• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

SELinux, PAM, ProFTPd and Plesk

InsertCoin

Basic Pleskian
Been investigating a problem on a server and the issue appears to stem from SELinux.

The initial fault was when trying to login you got the following error:

Code:
Status:    Connecting to xxx.xxx.xxx.xxx:21...
Status:    Connection established, waiting for welcome message...
Response:    220 ProFTPD 1.3.5 Server (ProFTPD) [xxx.xxx.xxx.xxx]
Command:    USER xxx
Response:    331 Password required for hpcds
Command:    PASS ********
Response:    530 Login incorrect.
Error:    Critical error
Error:    Could not connect to server

Looking at the messages log it gave:

Code:
Nov 20 13:45:39 server1 xinetd[17152]: START: ftp pid=54513 from=::ffff:xxx.xxx.xxx.xxx
Nov 20 13:45:39 server1 proftpd[54513]: processing configuration directory '/etc/proftpd.d'
Nov 20 13:45:39 server1 proftpd[54513]: 127.0.0.1 (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - mod_delay/0.7: unable to open DelayTable '/var/proftpd.delay': No such file or directory
Nov 20 13:45:39 server1 proftpd[54513]: 127.0.0.1 (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - FTP session opened.
Nov 20 13:45:39 server1 proftpd[54513]: 127.0.0.1 (xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]) - FTP session closed.
Nov 20 13:45:39 server1 xinetd[17152]: EXIT: ftp status=0 pid=54513 duration=0(sec)

The '/var/proftpd.delay' delay error has a Parallels KB related to it: http://kb.odin.com/en/121424 Did this and that error then stopped, but still not able to login.

Looking at the audit.log

Code:
type=AVC msg=audit(1416431439.740:42792): avc:  denied  { write } for  pid=48672 comm="in.proftpd" name="var" dev=md1 ino=4849665 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1416431439.740:42792): arch=c000003e syscall=2 success=no exit=-13 a0=4a1c8e a1=42 a2=1b6 a3=220 items=0 ppid=17152 pid=48672 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="in.proftpd" exe="/usr/sbin/proftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1416472793.507:43546): user pid=52657 uid=0 auid=0 ses=5 subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="hpcds" exe="/usr/sbin/proftpd" hostname=xxx.xxx.xxx.xxx addr=xxx.xxx.xxx.xxx terminal=/dev/ftpd52657 res=failed'

Generated a new policy:

Code:
module proftpd 1.0;

require {
        type ftpd_t;
        type httpd_sys_content_t;
        type var_t;
        class file { read write getattr open lock };
        class dir { read write };
}

#============= ftpd_t ==============

#!!!! This avc is allowed in the current policy
allow ftpd_t httpd_sys_content_t:dir read;

#!!!! This avc is allowed in the current policy
allow ftpd_t var_t:dir write;

#!!!! This avc is allowed in the current policy
allow ftpd_t var_t:file { read write getattr open lock };

Still failing, however instead of the large number of audit errors it now only gives:

Code:
type=USER_AUTH msg=audit(1416496774.953:44264): user pid=6922 uid=0 auid=0 ses=3707 
subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="hpcds" exe="/usr/sbin/proftpd" hostname=xxx.xxx.xxx.xxx addr=xxx.xxx.xxx.xxx terminal=/dev/ftpd6922 res=failed'

Ive ran the bootstrapper to reload the SELinux Contexts also to no avail.

Any ideas on how to tackle this one?

