
SELinux multiple file context specifications by Plesk - specified where?

bluik

Bug: SELinux multiple file context specifications by Plesk - specified where?

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Parallels Plesk, 10.4.4 MU24, CentOS 5.8, x86_64

PROBLEM DESCRIPTION
SELinux floods about "Multiple different specifications" for file contexts.
File /etc/selinux/targeted/contexts/files/homedir_template contains conflicting specifications:
HOME_DIR/bin(/.*)? system_u:object_r:home_bin_t:s0
HOME_DIR/bin(/.*)? system_u:object_r:bin_t:s0
Workaround: remove one of the specifications, then run genhomedircon, which generates file contexts for user home directories based on the aforementioned template file. Unfortunately I did not record which one I tried removing first; but after some time passed and after making modifications in Plesk, the duplicate entry appeared again. Nothing else was done with the system except Plesk actions and tuning SELinux policies (no packages installed, for example). So I assume Plesk inserted the duplicate entry. I will test leaving one of the specifications in place at a time and see if the other one appears, to find out which one is inserted by Plesk (or perhaps by something else).

STEPS TO REPRODUCE
New clean installation of Plesk. A few testing "subscriptions" (example.com, example.org below) created. The problem starts even before subscriptions are created because the template applies to root user's home dir or any other users existing on the user.
Errors appear in /var/log/messages.

ACTUAL RESULT
plesk php-cgi: /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /home/[^/]*/bin(/.*)? (user_u:object_r:bin_t:s0 and user_u:object_r:home_bin_t:s0).
plesk php-cgi: /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/www/vhosts/example.com/web_users/[^/]*/bin(/.*)? (user_u:object_r:bin_t:s0 and user_u:object_r:home_bin_t:s0).
plesk php-cgi: /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/www/vhosts/example.org/web_users/[^/]*/bin(/.*)? (user_u:object_r:bin_t:s0 and user_u:object_r:home_bin_t:s0).
plesk php-cgi: /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /root/bin(/.*)? (root:object_r:bin_t:s0 and root:object_r:home_bin_t:s0).

EXPECTED RESULT
Only single file context set, not multiple conflicting specifications

ANY ADDITIONAL INFORMATION
selinux-policy-2.4.6-327.el5.noarch
selinux-policy-targeted-2.4.6-327.el5.noarch
libsepol-2.0.36-1.el5.art.x86_64 updated from libsepol-1.15.2-3.el5.x86_64 but the errors for both vhost and user home dir bin start before upgrade from stock CentOS 5 libsepol to atomic libsepol.
Correction: The errors start after Plesk was installed; earlier I thought they started before Plesk installation. To be more precise, they start right after a reboot was done after Plesk was installed.

Plesk 10.4.4 was installed while SELinux was turned on. In the past Release Notes instructed to turn SELinux off, but for 10.4 no such warning existed unless I overlooked it - please provide a link to one if it exists.
 
Also these commands can't find the specification for the context:

semanage fcontext -d '/home/[^/]*/bin(/.*)?'
semanage fcontext -d '/var/www/vhosts/example.com/web_users/[^/]*/bin(/.*)?'
semanage fcontext -d '/var/www/vhosts/example.org/web_users/[^/]*/bin(/.*)?'
semanage fcontext -d '/root/bin(/.*)?'

Example output:
/usr/sbin/semanage: File context for /root/bin\(/.*\)? is not defined
 
Yes the issue is similar, but of course the problem does not come from qmail module but something else. See at the bottom of the reply for the Plesk-specific part about vhosts/../web_users.

# semodule -l
aisexec 1.0.0
amavis 1.1.0
ccs 1.0.0
clamav 1.1.0
clogd 1.0.0
dcc 1.1.0
dnsmasq 1.1.1
evolution 1.1.0
ipsec 1.4.0
iscsid 1.0.0
mcelog 1.0.0
milter 1.1.1
mozilla 1.1.0
mplayer 1.1.0
nagios 1.1.0
oddjob 1.0.1
pcscd 1.0.0
piranha 1.0.0
plesk 10.13.4
postgrey 1.1.0
prelude 1.0.0
pyzor 1.1.0
qemu 1.1.2
razor 1.1.0
rgmanager 1.0.0
rhcs 1.1.0
rhsmcertd 1.0.0
ricci 1.0.0
smartmon 1.1.0
spamassassin 1.9.0
sssd 1.0.2
vhostmd 1.0.0
virt 1.2.1
zarafa 1.0.0
zosremote 1.0.0

I tried to reload vhostmd module and only got the other set of well-known SELinux errors:

examplecomusr homedir /var/www/vhosts/example.com or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin.

Don't know which other module could be the cause for the conflicts. And even if the module was found out - how to change because these modules are in "compiled" form as far as I know. They cannot be edited.

>What makes it more difficult to troubleshoot: only some of the vhosts have the error. Most seem to not have
> this error! I cannot think of anything special about the three vhosts that have this error on
> web_users/[^/]*/bin(/.*)?. So it looks like somehow Plesk creates file contexts on the fly when vhosts are created.
>
Is that a correct assumption?

Edit: It seems the two vhosts with errors were the only ones with web_users created in Plesk. If a directory is created under some other vhost's web_users, I cannot see error at least yet. I will try to create a web user with Plesk and see.
 
solved

For anyone else having this problem, solution is to edit:
/etc/selinux/targeted/contexts/files/homedir_template
`genhomedircon` creates the file context specifications based on this file. Plesk edits the template file to add subdirectories of domain directories under /var/www/vhosts; but the problem may have been there before Plesk was installed.

In the case of this server there were two entries like this:

HOME_DIR/bin(/.*)? system_u:object_r:home_bin_t:s0
HOME_DIR/bin(/.*)? system_u:object_r:bin_t:s0

Remove one and run `genhomedircon` and the warnings are gone.
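
A way to find such conflicting entries before editing the template, as an added example that is not part of the original post: the function names `find_conflicts` and `make_sample` are hypothetical, and the sample input is constructed from the two lines quoted above.

```shell
#!/bin/sh
# Added example: list path specifications that appear more than once with
# different SELinux contexts in a homedir_template / file_contexts style file.

# find_conflicts FILE
# Prints one line per conflict: "<path regex> [<type>]: <ctx1> vs <ctx2>".
# Returns 0 when no conflict was found, 1 otherwise.
find_conflicts() {
    awk '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        {
            # Line format: path_regex [file_type] context
            if (NF >= 3) { key = $1 " " $2; ctx = $3 }
            else         { key = $1;        ctx = $2 }
            if (key in seen) {
                if (seen[key] != ctx) {
                    printf "%s: %s vs %s\n", key, seen[key], ctx
                    bad = 1
                }
            } else {
                seen[key] = ctx
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample reproducing the two conflicting lines from the thread.
make_sample() {
    cat <<'EOF'
# constructed sample, not a real system file
HOME_DIR/.+ system_u:object_r:user_home_t:s0
HOME_DIR/bin(/.*)? system_u:object_r:home_bin_t:s0
HOME_DIR/bin(/.*)? system_u:object_r:bin_t:s0
HOME_DIR -d system_u:object_r:user_home_dir_t:s0
EOF
}

# Stand-alone run: check the file given as $1, else the constructed sample.
if [ -n "${1:-}" ]; then
    find_conflicts "$1"
else
    tmp=$(mktemp) && make_sample > "$tmp"
    find_conflicts "$tmp" || echo "conflicting specifications found"
    rm -f "$tmp"
fi
```

Run it against `/etc/selinux/targeted/contexts/files/homedir_template` after Plesk changes to see whether the duplicate entry has returned.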
 
It is definitely a bug in Plesk. I had to remove the duplicate line again after making some changes in Plesk.
 
Please update your initial report with all necessary additional details, workaround, etc. and I will forward it to developers as bugreport. Thank you.
 
> Please update your initial report with all necessary additional details, workaround, etc. and I will forward it to developers as bugreport. Thank you.

Thanks Igor. I hope I am correct in the above analysis; everything seems to point to a problem in Plesk at the moment.
 
Ok. I have submitted your request to developers. Let's wait for their answer. I will update the thread when I receive it.
 
Workaround to keep Plesk from overwriting the file:
`chattr +i /etc/selinux/targeted/contexts/files/homedir_template`
(give immutable attribute to the file so it cannot be modified)
 