like it's permanent.

If you want I could submit my edited and duplicate removed avc.log and ask for a plesk policy update.

Cheers,
David
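An added example, not code from this thread or from Plesk, of the review step David describes (reading avc.log and collapsing the duplicates before anything goes near audit2allow) and of why bluik's warning about feeding the whole log in matters. The script parses AVC denial lines, merges them into one entry per (source type, target type, object class), renders the allow rule audit2allow would generate for that entry so the reviewer sees the full scope of what would be permitted, and flags entries whose target is a catch-all label, where relabelling with restorecon is usually the right fix rather than a new rule. The sample lines are constructed from the ones quoted above (with the forum's smiley damage to object_r undone); the list of catch-all types is an assumption made for the heuristic.

```python
import re
from collections import defaultdict

# Constructed sample: six lines of the shape quoted in the thread, including a
# pair of exact duplicates and a pair hitting the same vhost file twice.
SAMPLE_AVC = """\
type=AVC msg=audit(1327633857.275:37059): avc: denied { append } for pid=28059 comm="httpd" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=375051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1327633945.711:37060): avc: denied { read append } for pid=28668 comm="named" path="/usr/local/psa/tmp/rc_actions.log" dev=dm-0 ino=375051 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1327634080.495:37091): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634080.495:37092): avc: denied { read } for pid=30628 comm="smtpd" name="tmp" dev=dm-0 ino=64822 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file
type=AVC msg=audit(1327634056.964:37074): avc: denied { getattr } for pid=29964 comm="httpd" path="/var/www/vhosts/REDACTED.com/conf/13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1327634056.967:37075): avc: denied { read } for pid=29964 comm="httpd" name="13276340520.37649200_httpd.include" dev=dm-2 ino=1313871 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
"""

# Assumption for the heuristic: these are the default types a file inherits from its
# parent directory when no specific file context matches. A denial against one of them
# usually means the file is mislabelled (fix: restorecon), not that policy is missing.
GENERIC_TYPES = frozenset({"usr_t", "var_t", "tmp_t", "user_home_dir_t"})

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # Contexts are user:role:type:level; policy rules are written in terms of the type.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    fields["perms"] = frozenset(m.group("perms").split())
    return fields


def summarize(log_text):
    """Collapse duplicates: one entry per (source type, target type, class), with the
    union of requested permissions, a hit count, and the paths/names involved."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "targets": set(), "comms": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["stype"], d["ttype"], d["tclass"])]
        g["perms"] |= d["perms"]
        g["count"] += 1
        g["targets"].add(d.get("path") or d.get("name", "?"))
        g["comms"].add(d.get("comm", "?"))
    return dict(groups)


def as_allow_rule(key, entry):
    """Render the rule audit2allow would emit for this entry. Note it grants the
    permission on every file of the target type, not just the path that was denied."""
    stype, ttype, tclass = key
    perms = sorted(entry["perms"])
    perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {perm_txt};"


def review(log_text, generic_types=GENERIC_TYPES):
    """Return (rules, relabel): the allow rules to read before building a module, and
    the entries whose target type points at a mislabelled file rather than a policy gap."""
    groups = summarize(log_text)
    rules = {key: as_allow_rule(key, e) for key, e in groups.items()}
    relabel = {key: sorted(e["targets"]) for key, e in groups.items() if key[1] in generic_types}
    return rules, relabel


if __name__ == "__main__":
    groups = summarize(SAMPLE_AVC)
    rules, relabel = review(SAMPLE_AVC)
    for key, entry in groups.items():
        print(f"{entry['count']:3d}x  {rules[key]}   # comm={','.join(sorted(entry['comms']))}")
    for key, targets in relabel.items():
        print(f"check labels (matchpathcon/restorecon) for {key[1]}: {', '.join(targets)}")
```

Run it against a real `grep avc /var/log/audit/audit.log` capture in place of SAMPLE_AVC; the point is that six raw lines become four reviewable rules, and that each rule reads as a grant to a whole type (every usr_t file, every tmp_t symlink), which is what makes loading an unreviewed module dangerous.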
 