Here are the SELinux Modules:

Code:
abrt_anon_write --> off
abrt_handle_event --> off
allow_console_login --> on
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tcp_wrapper --> off
allow_daemons_use_tty --> on
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> on
allow_execmod --> on
allow_execstack --> on
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> on
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_gssd_read_tmp --> on
allow_guest_exec_content --> off
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> on
allow_httpd_sys_script_anon_write --> off
allow_java_execstack --> off
allow_kerberos --> on
allow_mount_anyfile --> on
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_polyinstantiation --> off
allow_postfix_local_write_mail_spool --> on
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_saslauthd_read_shadow --> off
allow_smbd_anon_write --> off
allow_ssh_keysign --> off
allow_staff_exec_content --> on
allow_sysadm_exec_content --> on
allow_unconfined_nsplugin_transition --> off
allow_user_exec_content --> on
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_write_xshm --> off
allow_xguest_exec_content --> off
allow_xserver_execmem --> off
allow_ypbind --> off
allow_zebra_write_config --> on
antivirus_can_scan_system --> off
antivirus_use_jit --> off
authlogin_radius --> off
authlogin_shadow --> off
awstats_purge_apache_log_files --> off
cdrecord_read_content --> off
cluster_can_network_connect --> off
cluster_manage_all_files --> on
cluster_use_execmem --> off
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> off
collectd_tcp_network_connect --> off
condor_domain_can_network_connect --> off
cron_can_relabel --> off
daemons_enable_cluster_mode --> on
dhcpc_exec_iptables --> off
domain_kernel_load_modules --> off
exim_can_connect_db --> off
exim_manage_user_files --> off
exim_read_user_files --> off
fcron_crond --> off
fenced_can_network_connect --> off
fenced_can_ssh --> off
fips_mode --> on
ftp_home_dir --> on
ftpd_connect_db --> on
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> off
git_cgi_enable_homedirs --> off
git_cgi_use_cifs --> off
git_cgi_use_nfs --> off
git_session_bind_all_unreserved_ports --> off
git_session_users --> off
git_system_enable_homedirs --> off
git_system_use_cifs --> off
git_system_use_nfs --> off
global_ssp --> off
gluster_anon_write --> off
gluster_export_all_ro --> off
gluster_export_all_rw --> on
gpg_agent_env_file --> off
gpg_web_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> on
httpd_can_sendmail --> on
httpd_dbus_avahi --> on
httpd_dbus_sssd --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off
icecast_connect_any --> off
init_upstart --> on
irssi_use_full_network --> off
kdumpgui_run_bootloader --> off
logging_syslog_can_read_tmp --> off
logging_syslogd_can_sendmail --> off
logging_syslogd_use_tty --> on
logrotate_use_nfs --> off
lsmd_plugin_connect_any --> off
mcelog_foreground --> off
mmap_low_allowed --> off
mozilla_read_content --> off
mysql_connect_any --> off
named_bind_http_port --> off
named_write_master_zones --> off
ncftool_read_user_content --> off
nscd_use_shm --> on
nsplugin_can_network --> on
openshift_use_nfs --> off
openvpn_enable_homedirs --> on
openvpn_run_unconfined --> off
pcp_bind_all_unreserved_ports --> off
piranha_lvs_can_network_connect --> off
postgresql_can_rsync --> off
pppd_can_insmod --> off
pppd_for_user --> off
privoxy_connect_any --> on
puppet_manage_all_files --> off
puppetmaster_use_db --> off
qemu_full_network --> on
qemu_use_cifs --> on
qemu_use_comm --> off
qemu_use_nfs --> on
qemu_use_usb --> on
racoon_read_shadow --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_use_cifs --> off
rsync_use_nfs --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_portmapper --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_fusefs --> off
sanlock_use_nfs --> off
sanlock_use_samba --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
sepgsql_enable_users_ddl --> on
sepgsql_unconfined_dbadm --> on
sge_domain_can_network_connect --> off
sge_use_nfs --> off
smartmon_3ware --> off
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
squid_connect_any --> on
squid_use_tproxy --> off
ssh_chroot_full_access --> off
ssh_chroot_manage_apache_content --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> off
swift_can_network --> off
telepathy_tcp_connect_generic_network_ports --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off
tor_bind_all_unreserved_ports --> off
unconfined_login --> on
unconfined_mmap_zero_ignore --> off
unconfined_mozilla_plugin_transition --> off
use_fusefs_home_dirs --> off
use_lpd_server --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
user_direct_dri --> on
user_direct_mouse --> off
user_ping --> on
user_rw_noexattrfile --> on
user_setrlimit --> on
user_tcp_server --> off
user_ttyfile_stat --> off
varnishd_connect_any --> off
vbetool_mmap_zero_ignore --> off
virt_use_comm --> off
virt_use_execmem --> off
virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_samba --> off
virt_use_sanlock --> off
virt_use_sysfs --> on
virt_use_usb --> on
virt_use_xserver --> off
webadm_manage_user_files --> off
webadm_read_user_files --> off
wine_mmap_zero_ignore --> off
xdm_exec_bootloader --> off
xdm_sysadm_login --> off
xen_use_nfs --> off
xguest_connect_network --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
xserver_object_manager --> off
zabbix_can_network --> off

