Applicable to:
- Plesk Onyx for Linux
Note: This article has the reference to the issue with the fix available:
-
#PPPM-6338
"On CentOS 7 servers, SELinux module restricted Plesk Update Manager from running rpm package scripts,
which resulted in failure to update certain packages."
Fixed in:- Plesk Onyx 17.5.3 Update 24 02 October 2017 (Linux)
- Plesk Onyx 17.0.17 Update 35 02 October 2017 (Linux)
Symptoms
-
Apache fails to start with the following error:
# service httpd start
Sep 18 05:34:56 example systemd[1]: Starting The Apache HTTP Server...
Sep 18 05:34:57 example httpd[6244]: AH00526: Syntax error on line 62 of /etc/httpd/conf/plesk.conf.d/server.conf:
Sep 18 05:34:57 example httpd[6244]: ModSecurity: Failed to open the audit log file: /var/log/modsec_audit.log
Sep 18 05:34:57 example systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Sep 18 05:34:57 example kill[6246]: kill: cannot find process ""
Sep 18 05:34:57 example systemd[1]: httpd.service: control process exited, code=exited status=1
Sep 18 05:34:57 example systemd[1]: Failed to start The Apache HTTP Server.
Sep 18 05:34:57 example systemd[1]: Unit httpd.service entered failed state.
Sep 18 05:34:57 example systemd[1]: httpd.service failed. -
Automatic updates of system packages is enabled in
Home > Tools&Settings > Update and Upgrade Settings
:
- The issue occurs after updating OS to CentOS 7.4
-
SELinux is enabled on the server:
# getenforce
Enforcing -
Other services, like php-fpm, can fail to start due to SELinux policies:
PLESK_INFO: ERROR: unable to bind listening socket for address '/var/www/vhosts/system/example.com/php-fpm.sock': Address already in use (98)
-
In
/var/log/messagesfollowing rows can be found:# less /var/log/messages
httpd: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:7080
httpd: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:7080 -
In
/var/log/audit/audit.logthe following information can be seen:# grep denied /var/log/audit/audit.log | audit2why
libsepol.context_from_record: type plesk_deployer_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:plesk_deployer_t:s0 to sid
libsepol.context_from_record: type plesk_deployer_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:plesk_deployer_t:s0 to sid
type=AVC msg=audit(1493750088.912:261): avc: denied { unlink } for pid=469 comm="nginx" name="nginx.pid" dev="tmpfs" ino=84252 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Cause
This is a Plesk bug #PPPM-6338 which is fixed in Plesk Onyx 17.5 Update #24 and Plesk Onyx 17.0 Update #35.
Resolution
-
Connect to the server via SSH
-
Set SELinux to Permissive mode:
# setenforce 0
-
Remove
docker-engine-selinuxpackage if it is installed:# yum remove docker-engine-selinux
-
Re-install
selinux-policy-targetedpackage:# yum reinstall selinux-policy-targeted
-
Reinstall
psa-selinuxpackage:# yum reinstall psa-selinux
-
Set SELinux to back Enforced mode:
# setenforce 1
-
Restart Apache:
# service httpd restart
Comments
4 comments
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Bug #PPPM-6338 have been fixed in Plesk Onyx 17.5.3 Update 24, Plesk Onyx 17.0.17 Update 35
Please sign in to leave a comment.