Roundcube file_put_contents(/var/log/plesk-roundcube/errors): failed to open stream

Symptoms

• Plesk Onyx 17.8 is installed on CentOS, RedHat or CloudLinux;

• When Roundcube webmail is used, the following errors are written to the /var/log/httpd/error_log:

  CONFIG_TEXT: mod_fcgid: stderr: PHP Warning: file_put_contents(/var/log/plesk-roundcube/errors): failed to open stream: Permission denied in /usr/share/psa-roundcube/program/lib/Roundcube/rcube.php on line 1259, referer: http://webmail.example.com/

• SELinux is in 'Enforced' state:

  # getenforce
  Enforcing

• SELinux security context for the /var/log/plesk-roundcube/sendmail is:

  # ls -lZ /var/log/plesk-roundcube/sendmail
  -rw-r-----. roundcube_sysuser roundcube_sysgroup system_u:object_r:cron_log_t:s0

• /var/log/audit/audit.log contains thу following error message:

  CONFIG_TEXT: audit(1521791921.029:461): avc: denied { open } for pid=9978 comm="php-cgi" path="/var/log/plesk-roundcube/sendmail" dev="sda2" ino=1286680 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cron_log_t:s0 tclass=file

Cause

Incorrect security context type cron_log_t set to Roundcube log files, the correct one is var_log_t.

It is a Plesk bug with ID #PPP-35816, which is considered to be fixed in one of the next Plesk updates.

Resolution

1. Connect to the server through SSH

2. Execute the commands below to set valid SELinux type (var_log_t):

   # semanage fcontext -a -t var_log_t /var/log/plesk-roundcube/sendmail
   # semanage fcontext -a -t var_log_t /var/log/plesk-roundcube/errors
   # restorecon -R /var/log/plesk-roundcube/

3. Verify that changes were applied properly:

   # ls -lZ /var/log/plesk-roundcube/sendmail
   -rw-r-----. roundcube_sysuser roundcube_sysgroup system_u:object_r:var_log_t:s0

   # ls -lZ /var/log/plesk-roundcube/errors
   -rw-r-----. roundcube_sysuser roundcube_sysgroup system_u:object_r:var_log_t:s0