Solved

EC2 Small Instance SELINUX disabled at boot

Posted on 2011-03-06
Last Modified: 2014-11-12
Hi, I have an EC2 instance using the ami-7fd4e10b AMI and the aki-4deec439 kernel.

After doing lots of configuration, I was surprised to find it did not have selinux running.  

/etc/selinux/config

SELINUX=permissive
SELINUXTYPE=targeted
SETLOCALDEFS=0

grep SELINUX /boot/config-`uname -r`
->
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set

This suggests to me that a kernel setting is not to boot with SELinux, and I found a message to that effect in /var/log/messages.

So I added selinux=1 in grub.conf and created the ./autolabel file.

In messages:
SELinux:  Initializing.

and

dmesg | grep SELinux
[    0.004000] SELinux:  Initializing.
[    0.004000] SELinux:  Starting in permissive mode
[    0.061441] SELinux:  Registering netfilter hooks

but sestatus still says:
SELinux status:                 disabled

Any thoughts on how I can fix this? I had thought SELinux was pretty standard now and am surprised it is not working out of the box.


Question by:richp10
LVL 7

Assisted Solution

by:unSpawn
unSpawn earned 500 total points
ID: 35059430
Apparently this kernel was built to run w/o SELinux enabled on boot. As you already added "selinux=1" to /boot/grub/grub.conf, you currently boot into permissive mode.
0. Check your /var/log/audit/ logs to see if any local policy adjustment is necessary, as you would want, for example, fscontext changes recorded before enabling enforcing mode.
1. In /etc/selinux/config change "SELINUX=permissive" to read "SELINUX=enforcing" to make enforcing mode stick between reboots.
2. Then "touch /.autorelabel" (or GRUB command line: "autorelabel=1") and reboot to relabel everything and enter enforcing mode.

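The three steps above as a rehearsable script. This is an added example, not code from unSpawn or from the thread: each function takes its paths as arguments so the sequence can be tried on a scratch copy of /etc/selinux/config before it is pointed at the real file and at /; the audit record and config text in demo() are constructed sample data, and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): unSpawn's steps 0-2 as POSIX sh functions.
# Paths are parameters so the sequence can be rehearsed in a scratch directory.

# Step 0: list unique AVC denials (source context, target context, class) from an
# audit log. These are what local policy adjustments must cover before enforcing
# mode is switched on; an empty result means nothing was denied in permissive mode.
audit_denials() {
  grep 'type=AVC' "$1" | grep ' denied ' \
    | sed -n 's/.*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\1 \2 \3/p' \
    | sort -u
}

# Step 1: rewrite the SELINUX= line of a selinux config file. Only the three values
# the file accepts are allowed; SELINUXTYPE= is untouched because the pattern anchors
# on "SELINUX=". Returns 2 on a bad mode, 1 if the file has no SELINUX= line.
set_selinux_mode() {
  cfg=$1; mode=$2
  case $mode in
    enforcing|permissive|disabled) ;;
    *) echo "set_selinux_mode: bad mode '$mode'" >&2; return 2 ;;
  esac
  grep -q '^SELINUX=' "$cfg" || return 1
  sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Read the configured mode back, to confirm the edit took before rebooting.
get_selinux_mode() {
  sed -n 's/^SELINUX=\(.*\)/\1/p' "$1"
}

# Step 2: request a full relabel on the next boot. On a real host $1 is "/" and the
# file is /.autorelabel; the kernel parameter autorelabel=1 is the alternative.
schedule_relabel() {
  : > "$1/.autorelabel"
}

# Rehearsal against a scratch directory; run as "sh this.sh --demo".
demo() {
  d=$(mktemp -d)
  printf 'SELINUX=permissive\nSELINUXTYPE=targeted\nSETLOCALDEFS=0\n' > "$d/config"
  # constructed audit record, in the shape auditd writes for a denial
  printf 'type=AVC msg=audit(1299420000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=xvda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file\n' > "$d/audit.log"
  echo "denials to cover first:"; audit_denials "$d/audit.log"
  set_selinux_mode "$d/config" enforcing
  echo "configured mode: $(get_selinux_mode "$d/config")"
  schedule_relabel "$d"
  ls -l "$d/.autorelabel"
  rm -rf "$d"
}

case ${1:-} in --demo) demo ;; esac
```

Running the rehearsal first matters because step 1 followed by a reboot is a one-way trip into enforcing mode: anything audit_denials prints is a service that will start failing once the mode sticks.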

Author Comment

by:richp10
ID: 35060925
>> Apparently this kernel was built to run w/o SELinux enabled on boot.
>> As you already added "selinux=1" /boot/grub/grub.conf you currently boot into
>> permissive mode.

As I say, unfortunately it is not booting into permissive mode;

but sestatus still says:
SELinux status:                 disabled

If it was running permissive, this would say permissive not disabled!

Any other thoughts?
LVL 7

Accepted Solution

by:unSpawn
unSpawn earned 500 total points
ID: 35062997
http://cateee.net/lkddb/web-lkddb/SECURITY_SELINUX_BOOTPARAM_VALUE.html says "selinux=0" *allows* for disabling SELinux at bootup. So I went and started a VMware guest with "selinux=0". I couldn't get it back to either permissive or enforcing from that state. From that, since "selinux=1" doesn't work for you, I can only suggest rebuilding the kernel with SECURITY_SELINUX_BOOTPARAM_VALUE=1, as that is the only difference shown when I run grep -i selinux /boot/config-`uname -r` on CentOS 5.5.
There's an off chance, so before you do, could you please post the output of 'cat /proc/cmdline; grep selinux_init /proc/kallsyms; grep selinuxfs /proc/filesystems; ls -ld /selinux; ls -l /etc/selinux/targeted/policy; grep SELinux /var/log/messages'?
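
An added example, not from the thread, that turns the evidence asked for above into a verdict. It takes the kernel config, /proc/cmdline, /proc/mounts and dmesg as text, so it can be run over output pasted into a thread like this one as well as on the live host. It reads /proc/mounts where the request above uses 'ls -ld /selinux', because sestatus reports "disabled" when it cannot find selinuxfs mounted (older libselinux also returns disabled when no policy has been loaded yet). The mount-point names, the verdict wording and the constructed sample values are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the SELinux boot diagnostics.
# Every function takes file contents as a string; demo() reads the live files.

# What the kernel does with SELinux when the command line says nothing:
#   absent   - CONFIG_SECURITY_SELINUX is not built in
#   disabled - BOOTPARAM=y and BOOTPARAM_VALUE=0 (the config posted in the question)
#   enabled  - built in and either no boot parameter or BOOTPARAM_VALUE=1
kernel_default() {
  cfg=$1
  printf '%s\n' "$cfg" | grep -q '^CONFIG_SECURITY_SELINUX=y' || { echo absent; return 0; }
  if printf '%s\n' "$cfg" | grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM=y' \
     && printf '%s\n' "$cfg" | grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0'; then
    echo disabled
  else
    echo enabled
  fi
}

# The selinux= value on the kernel command line; the last one wins, empty if none.
cmdline_override() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^selinux=\([01]\)$/\1/p' | tail -n 1
}

# Combine config default and command line: does the kernel start its SELinux code?
kernel_starts_selinux() {
  d=$(kernel_default "$1")
  [ "$d" = absent ] && { echo no; return 0; }
  case $(cmdline_override "$2") in
    0) echo no ;;
    1) echo yes ;;
    *) [ "$d" = enabled ] && echo yes || echo no ;;
  esac
}

# Registering the filesystem type (what /proc/filesystems shows) is not the same as
# having it mounted; sestatus needs the mount (/selinux on old trees, /sys/fs/selinux
# on newer ones). $1 is the text of /proc/mounts, whose third field is the fs type.
selinuxfs_mounted() {
  printf '%s\n' "$1" | awk '$3 == "selinuxfs" { found = 1 } END { exit !found }'
}

# One-line verdict from the four pieces of evidence, in the order they can fail.
verdict() {
  cfg=$1; cmdline=$2; mounts=$3; dmesg=$4
  if [ "$(kernel_starts_selinux "$cfg" "$cmdline")" = no ]; then
    echo "kernel boots with SELinux off (kernel default: $(kernel_default "$cfg"); cmdline selinux=$(cmdline_override "$cmdline"))"
  elif ! printf '%s\n' "$dmesg" | grep -q 'SELinux:  Initializing'; then
    echo "selinux=1 should apply but there is no SELinux init message: check the cmdline actually reached the kernel"
  elif ! selinuxfs_mounted "$mounts"; then
    echo "kernel initialised SELinux but selinuxfs is not mounted: userland never brought SELinux up (no policy load), so sestatus reports disabled"
  else
    echo "SELinux is up; the mode comes from /etc/selinux/config"
  fi
}

# Live run on this host: "sh this.sh --live".
demo() {
  verdict "$(cat /boot/config-"$(uname -r)" 2>/dev/null)" "$(cat /proc/cmdline 2>/dev/null)" \
          "$(cat /proc/mounts 2>/dev/null)" "$(dmesg 2>/dev/null)"
}

case ${1:-} in --live) demo ;; esac
```

Fed the values posted in this thread (BOOTPARAM_VALUE=0, a cmdline carrying selinux=1, an "Initializing" line in dmesg, and no selinuxfs mount), the verdict is the third branch: the kernel side is fine after the grub change, and the remaining gap is in the AMI's userland, which is where the thread ends up.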

Author Comment

by:richp10
ID: 35068988
root=LABEL=/ console=hvc0 selinux=1
c136bb1a t selinux_init
c1393e40 t __initcall_selinux_init
nodev   selinuxfs
drwxr-xr-x 2 root root 4096 Jul 22  2010 /selinux
total 1820
-rw-r--r-- 1 root root 1856078 Nov 30 01:51 policy.24
Mar  8 13:24:54 ip-10-234-255-125 klogd: [    0.004000] SELinux:  Initializing.

(Until selinux=1 was added, the last message would be "Disabled at boot".)

dmesg | grep SELinux
[    0.004000] SELinux:  Initializing.
[    0.004000] SELinux:  Starting in permissive mode
[    0.069276] SELinux:  Registering netfilter hooks

In EC2 you can select different kernels (though compiling your own looks pretty hard) - I have tried a few different kernels but no luck yet!

Any other thoughts...

Author Comment

by:richp10
ID: 35069151
I think I can answer my own question; I finally found the Amazon EC2 forum.

At the present time Amazon Linux AMIs do not support SELinux, though they plan to do so in future. At least one, and maybe several, CentOS / RHEL AMIs do have SELinux.

If anyone stumbles this way I suggest looking here:

https://forums.aws.amazon.com/index.jspa?categoryID=1

Thanks for the attempts though... I will try and award a partly correct answer since you identified that compiling the kernel is in theory the solution, though in this case I cannot do that!

Author Closing Comment

by:richp10
ID: 35069167
Correctly spotted that a kernel recompile is needed - though waiting for Amazon is actually the way forward!
LVL 7

Expert Comment

by:unSpawn
ID: 35071521
Thanks. In closing do have a look at http://jaws-ug.jp/documents/mvei37/at_download/file and http://wiki.virtastic.com/display/howto/Core+CentOS+5.5+and+Kernel+on+EC2 if you can spare the time. Both should convey rolling your own doesn't require the type of survival skills as shown on television ;-p