unable to open TransferLog '/var/log/plesk/xferlog': Permission denied

[HostaHost]

Feb 24 12:19:03 server proftpd[1574]: 192.0.2.1 - unable to open TransferLog '/var/log/plesk/xferlog': Permission denied

I'm running into that on Plesk 12 on CentOS 7 with selinux enabled. Audit log confirms this is an selinux issue:

type=AVC msg=audit(1456334343.451:542779): avc: denied { open } for pid=1574 comm="in.proftpd" path="/var/log/plesk/xferlog" dev="dm-2" ino=89963 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_ubject_r:cron_log_t:s0 tclass=file

I know Parallels/Odin/Plesk's preferred solution to any issue involving selinux is turn selinux off, but does anyone have an alternative solution, such as creating a custom policy module or turning off selinux on a specific binary (I assume /usr/sbin/in.proftpd)? Anyone have a useful command or module for this config already?

I tried: semanage fcontext -a -t bin_t "/usr/sbin/in.proftpd"

which fixes the broken plesk migration tool on Plesk 12 servers, but didn't seem to change things.

 

[HostaHost]

Here's how you work around this in case anyone else has the same issue.

1. The error must have occurred before beginning, so ftps in, transfer a file, log out.
2. Run ausearch -m avc | grep -B 2 xferlog
3. That will give you a bunch of the failure alerts, along with the human readable date and time stamp from the entries, which you need.
4. If you see more than one audit entry for a given timestamp, ignore it and find one that is unique.
5. Once you have a unique timestamp where only the one failure we care about has occurred, run: ausearch -m avc -ts 13:53:17 | audit2allow -m in.proftpd > proftpd.te
6. The above will have given you a plain text selinux policy. The important part of the above is the fact that a version is coded into it and will default to 1.0. If at some point in the future, on any server that will have had this selinux module loaded, if changes are needed, the version must be incremented, even if producing a new module template with these same methods.
7. Run the selinux module compiler against your plain text file: checkmodule -M -m -o proftpd.mod proftpd.te
8. Run the module packager to turn the binary policy statements into an installable module. The only reason for this step is because some packages need ancillary files to go with the policy module, so it seems redundant when you're just using one file and turning it into yet another file: semodule_package -o proftpd.pp -m proftpd.mod
9. Install the module into the active selinux: semodule -i proftpd.pp

 

[wwwAndries]

The security context of the xferlog is not correct:
-rw-r-----. 1 system_ubject_r:cron_log_t:s0 root root 0 May 3 03:07 xferlog

Should be:
-rw-r-----. 1 system_ubject_r:var_log_t:s0 root root 22279 May 3 19:05 xferlog

Run /sbin/restorecon /var/log/plesk/xferlog

Only problem is that security context is overwritten probably by updates.