
SELinux is preventing php-fpm from using the block_suspend capability


Comments

5 comments

  • Unknown User

    This is the kind of careless advice on "security" by Plesk that's making me a more and more unwilling user of it; every week I find myself writing a systemd path unit, a service or, like in this case, a custom policy to patch the misguided configuration imposed for your products.

    Rather than making the php-fpm daemon an unconfined service through the type bin_t, it should be kept in the httpd_t domain. Making the PHP daemon an unconfined service this way bypasses the policies and type enforcement, thus turning it into an insecure service despite having SELinux enabled.

    Instead, a custom policy module should be compiled to give httpd_t just the capability required:

    #================================

    module php-fpm-allow-block-suspend 1.0.0;

    require {
            type httpd_t;
            class capability2 block_suspend;
    }

    #============= httpd_t ==============
    allow httpd_t self:capability2 block_suspend;

  • Robert Asilbekov (Edited)

    @Jesús Thank you for the feedback, I have updated the article according to your recommendations. I would like to draw your attention to the fact that "/usr/sbin/php-fpm" is shipped by the OS vendor, so to fix the issue completely it would be great if you could report the issue to RedHat/CentOS support.

  • Unknown User (Edited)

    That's true, however the php binaries under /opt/plesk are provided by you. And the RPMs tag them as bin_t, making them unconfined services and thus introducing a lot of vulnerabilities even with SELinux enabled.

    A fix with semanage fcontext is still missing from this article.

    You could use the tip I'm giving in my following tweet:

    https://twitter.com/jefrancomix/status/925388504821006336

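The confined alternative described in the first comment, together with the semanage fcontext relabel the comment above says is missing from the article, as an added example that is not from the thread or from Plesk. It assumes the standard SELinux policy tools are installed and that Plesk's php-fpm binaries live under /opt/plesk/php/<version>/sbin/; the module name and the httpd_exec_t label are choices made here, not the content of the linked tweet.

```shell
#!/bin/sh
# Added example, not from the thread: build a minimal SELinux policy module that
# grants httpd_t only the block_suspend capability and, with --install, relabels
# Plesk's php-fpm binary as httpd_exec_t so it runs confined instead of as bin_t.
# Assumptions: checkmodule, semodule_package, semodule, semanage, restorecon and
# sesearch are installed; /opt/plesk/php/<ver>/sbin/php-fpm is an assumed layout.
set -eu

MODNAME=php_fpm_allow_block_suspend

# Write the type-enforcement source for the module to the file given as $1.
write_te() {
    cat > "$1" <<EOF
module $MODNAME 1.0;
require {
        type httpd_t;
        class capability2 block_suspend;
}
# Only the single capability php-fpm asked for; no unconfined transition.
allow httpd_t self:capability2 block_suspend;
EOF
}

# Compile, package and load the module from the directory given as $1 (root).
build_and_load() {
    checkmodule -M -m -o "$1/$MODNAME.mod" "$1/$MODNAME.te"
    semodule_package -o "$1/$MODNAME.pp" -m "$1/$MODNAME.mod"
    semodule -i "$1/$MODNAME.pp"
}

# Persistently label Plesk's php-fpm binaries httpd_exec_t so the daemon enters
# httpd_t (confined) instead of keeping bin_t (unconfined); then apply the label.
relabel_plesk_php_fpm() {
    semanage fcontext -a -t httpd_exec_t '/opt/plesk/php/[^/]+/sbin/php-fpm'
    restorecon -Rv /opt/plesk/php
}

# Confirm the loaded policy now grants the capability; exit status 0 if so.
verify_allowed() {
    sesearch -A -s httpd_t -t httpd_t -c capability2 -p block_suspend | grep -q block_suspend
}

tmp=$(mktemp -d)
write_te "$tmp/$MODNAME.te"
if [ "${1:-}" = "--install" ]; then
    build_and_load "$tmp" && relabel_plesk_php_fpm && verify_allowed
else
    echo "Wrote $tmp/$MODNAME.te; rerun as root with --install to load it"
fi
```

Run it once without arguments to inspect the generated .te file, then as root with --install. The relabel only covers the path pattern shown, so adjust it to where the binaries actually live.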
  • Denis Bykov

    @Jesús Thank you for pointing this out.

    I created a request to Plesk developers based on the provided suggestions. We will update you with results.

  • Denis Bykov

    @Jesús Developers confirmed the bug, and I created an article regarding this issue: PHP-FPM daemon set as an unconfined service in Plesk SELinux policies

