All websites are down after changing virtual hosts' location when SELinux in the enforcing mode

Symptoms

• Unable to start Apache or create a new domain due to the following error in Plesk:

  PLESK_ERROR: Unable to start service: Unable to manage service by apache_control_adapter: ('start', 'web'). Error: INFO: Service: httpd, Action: start Trying to start service httpd... failed example.com systemd[1]: Starting The Apache HTTP Server... example.com httpd[17151]: httpd: Syntax error on line 353 of /etc/httpd/conf/httpd.conf: Syntax error on line 7 of /etc/httpd/conf.d/zz010_psa_httpd.conf: Could not open configuration file /etc/httpd/conf/plesk.conf.d/vhosts/example.com.conf: Permission denied example.com systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE example.com kill[17153]: kill: cannot find process "" example.com systemd[1]: httpd.service: control process exited, code=exited status=1 example.com systemd[1]: Failed to start The Apache HTTP Server. example.com systemd[1]: Unit httpd.service entered failed state. example.com systemd[1]: httpd.service failed. WARNING! Some problems are found during start service httpd(see log file: /var/log/plesk/rc_actions.log) Continue... /usr/local/psa/admin/sbin/pleskrc execution failed: Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

• Default Apache page is shown on all websites.

• When the below command is executed, the output differs from the provided one:

  # cat /etc/psa/psa.conf | grep VHOSTS
  
  HTTPD_VHOSTS_D /var/www/vhosts

• Vhosts location was changed according to the next article:

  How to change virtual hosts location in Plesk for Linux?

• SELinux is in enforcing mode:

  # getenforce
  
  enforcing

• The following rows can be found in the /var/log/audit/audit.log file:

  CONFIG_TEXT: type=AVC msg=audit(1497589270.824:43672): avc: denied
  { read } for pid=24968 comm="/usr/sbin/httpd" name=".htaccess" dev="vda1" ino=26584342 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

• The next rows can be found in the /var/log/messages file:

  CONFIG_TEXT: pod8 python: SELinux is preventing fail2ban-server from search access on the directory /home/vhosts/system.#012#012**** Plugin catchall (100. confidence) suggests *************************#012#012If you believe that fail2ban-server should be allowed search access on the system directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'fail2ban-server' --raw | audit2allow -M my-fail2banserver#012# semodule -i my-fail2banserver.pp#012

Cause

Plesk Onyx with SELinux enabled does not support custom vhosts directory.

This is the bug PPPM-6521 which will be fixed in future product updates.

Resolution

Apply one of the following solutions:

• Disable SELinux

  Note: this solution disables SELinux until the server reboot only.
  
  To disable it permanently, apply the steps from the article.

  1. Connect to the server via SSH.

  2. Temporarily disable SELinux:

     # setenforce 0

  3. Start Nginx and Apache services:

     # service nginx restart
     # service httpd restart

• Change vhosts folder back to the default one

  The default location of the vhosts folder is /var/www/vhosts.

  1. Connect to the server via SSH.

  2. Temporarily disable SELinux:

     # setenforce 0

  3. Change the vhosts folder to the /var/www/vhosts default one according to the next article:

     How to change virtual hosts location in Plesk for Linux?

  4. Enable SELinux back:

     # setenforce 1