EC2 Small Instance SELINUX disabled at boot

Hi I have an EC2 instance using ami-7fd4e10b AMI and aki-4deec439 kernel

After doing lots of configuration, I was surprised to find it did not have selinux running.  



grep SELINUX /boot/config-`uname -r`

This suggests to me that a kernel setting is to not boot with selinux, and found a message to that effect in /var/log/messages.

So, added selinux=1 in grub.conf and creating the ./autolabel file

in messages
SELinux:  Initializing.


dmesg | grep SELinux
[    0.004000] SELinux:  Initializing.
[    0.004000] SELinux:  Starting in permissive mode
[    0.061441] SELinux:  Registering netfilter hooks

but sestatus still says:
SELinux status:                 disabled

Any thoughts on how I can fix this - had thought SELinux was pretty standard now and surprised it is not working out of the box.

Who is Participating?
unSpawnConnect With a Mentor Commented: says "selinux=0" *allows* for disabling SELinux at bootup. So I went and started a VMware guest with "selinux=0". I couldn't get it back to either permissive or enforcing from that state. From that, since "selinux=1" doesn't work for you I can only suggest to rebuild the kernel with SECURITY_SELINUX_BOOTPARAM_VALUE=1 as that is the only difference shown when I run grep -i selinux /boot/-config-`uname -r` on Centos-5.5.
There's an off chance so before you do CYP post output of 'cat /proc/cmdline; grep selinux_init /proc/kallsyms; grep selinuxfs /proc/filesystems; ls -ld /selinux; ls -l /etc/selinux/targeted/policy; grep SELinux /var/log/messages'?
unSpawnConnect With a Mentor Commented:
Apparently this kernel was built to run w/o SELinux enabled on boot. As you already added "selinux=1" /boot/grub/grub.conf you currently boot into permissive mode.
0. Check your /var/log/audit/ logs if there's any local policy adjustment necessary as you would want for example fscontext changes recorded before enabling enforcing mode.
1. In /etc/selinux/config change "SELINUX=permissive" to read "SELINUX=enforcing" to make enforcing mode stick between reboots.
2. Then "touch /.autorelabel" (or GRUB command line: "autorelabel=1") and reboot to relabel everything and enter enforcing mode.

richp10Author Commented:
>> Apparently this kernel was built to run w/o SELinux enabled on boot.
>> As you already added "selinux=1" /boot/grub/grub.conf you currently boot into
>> permissive mode.

As I say, unfortunately it is not booting into permissive mode;

but sestatus still says:
SELinux status:                 disabled

If it was running permissive, this would say permissive not disabled!

Any other thoughts
Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

richp10Author Commented:
root=LABEL=/ console=hvc0 selinux=1
c136bb1a t selinux_init
c1393e40 t __initcall_selinux_init
nodev   selinuxfs
drwxr-xr-x 2 root root 4096 Jul 22  2010 /selinux
total 1820
-rw-r--r-- 1 root root 1856078 Nov 30 01:51 policy.24
Mar  8 13:24:54 ip-10-234-255-125 klogd: [    0.004000] SELinux:  Initializing.

(until selinux=1 was added, the last message would be Disabled at boot.

dmesg | grep SELinux
[    0.004000] SELinux:  Initializing.
[    0.004000] SELinux:  Starting in permissive mode
[    0.069276] SELinux:  Registering netfilter hooks

In EC2 you can select differernt kernels (though compiling your own looks pretty hard) - I have tried a few different kernels but luck yet!

Any other thoughts...
richp10Author Commented:
I think I can answer my own question - finally found the Amazon EC2 Forum.  

At the present time Amazon Linux AMI's do not support SELinux, though plan to do so in future.  At least and maybe several Centos / RHel AMIs do have SELinux..

If anyone stumbles this way I suggest looking here:

Thanks for the attempts though... I will try and award a part correct answer since you identified that compiling the kernel is in theory the solution, though in this case I cannot do that!
richp10Author Commented:
Correctly spotted that kernel recompile needed - though awaiting Amazon is actually the way forwards!
Thanks. In closing do have a look at and if you can spare the time. Both should convey rolling your own doesn't require the type of survival skills as shown on television ;-p
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.