Solved

EC2 Small Instance SELINUX disabled at boot

Posted on 2011-03-06
Last Modified: 2014-11-12
Hi, I have an EC2 instance using the ami-7fd4e10b AMI and the aki-4deec439 kernel.

After doing lots of configuration, I was surprised to find it did not have selinux running.

/etc/selinux/config

SELINUX=permissive
SELINUXTYPE=targeted
SETLOCALDEFS=0

grep SELINUX /boot/config-`uname -r`
->
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set

This suggests to me that a kernel setting is to not boot with selinux, and I found a message to that effect in /var/log/messages.

So, I added selinux=1 in grub.conf and created the ./autolabel file.

In messages:
SELinux:  Initializing.

and

dmesg | grep SELinux
[    0.004000] SELinux:  Initializing.
[    0.004000] SELinux:  Starting in permissive mode
[    0.061441] SELinux:  Registering netfilter hooks

but sestatus still says:
SELinux status:                 disabled

Any thoughts on how I can fix this? I had thought SELinux was pretty standard now and am surprised it is not working out of the box.


Question by:richp10

7 Comments

Assisted Solution

by:unSpawn
ID: 35059430
Apparently this kernel was built to run w/o SELinux enabled on boot. As you already added "selinux=1" to /boot/grub/grub.conf, you currently boot into permissive mode.
0. Check your /var/log/audit/ logs for any local policy adjustment that is necessary, as you would want, for example, fscontext changes recorded before enabling enforcing mode.
1. In /etc/selinux/config change "SELINUX=permissive" to read "SELINUX=enforcing" to make enforcing mode stick between reboots.
2. Then "touch /.autorelabel" (or on the GRUB command line: "autorelabel=1") and reboot to relabel everything and enter enforcing mode.

Author Comment

by:richp10
ID: 35060925
>> Apparently this kernel was built to run w/o SELinux enabled on boot.
>> As you already added "selinux=1" /boot/grub/grub.conf you currently boot into
>> permissive mode.

As I say, unfortunately it is not booting into permissive mode;

but sestatus still says:
SELinux status:                 disabled

If it was running permissive, this would say permissive not disabled!

Any other thoughts?

Accepted Solution

by:unSpawn
ID: 35062997
http://cateee.net/lkddb/web-lkddb/SECURITY_SELINUX_BOOTPARAM_VALUE.html says "selinux=0" *allows* for disabling SELinux at bootup. So I went and started a VMware guest with "selinux=0". I couldn't get it back to either permissive or enforcing from that state. From that, since "selinux=1" doesn't work for you, I can only suggest rebuilding the kernel with SECURITY_SELINUX_BOOTPARAM_VALUE=1, as that is the only difference shown when I run grep -i selinux /boot/config-`uname -r` on CentOS 5.5.
There's an off chance, so before you do, could you please post the output of 'cat /proc/cmdline; grep selinux_init /proc/kallsyms; grep selinuxfs /proc/filesystems; ls -ld /selinux; ls -l /etc/selinux/targeted/policy; grep SELinux /var/log/messages'?
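A defender who wants to predict which state a host will boot into from the three inputs this thread inspects (the kernel build config, the kernel command line and /etc/selinux/config) can script the rule the accepted answer relies on: with CONFIG_SECURITY_SELINUX_BOOTPARAM=y the compiled-in BOOTPARAM_VALUE is the default and a selinux=N on the command line overrides it; only once the kernel has SELinux enabled does the SELINUX= line in the config file pick permissive or enforcing, with enforcing=N on the command line taking precedence over that file. This is an added example, not code from the thread; selinux_boot_state and kopt are names chosen here, and the sample files are constructed from the values posted above rather than read from a live host.

```shell
#!/bin/sh
# Constructed sample inputs (modelled on the values posted in the thread).
TMP=$(mktemp -d)
cat > "$TMP/kconfig" <<'EOF'
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DISABLE=y
EOF
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$TMP/se_permissive"
printf 'SELINUX=enforcing\n' > "$TMP/se_enforcing"
printf 'SELINUX=disabled\n'  > "$TMP/se_disabled"

# kopt OPTION FILE: value of a CONFIG_ option, empty if the option is not set.
kopt() { sed -n "s/^$1=//p" "$2"; }

# selinux_boot_state KCONFIG "CMDLINE" SELINUX_CONFIG
# Prints disabled, permissive or enforcing.
selinux_boot_state() {
  kconf=$1 cmdline=$2 seconf=$3
  if [ "$(kopt CONFIG_SECURITY_SELINUX "$kconf")" != y ]; then
    echo disabled; return        # SELinux not compiled in at all
  fi
  # Compiled-in default (1 when the kernel has no boot parameter support).
  enabled=$(kopt CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE "$kconf")
  enabled=${enabled:-1}
  enforce=""                     # enforcing=N from the command line, if given
  for tok in $cmdline; do
    case $tok in
      selinux=*)   # honoured only when the kernel was built with BOOTPARAM=y
        if [ "$(kopt CONFIG_SECURITY_SELINUX_BOOTPARAM "$kconf")" = y ]; then
          enabled=${tok#selinux=}
        fi ;;
      enforcing=*) enforce=${tok#enforcing=} ;;
    esac
  done
  if [ "${enabled:-0}" -eq 0 ] 2>/dev/null; then
    echo disabled; return        # the thread's kernel: off unless selinux=1 is passed
  fi
  mode=$(sed -n 's/^SELINUX=//p' "$seconf")
  if [ "$mode" = disabled ] && [ "$(kopt CONFIG_SECURITY_SELINUX_DISABLE "$kconf")" = y ]; then
    echo disabled; return        # init switches it off at runtime through selinuxfs
  fi
  # enforcing=N on the command line wins over the config file; otherwise the
  # config decides, and anything other than "enforcing" leaves permissive mode.
  if [ -n "$enforce" ]; then mode=$([ "$enforce" = 0 ] && echo permissive || echo enforcing); fi
  [ "$mode" = enforcing ] && echo enforcing || echo permissive
}
selinux_boot_state "$TMP/kconfig" "root=LABEL=/ console=hvc0 selinux=1" "$TMP/se_permissive"
```

On a real host, the three arguments would be /boot/config-`uname -r`, the contents of /proc/cmdline and /etc/selinux/config; a result that disagrees with sestatus is the signal to dig further, as the thread does.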
Author Comment

by:richp10
ID: 35068988
root=LABEL=/ console=hvc0 selinux=1
c136bb1a t selinux_init
c1393e40 t __initcall_selinux_init
nodev   selinuxfs
drwxr-xr-x 2 root root 4096 Jul 22  2010 /selinux
total 1820
-rw-r--r-- 1 root root 1856078 Nov 30 01:51 policy.24
Mar  8 13:24:54 ip-10-234-255-125 klogd: [    0.004000] SELinux:  Initializing.

(Until selinux=1 was added, the last message would be "Disabled at boot".)

dmesg | grep SELinux
[    0.004000] SELinux:  Initializing.
[    0.004000] SELinux:  Starting in permissive mode
[    0.069276] SELinux:  Registering netfilter hooks

In EC2 you can select different kernels (though compiling your own looks pretty hard). I have tried a few different kernels but no luck yet!

Any other thoughts...
Author Comment

by:richp10
ID: 35069151
I think I can answer my own question; I finally found the Amazon EC2 Forum.

At the present time Amazon Linux AMIs do not support SELinux, though they plan to do so in future. At least one, and maybe several, CentOS / RHEL AMIs do have SELinux.

If anyone stumbles this way I suggest looking here:

https://forums.aws.amazon.com/index.jspa?categoryID=1

Thanks for the attempts though... I will try and award a partially correct answer, since you identified that compiling the kernel is in theory the solution, though in this case I cannot do that!

Author Closing Comment

by:richp10
ID: 35069167
Correctly spotted that a kernel recompile is needed, though awaiting Amazon is actually the way forward!

Expert Comment

by:unSpawn
ID: 35071521
Thanks. In closing, do have a look at http://jaws-ug.jp/documents/mvei37/at_download/file and http://wiki.virtastic.com/display/howto/Core+CentOS+5.5+and+Kernel+on+EC2 if you can spare the time. Both should convey that rolling your own doesn't require the type of survival skills shown on television ;-p