Plesk 12
CentOS 6.6

Brand new install of Plesk
 
Hello InsertCoin,

I ran into the same issue.

SELinux devs can mark some policy rules as "dontaudit" to prevent logspam in audit.log, which is the reason why you probably didn't find additional log rules about this particular SELinux incompatibility. You won't need to disable SELinux as suggested by IgorG if you proceed with the following steps:
  1. Temporarily disable SELinux enforcement by executing:
    Code:
    setenforce 0
  2. Temporarily disable dontaudit rules by executing:
    Code:
    semodule -DB
    (-D for disable dontaudit rules, -B for rebuild the policy)
  3. Log in using your FTP account, which should now work.
  4. Generate the policy using the following command:
    Code:
    grep in.proftpd /var/log/audit/audit.log|audit2allow -M psa-selinux-proftpd
  5. Load the new module:
    Code:
    semodule -i psa-selinux-proftpd.pp
  6. Rebuild the policy to turn off logging dontaudit rules:
    Code:
    semodule -B
  7. Re-enable SELinux:
    Code:
    setenforce 1
  8. Check logging into FTP still works. (Which it should)
The above methode supplied me with the following .te SELinux module:
Code:
module psa-selinux-proftpd 1.0;

require {
        type ftpd_t;
        type shadow_t;
        class file { read getattr open };
}

#============= ftpd_t ==============
allow ftpd_t shadow_t:file { read getattr open };

Hope this helps you and I hope Parallels will provide SELinux support in the future.
 
Thanks for your post Niek, this does indeed allow FTP access but you would still be unable to upload, edit, move, rename files via FTP.

For others you can either, perform all the required commands with selinux off, and then follow Niek instructions, you should then end up with a policy as follows:

Code:
module psa-proftpd 1.0;

require {
        type ftpd_t;
        type httpd_sys_content_t;
        type var_t;
        type shadow_t;
        class dir { rename setattr read create write rmdir remove_name add_name };
        class file { rename setattr read lock create write getattr unlink open };
}

#============= ftpd_t ==============

#!!!! This avc is allowed in the current policy
allow ftpd_t httpd_sys_content_t:dir { rename setattr read create write rmdir remove_name add_name };

#!!!! This avc can be allowed using the boolean 'allow_ftpd_full_access'
allow ftpd_t httpd_sys_content_t:file create;

#!!!! This avc is allowed in the current policy
allow ftpd_t httpd_sys_content_t:file { rename write getattr setattr unlink open };

#!!!! This avc is allowed in the current policy
allow ftpd_t shadow_t:file { read getattr open };

#!!!! This avc is allowed in the current policy
allow ftpd_t var_t:file { read write getattr open lock };

Alternatively the majority of these can be enabled by running the commands:

Code:
getsebool -a | grep ftp

If allow_ftpd_full_access is set to "off" you can enable it with:

Code:
setsebool -P allow_ftpd_full_access on

And then check its enabled.
Code:
getsebool -a | grep ftp

This should now allow ftpd full access.
 
Hi InsertCoin, I forgot to mention that boolean. We enable it by default and only needed the custom policy to enable logins. The boolean should take care of the rest (see the !!!! comments above the directives? That should indicate it's already allowed, due to the boolean being true I'm guessing). But I haven't verified it. :)
 
Back
Top