• Our team is looking to connect with folks who use email services provided by Plesk, or a premium service. If you'd like to be part of the discovery process and share your experiences, we invite you to complete this short screening survey. If your responses match the persona we are looking for, you'll receive a link to schedule a call at your convenience. We look forward to hearing from you!
  • We are looking for U.S.-based freelancer or agency working with SEO or WordPress for a quick 30-min interviews to gather feedback on XOVI, a successful German SEO tool we’re looking to launch in the U.S.
    If you qualify and participate, you’ll receive a $30 Amazon gift card as a thank-you. Please apply here. Thanks for helping shape a better SEO product for agencies!
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

unable to open TransferLog '/var/log/plesk/xferlog': Permission denied

HostaHost

Regular Pleskian
Feb 24 12:19:03 server proftpd[1574]: 192.0.2.1 - unable to open TransferLog '/var/log/plesk/xferlog': Permission denied

I'm running into that on Plesk 12 on CentOS 7 with selinux enabled. Audit log confirms this is an selinux issue:

type=AVC msg=audit(1456334343.451:542779): avc: denied { open } for pid=1574 comm="in.proftpd" path="/var/log/plesk/xferlog" dev="dm-2" ino=89963 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:eek:bject_r:cron_log_t:s0 tclass=file

I know Parallels/Odin/Plesk's preferred solution to any issue involving selinux is turn selinux off, but does anyone have an alternative solution, such as creating a custom policy module or turning off selinux on a specific binary (I assume /usr/sbin/in.proftpd)? Anyone have a useful command or module for this config already?

I tried: semanage fcontext -a -t bin_t "/usr/sbin/in.proftpd"

which fixes the broken plesk migration tool on Plesk 12 servers, but didn't seem to change things.
 
Here's how you work around this in case anyone else has the same issue.

  1. The error must have occurred before beginning, so ftps in, transfer a file, log out.
  2. Run ausearch -m avc | grep -B 2 xferlog
  3. That will give you a bunch of the failure alerts, along with the human readable date and time stamp from the entries, which you need.
  4. If you see more than one audit entry for a given timestamp, ignore it and find one that is unique.
  5. Once you have a unique timestamp where only the one failure we care about has occurred, run: ausearch -m avc -ts 13:53:17 | audit2allow -m in.proftpd > proftpd.te
  6. The above will have given you a plain text selinux policy. The important part of the above is the fact that a version is coded into it and will default to 1.0. If at some point in the future, on any server that will have had this selinux module loaded, if changes are needed, the version must be incremented, even if producing a new module template with these same methods.
  7. Run the selinux module compiler against your plain text file: checkmodule -M -m -o proftpd.mod proftpd.te
  8. Run the module packager to turn the binary policy statements into an installable module. The only reason for this step is because some packages need ancillary files to go with the policy module, so it seems redundant when you're just using one file and turning it into yet another file: semodule_package -o proftpd.pp -m proftpd.mod
  9. Install the module into the active selinux: semodule -i proftpd.pp
 
The security context of the xferlog is not correct:
-rw-r-----. 1 system_u:eek:bject_r:cron_log_t:s0 root root 0 May 3 03:07 xferlog

Should be:
-rw-r-----. 1 system_u:eek:bject_r:var_log_t:s0 root root 22279 May 3 19:05 xferlog

Run /sbin/restorecon /var/log/plesk/xferlog

Only problem is that security context is overwritten probably by updates.
 
Back
Top