Solved

EC2 Small Instance SELINUX disabled at boot

Posted on 2011-03-06
7
2,781 Views
Last Modified: 2014-11-12
Hi I have an EC2 instance using ami-7fd4e10b AMI and aki-4deec439 kernel

After doing lots of configuration, I was surprised to find it did not have selinux running.  

/etc/selinux/config

SELINUX=permissive
SELINUXTYPE=targeted
SETLOCALDEFS=0

grep SELINUX /boot/config-`uname -r`
->
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set

This suggests to me that a kernel setting is to not boot with selinux, and found a message to that effect in /var/log/messages.

So, added selinux=1 in grub.conf and creating the ./autolabel file

in messages
SELinux:  Initializing.

and

dmesg | grep SELinux
[    0.004000] SELinux:  Initializing.
[    0.004000] SELinux:  Starting in permissive mode
[    0.061441] SELinux:  Registering netfilter hooks

but sestatus still says:
SELinux status:                 disabled

Any thoughts on how I can fix this - had thought SELinux was pretty standard now and surprised it is not working out of the box.


0
Comment
Question by:richp10
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 7

Assisted Solution

by:unSpawn
unSpawn earned 500 total points
ID: 35059430
Apparently this kernel was built to run w/o SELinux enabled on boot. As you already added "selinux=1" /boot/grub/grub.conf you currently boot into permissive mode.
0. Check your /var/log/audit/ logs if there's any local policy adjustment necessary as you would want for example fscontext changes recorded before enabling enforcing mode.
1. In /etc/selinux/config change "SELINUX=permissive" to read "SELINUX=enforcing" to make enforcing mode stick between reboots.
2. Then "touch /.autorelabel" (or GRUB command line: "autorelabel=1") and reboot to relabel everything and enter enforcing mode.

0
 

Author Comment

by:richp10
ID: 35060925
>> Apparently this kernel was built to run w/o SELinux enabled on boot.
>> As you already added "selinux=1" /boot/grub/grub.conf you currently boot into
>> permissive mode.

As I say, unfortunately it is not booting into permissive mode;

but sestatus still says:
SELinux status:                 disabled

If it was running permissive, this would say permissive not disabled!

Any other thoughts
0
 
LVL 7

Accepted Solution

by:
unSpawn earned 500 total points
ID: 35062997
http://cateee.net/lkddb/web-lkddb/SECURITY_SELINUX_BOOTPARAM_VALUE.html says "selinux=0" *allows* for disabling SELinux at bootup. So I went and started a VMware guest with "selinux=0". I couldn't get it back to either permissive or enforcing from that state. From that, since "selinux=1" doesn't work for you I can only suggest to rebuild the kernel with SECURITY_SELINUX_BOOTPARAM_VALUE=1 as that is the only difference shown when I run grep -i selinux /boot/-config-`uname -r` on Centos-5.5.
There's an off chance so before you do CYP post output of 'cat /proc/cmdline; grep selinux_init /proc/kallsyms; grep selinuxfs /proc/filesystems; ls -ld /selinux; ls -l /etc/selinux/targeted/policy; grep SELinux /var/log/messages'?
0
The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

 

Author Comment

by:richp10
ID: 35068988
root=LABEL=/ console=hvc0 selinux=1
c136bb1a t selinux_init
c1393e40 t __initcall_selinux_init
nodev   selinuxfs
drwxr-xr-x 2 root root 4096 Jul 22  2010 /selinux
total 1820
-rw-r--r-- 1 root root 1856078 Nov 30 01:51 policy.24
Mar  8 13:24:54 ip-10-234-255-125 klogd: [    0.004000] SELinux:  Initializing.

(until selinux=1 was added, the last message would be Disabled at boot.

dmesg | grep SELinux
[    0.004000] SELinux:  Initializing.
[    0.004000] SELinux:  Starting in permissive mode
[    0.069276] SELinux:  Registering netfilter hooks

In EC2 you can select differernt kernels (though compiling your own looks pretty hard) - I have tried a few different kernels but luck yet!

Any other thoughts...
0
 

Author Comment

by:richp10
ID: 35069151
I think I can answer my own question - finally found the Amazon EC2 Forum.  

At the present time Amazon Linux AMI's do not support SELinux, though plan to do so in future.  At least and maybe several Centos / RHel AMIs do have SELinux..

If anyone stumbles this way I suggest looking here:

https://forums.aws.amazon.com/index.jspa?categoryID=1



Thanks for the attempts though... I will try and award a part correct answer since you identified that compiling the kernel is in theory the solution, though in this case I cannot do that!
0
 

Author Closing Comment

by:richp10
ID: 35069167
Correctly spotted that kernel recompile needed - though awaiting Amazon is actually the way forwards!
0
 
LVL 7

Expert Comment

by:unSpawn
ID: 35071521
Thanks. In closing do have a look at http://jaws-ug.jp/documents/mvei37/at_download/file and http://wiki.virtastic.com/display/howto/Core+CentOS+5.5+and+Kernel+on+EC2 if you can spare the time. Both should convey rolling your own doesn't require the type of survival skills as shown on television ;-p
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Your data is at risk. Probably more today that at any other time in history. There are simply more people with more access to the Web with bad intentions.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question