Applicable to:
- Plesk Onyx for Linux
Note: This article has the reference to the issue with the fix available:
- #PPPM-6338 "On CentOS 7 servers, SELinux module restricted Plesk Update Manager from running rpm package scripts,
which resulted in failure to update certain packages."
Fixed in:- Plesk Onyx 17.5.3 Update 24 02 October 2017 (Linux)
- Plesk Onyx 17.0.17 Update 35 02 October 2017 (Linux)
Symptoms
-
Apache fails to start with the following error:
# service httpd start
systemd[1]: Starting The Apache HTTP Server...
httpd[6244]: AH00526: Syntax error on line 62 of /etc/httpd/conf/plesk.conf.d/server.conf:
httpd[6244]: ModSecurity: Failed to open the audit log file: /var/log/modsec_audit.log
systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
kill[6246]: kill: cannot find process ""
systemd[1]: httpd.service: control process exited, code=exited status=1
systemd[1]: Failed to start The Apache HTTP Server.
systemd[1]: Unit httpd.service entered failed state.
systemd[1]: httpd.service failed. -
The Automatically install system package updates is turned on in Plesk > Tools & Settings > Update and Upgrade Settings.
-
The OS was upgraded to CentOS 7.4.
-
SELinux is enabled on the server:
# getenforce
Enforcing -
Other services, like PHP-FPM, can fail to start via Plesk > Tools & Settings > Services Managementdue to the following error:
CONFIG_TEXT: ERROR: unable to bind listening socket for address '/var/www/vhosts/system/example.com/php-fpm.sock': Address already in use (98)
-
The following rows can be found in the
/var/log/messagesfile:CONFIG_TEXT: httpd: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:7080
httpd: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:7080 -
The next rows appear in the
/var/log/audit/audit.logfile:CONFIG_TEXT: libsepol.context_from_record: type plesk_deployer_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:plesk_deployer_t:s0 to sid
libsepol.context_from_record: type plesk_deployer_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:plesk_deployer_t:s0 to sid
type=AVC msg=audit(1493750088.912:261): avc: denied { unlink } for pid=469 comm="nginx" name="nginx.pid" dev="tmpfs" ino=84252 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Cause
This is a Plesk bug #PPPM-6338 which was fixed in Plesk Onyx 17.5 Update #24 and Plesk Onyx 17.0 Update #35.
Resolution
-
Connect to the server via SSH.
-
Set SELinux to permissive mode:
# setenforce 0
-
Remove the
docker-engine-selinuxpackage if it is installed:# yum remove docker-engine-selinux
-
Re-install the
selinux-policy-targetedpackage:# yum reinstall selinux-policy-targeted
-
Reinstall the
psa-selinuxpackage:# yum reinstall psa-selinux
-
Switch SELinux back to Enforced mode:
# setenforce 1
-
Restart Apache service:
# service httpd restart
Comments
5 comments
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Please sign in to leave a comment.