Back to Changelog
v1.0.255
Consolidated release covering RHEL-family Plesk migration fixes, Apache systemd hardening, AppArmor system-wide profile management, AppArmor mode control and kernel unload, and migration adapter improvements for 5 control panels with Legacy PHP Docker runtime builder.
New Features
9- New endpoint GET /api/v1/apparmor/all-profiles — returns all kernel-loaded AppArmor profiles (100+) with category breakdown (panelica/php-fpm/snap/docker/container/system/other), mode filter, and search support. Read-only; does not affect existing DB-managed profile workflow
- New endpoint GET /api/v1/apparmor/settings/info — returns AppArmor service status, cache size, profile counts, and last reload time
- New endpoint POST /api/v1/apparmor/settings/reload-all — reloads all /etc/apparmor.d/* profiles via apparmor_parser -r --write-cache
- New endpoint POST /api/v1/apparmor/settings/clear-cache — clears /var/cache/apparmor/ profile cache
- New endpoint POST /api/v1/apparmor/settings/bulk-mode — applies enforce/complain/disabled mode to all Panelica-managed profiles in bulk (Snap, Docker, and system profiles are excluded)
- New endpoint POST /api/v1/apparmor/settings/clear-events — removes all AppArmor event records from the database
- New endpoint POST /api/v1/apparmor/settings/service — enables or disables the AppArmor systemd service
- Added POST /api/v1/apparmor/all-profiles/set-mode endpoint (ROOT-only) supporting enforce, complain, and disabled modes for snap, docker, system, and Panelica-managed profiles
- Legacy PHP runtime builder: Docker-based isolated build pipeline for PHP 5.6 through 7.4
Improvements
11- rsync flags extended with --xattrs --acls for RHEL sources; post-transfer restorecon -R applied on RHEL targets to restore SELinux contexts
- Source OS detection (/etc/os-release) now populated on every migration run, not only on first connect
- All new AppArmor settings endpoints are ROOT-only and protected by RBAC
- is_editable field in GET /apparmor/all-profiles response is now always true for all profile types, enabling uniform mode control across the UI
- Disabled mode correctly unloads the profile from the kernel via apparmor_parser -R, while enforce and complain reload via -r and -rC respectively
- DB-managed profiles have their mode field synced to the database on mode change; system cache is invalidated after each operation
- Disable path now: stop service + unload all profiles from /etc/apparmor.d and /var/lib/snapd/apparmor/profiles
- Enable path now: start service + reload all profiles back into the kernel (no reboot required)
- AppArmor profile and cron service configuration refinements
- Postfix and Dovecot configuration updates for improved mail handling
- i18n 31-language key parity enforcement with automated drift detection
Bug Fixes
16- Plesk source migration: SSL certificates now read from psa.certificates BLOB instead of hash-named files, fixing cert import on RHEL-based Plesk hosts
- DNS zone records (A/MX/TXT/SPF/DKIM/DMARC/CNAME) imported via new BIND parser step, preventing silent DNS gaps on RHEL sources
- Mail password decryption switched from xxd to POSIX od -An -tx1 so RHEL minimal installs no longer fall back to regenerated passwords
- Fixed plesk bin mail --list syntax (parameter-less command, Go-side domain filter) for RHEL Plesk 18.x compatibility
- Corrected Plesk domains-hosting-sys_users JOIN that was cross-mapping domain owners, causing wrong user assignments during migration
- Maildir ownership now uses system_users.SystemUID/GID with mode 700 instead of hardcoded values
- Apache systemd service: StartLimitIntervalSec and StartLimitBurst moved from [Service] to [Unit] section for systemd 248+ compatibility (Ubuntu 24.04 systemd 255, AlmaLinux 9 systemd 252)
- Apache systemd service: Restart policy changed from on-failure to always — ensures automatic restart on clean exit (exit 0), preventing prolonged downtime in graceful-stop scenarios
- Disable AppArmor button now properly unloads all kernel-loaded profiles via apparmor_parser -R, not just stops the service unit
- Previously, stopping the apparmor service only prevented future profile loads but left already-loaded profiles in enforce/complain mode
- Snap applications (rclone, firefox, etc.) and system profiles are now fully unconfined after Disable, as expected
- Plesk migration: DNS zone transfer and 32 database detection fix for RHEL-based systems
- HestiaCP migration: domain discovery opt-in mode to prevent accidental import
- CWP (CentOS Web Panel) migration: user mapping and SSL certificate handling improvements
- CyberPanel migration: mail hash preservation and database website-scope detection fix
- CloudPanel migration: www. prefix domain recognition bug fix