Applicable to:
- Plesk Onyx for Linux
Symptoms
-
Apache fails to start with the following error:
# service httpd start
systemd[1]: Starting The Apache HTTP Server...
httpd[6244]: AH00526: Syntax error on line 62 of /etc/httpd/conf/plesk.conf.d/server.conf:
httpd[6244]: ModSecurity: Failed to open the audit log file: /var/log/modsec_audit.log
systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
kill[6246]: kill: cannot find process ""
systemd[1]: httpd.service: control process exited, code=exited status=1
systemd[1]: Failed to start The Apache HTTP Server.
systemd[1]: Unit httpd.service entered failed state.
systemd[1]: httpd.service failed. -
The Automatically install system package updates is turned on in Plesk > Tools & Settings > Update and Upgrade Settings.
-
The OS was upgraded to CentOS 7.4.
-
SELinux is enabled on the server:
# getenforce
Enforcing -
Other services, like PHP-FPM, can fail to start via Plesk > Tools & Settings > Services Managementdue to the following error:
CONFIG_TEXT: ERROR: unable to bind listening socket for address '/var/www/vhosts/system/example.com/php-fpm.sock': Address already in use (98)
-
The following rows can be found in the
/var/log/messages
file:CONFIG_TEXT: httpd: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:7080
httpd: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:7080 -
The next rows appear in the
/var/log/audit/audit.log
file:CONFIG_TEXT: libsepol.context_from_record: type plesk_deployer_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:plesk_deployer_t:s0 to sid
libsepol.context_from_record: type plesk_deployer_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:plesk_deployer_t:s0 to sid
type=AVC msg=audit(1493750088.912:261): avc: denied { unlink } for pid=469 comm="nginx" name="nginx.pid" dev="tmpfs" ino=84252 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Cause
Product issue:
- #PPPM-6338 "On CentOS 7 servers, SELinux module restricted Plesk Update Manager from running rpm package scripts, which resulted in failure to update certain packages."
Fixed in:- Plesk Onyx 17.8 17 April 2018 (Linux)
- Plesk Onyx 17.0 02 October 2017 (Linux)
- Plesk Onyx 17.5 02 October 2017 (Linux)
Resolution
Workaround
If update is not possible for some reason you may try the following
Upgrade Plesk to the last version. If the upgrade is not possible the following workaround is applicable:
-
Connect to the server via SSH.
-
Set SELinux to permissive mode:
# setenforce 0
-
Remove the
docker-engine-selinux
package if it is installed:# yum remove docker-engine-selinux
-
Re-install the
selinux-policy-targeted
package:# yum reinstall selinux-policy-targeted
-
Reinstall the
psa-selinux
package:# yum reinstall psa-selinux
-
Switch SELinux back to Enforced mode:
# setenforce 1
-
Restart Apache service:
# service httpd restart
Comments
5 comments
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Please sign in to leave a comment.