Solved

EC2 Small Instance SELINUX disabled at boot

Posted on 2011-03-06
7
2,650 Views
Last Modified: 2014-11-12
Hi I have an EC2 instance using ami-7fd4e10b AMI and aki-4deec439 kernel

After doing lots of configuration, I was surprised to find it did not have selinux running.  

/etc/selinux/config

SELINUX=permissive
SELINUXTYPE=targeted
SETLOCALDEFS=0

grep SELINUX /boot/config-`uname -r`
->
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set

This suggests to me that a kernel setting is to not boot with selinux, and found a message to that effect in /var/log/messages.

So, added selinux=1 in grub.conf and creating the ./autolabel file

in messages
SELinux:  Initializing.

and

dmesg | grep SELinux
[    0.004000] SELinux:  Initializing.
[    0.004000] SELinux:  Starting in permissive mode
[    0.061441] SELinux:  Registering netfilter hooks

but sestatus still says:
SELinux status:                 disabled

Any thoughts on how I can fix this - had thought SELinux was pretty standard now and surprised it is not working out of the box.


0
Comment
Question by:richp10
  • 4
  • 3
7 Comments
 
LVL 7

Assisted Solution

by:unSpawn
unSpawn earned 500 total points
ID: 35059430
Apparently this kernel was built to run w/o SELinux enabled on boot. As you already added "selinux=1" /boot/grub/grub.conf you currently boot into permissive mode.
0. Check your /var/log/audit/ logs if there's any local policy adjustment necessary as you would want for example fscontext changes recorded before enabling enforcing mode.
1. In /etc/selinux/config change "SELINUX=permissive" to read "SELINUX=enforcing" to make enforcing mode stick between reboots.
2. Then "touch /.autorelabel" (or GRUB command line: "autorelabel=1") and reboot to relabel everything and enter enforcing mode.

0
 

Author Comment

by:richp10
ID: 35060925
>> Apparently this kernel was built to run w/o SELinux enabled on boot.
>> As you already added "selinux=1" /boot/grub/grub.conf you currently boot into
>> permissive mode.

As I say, unfortunately it is not booting into permissive mode;

but sestatus still says:
SELinux status:                 disabled

If it was running permissive, this would say permissive not disabled!

Any other thoughts
0
 
LVL 7

Accepted Solution

by:
unSpawn earned 500 total points
ID: 35062997
http://cateee.net/lkddb/web-lkddb/SECURITY_SELINUX_BOOTPARAM_VALUE.html says "selinux=0" *allows* for disabling SELinux at bootup. So I went and started a VMware guest with "selinux=0". I couldn't get it back to either permissive or enforcing from that state. From that, since "selinux=1" doesn't work for you I can only suggest to rebuild the kernel with SECURITY_SELINUX_BOOTPARAM_VALUE=1 as that is the only difference shown when I run grep -i selinux /boot/-config-`uname -r` on Centos-5.5.
There's an off chance so before you do CYP post output of 'cat /proc/cmdline; grep selinux_init /proc/kallsyms; grep selinuxfs /proc/filesystems; ls -ld /selinux; ls -l /etc/selinux/targeted/policy; grep SELinux /var/log/messages'?
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:richp10
ID: 35068988
root=LABEL=/ console=hvc0 selinux=1
c136bb1a t selinux_init
c1393e40 t __initcall_selinux_init
nodev   selinuxfs
drwxr-xr-x 2 root root 4096 Jul 22  2010 /selinux
total 1820
-rw-r--r-- 1 root root 1856078 Nov 30 01:51 policy.24
Mar  8 13:24:54 ip-10-234-255-125 klogd: [    0.004000] SELinux:  Initializing.

(until selinux=1 was added, the last message would be Disabled at boot.

dmesg | grep SELinux
[    0.004000] SELinux:  Initializing.
[    0.004000] SELinux:  Starting in permissive mode
[    0.069276] SELinux:  Registering netfilter hooks

In EC2 you can select differernt kernels (though compiling your own looks pretty hard) - I have tried a few different kernels but luck yet!

Any other thoughts...
0
 

Author Comment

by:richp10
ID: 35069151
I think I can answer my own question - finally found the Amazon EC2 Forum.  

At the present time Amazon Linux AMI's do not support SELinux, though plan to do so in future.  At least and maybe several Centos / RHel AMIs do have SELinux..

If anyone stumbles this way I suggest looking here:

https://forums.aws.amazon.com/index.jspa?categoryID=1



Thanks for the attempts though... I will try and award a part correct answer since you identified that compiling the kernel is in theory the solution, though in this case I cannot do that!
0
 

Author Closing Comment

by:richp10
ID: 35069167
Correctly spotted that kernel recompile needed - though awaiting Amazon is actually the way forwards!
0
 
LVL 7

Expert Comment

by:unSpawn
ID: 35071521
Thanks. In closing do have a look at http://jaws-ug.jp/documents/mvei37/at_download/file and http://wiki.virtastic.com/display/howto/Core+CentOS+5.5+and+Kernel+on+EC2 if you can spare the time. Both should convey rolling your own doesn't require the type of survival skills as shown on television ;-p
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
Companies keep a much closer eye on costs today, so changing to new Technology – Microsoft Office 365 is the smartest move to take.
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now