Applicable to:
- Plesk for Linux
Symptoms
-
Users encounter an error when attempting to block an IP address using Fail2Ban in Plesk. The error message states:
ERROR:__main__Command ['set', 'plesk-one-week-ban', 'banip', '203.0.112.1'] failed with error UnknownJailException('plesk-one-week-ban').
-
Reloading fail2ban gives a permission error.
# fail2ban-client reload
2024-12-05 16:11:12,990 fail2ban [3005163]: ERROR NOK: (13, 'Permission denied')
[Errno 13] Permission denied: '/var/www/vhosts/system/example.com/logs/error_log' -
SELinux context of file seen in error above is
httpd_sys_content
instead of the correct one,httpd_log_t
:# ls -Z /var/www/vhosts/system/example.com/logs/error_log
system_u:object_r:httpd_sys_content_t:s0 /var/www/vhosts/system/example.com/logs/error_log -
Audit log file
/var/log/audit/audit.log
shows a denied request regarding fail2ban-server:# egrep "fail2ban-server" /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1733411472.982:1927101): avc: denied { read } for pid=2373127 comm="fail2ban-server" name="error_log" dev="sda1" ino=230808319 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
Cause
The issue is caused by incorrect SELinux context for the log files that Fail2Ban needs to access.
Resolution
-
Connect to the server via SSH
-
Remove currently installed psa-selinux package via Plesk installer:
# plesk installer --select-product-id plesk --select-release-current --remove-component selinux
-
Reinstall currently installed psa-selinux package via Plesk installer
# plesk installer --select-product-id plesk --select-release-current --install-component selinux
-
Check again context of affected file, it should look like this:
# ls -Z /var/www/vhosts/system/example.com/logs/error_log
system_u:object_r:httpd_log_t:s0 /var/www/vhosts/system/example.com/logs/error_log
Comments
0 comments
Please sign in to leave a comment.