Unable to connect to Plesk for Linux server over FTP: 421 Service not available, remote server has closed connection

Symptoms

• Unable to connect to a Plesk for Linux server over FTP:

  CONFIG_TEXT: 530 Login incorrect.
  Login failed.
  421 Service not available, remote server has closed connection

• SELinux is running in the Enforcing mode:

  # getenforce
  Enforcing

• The following error is found in the file /var/log/messages:

  CONFIG_TEXT: chroot to '/var/www/vhosts/example.com' failed for user 'user': Permission denied
  error: unable to set DefaultRoot directory
  FTP session closed.

• The following error is found in the file var/log/audit/audit.log:

  CONFIG_TEXT: type=AVC msg=audit(1482428585.108:134): avc: denied { net_admin } for pid=2652 comm="in.proftpd" capability=12 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

Cause

SELinux is preventing ProFTPd from using capabilities net_admin.

Resolution

1. Connect to the server using SSH.

2. Install the package setroubleshoot-server:

   # yum install setroubleshoot-server

3. Restart the service auditd:

   # service auditd restart

4. Execute the following command to find sealert UUID:

   # cat /var/log/messages | grep "/usr/sbin/proftpd" | grep 'sealert'
   plesk.example.com setroubleshoot: SELinux is preventing /usr/sbin/proftpd from using the net_admin capability. For complete SELinux messages. run sealert -l 5d0aa9f8-8845-4a4d-8773-25286efb3c7a

5. Execute the command got on the previous step:

   # sealert -l 5d0aa9f8-8845-4a4d-8773-25286efb3c7a
   Plugin catchall (100. confidence) suggests
   You can generate a local policy module to allow this access.
   To allow this access for now by executing:
   ausearch -c 'in.proftpd' --raw | audit2allow -M my-inproftpd
   semodule -i my-inproftpd.pp

6. Follow the recommendation from sealert:

   # ausearch -c 'in.proftpd' --raw | audit2allow -M my-inproftpd
   # semodule -i my-inproftpd.pp