Applicable to:
- Plesk for Linux
Symptoms
-
An entire website does not work or images for newly uploaded posts could not be displayed:
CONFIG_TEXT: 403 Forbidden
-
SELinux policy is in enforcing state:
# getenforce
Enforcing -
psa-selinuxpackage may be absent. The command below returns nothing:# rpm -qa | grep psa-selinux
-
Errors like below may be found in
/var/www/vhosts/system/example.com/logs/error_log:PLESK_INFO: [core:error] [pid 26162:tid 140174260410112] (13)Permission denied: [client 203.0.113.2:37894] AH00035: access to /favicon.ico denied (filesystem path '/var/www/vhosts/example.com/httpdocs/favicon.ico') because search permissions are missing on a component of the path, referer: http://example.com/wp-login.php
-
audit2allowshows the following info:PLESK_INFO: type=AVC msg=audit(1520785969.954:4592): avc: denied { getattr } for pid=26162 comm="httpd" path="/var/www/vhosts/example.com/httpdocs/favicon.ico" dev="sda2" ino=2229363 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
Cause
Invalid SELinux security context. For example, SELinux security contexts for the uploaded images can show:
# ls -Z /var/www/vhosts/example.com/httpdocs/wp-content/uploads/image.jpg
system_u:object_r:initrc_tmp_t:s0 /var/www/vhosts/example.com/httpdocs/wp-content/uploads/image.jpg
Resolution
-
Connect to the server through SSH;
-
Install
psa-selinuxpackage if it is missing:# yum install psa-selinux
-
Restore broken SELinux security contexts for the affected website files:
# restorecon -R /var/www/vhosts/example.com/httpdocs/
Comments
Please sign in to leave a comment.