Unable to login over FTP: 421 Service not available, remote server has closed connection

Symptoms

1. Unable to connect to FTP. The following error is displayed:

   530 Login incorrect.
   Login failed.
   421 Service not available, remote server has closed connection
   

2. SELinux is running in enforcing mode.

3. SELinux policy Plesk component is installed.

4. In /var/log/messages the following error can be seen:

   chroot to '/var/www/vhosts/example.com' failed for user 'user': Permission denied
   error: unable to set DefaultRoot directory
   FTP session closed. 
   

5. In /var/log/audit/audit.log the following error can be seen:

   type=AVC msg=audit(1482428585.108:134): avc:  denied  { net_admin } for  pid=2652 comm="in.proftpd" capability=12  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability
   

Cause

SELinux is preventing Proftpd from using the 'net_admin' capabilities.

Resolution

1. Install setroubleshoot-server package:

   # yum install setroubleshoot-server
   

2. Restart audit daemon.

   # service auditd restart
   

3. Run the following command to find sealert UUID:

   # cat /var/log/messages |grep "/usr/sbin/proftpd" | grep 'sealert'
   
   
   ser129 setroubleshoot: SELinux is preventing /usr/sbin/proftpd from using the net_admin capability. For complete SELinux messages. run sealert -l 5d0aa9f8-8845-4a4d-8773-25286efb3c7a
   

4. Run the command found in previous step:

   # sealert -l 5d0aa9f8-8845-4a4d-8773-25286efb3c7a
   
   Plugin catchall (100. confidence) suggests
   
   You can generate a local policy module to allow this access.
   
   To allow this access for now by executing:
   
   ausearch -c 'in.proftpd' --raw | audit2allow -M my-inproftpd
   
   semodule -i my-inproftpd.pp
   

5. Follow the instructions from previous step to solve the issue:

   # ausearch -c 'in.proftpd' --raw | audit2allow -M my-inproftpd
   
   # semodule -i my-inproftpd.pp