Chris Umbel

SELinux on Amazon's AWS Linux AMI

One interesting omission from Amazon's Linux AMI is SElinux and I recently had occasion to install it on a few EC2 instances. The process of installing and enabling SELinux in this environment is actually quite strait-forward, although it can require digging through quite a bit of incorrect and obsolete documentation.

The instructions below are what worked for me using the 2012.09 relase of the AMI. 2012.09 ships with kernel (3.2.30-49.59.amzn1.x86_64), but these instruction will indeed upgrade it.

The first step is to install the following packages which include SELinux and some accompanying tools.

[root@EC2]# yum install libselinux libselinux-utils libselinux-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted policycoreutils 

Now we have to tell the kernel to enable SELinux on boot. Append the following to the kernel line in your /etc/grub.conf for your current kernel. Note that if you want to boot into permissive mode replace enforcing=1 with permissive=1.

selinux=1 security=selinux enforcing=1

In my case the resulting /etc/grub.conf looked like:

# created by imagebuilder 

title Amazon Linux 2012.09 (3.2.30-49.59.amzn1.x86_64)

root (hd0)
kernel /boot/vmlinuz-3.2.30-49.59.amzn1.x86_64 root=LABEL=/ console=hvc0 selinux=1 security=selinux enforcing=1
initrd /boot/initramfs-3.2.30-49.59.amzn1.x86_64.img

Now install a new kernel and build a new RAM disk. Don't worry, the options you added above will propogate to the new kernel.

[root@EC2]# yum -y update

Relabel the root filesystem

[root@EC2]# touch /.autorelabel

Now examine /etc/selinux/config and ensure the enforcement level and policy you desire are enabled. In my case I stuck with the default fully enforced targeted policy.

# This file controls the state of SELinux on the system. 

# SELINUX= can take one of these three values: 
# enforcing - SELinux security policy is enforced. 
# permissive - SELinux prints warnings instead of enforcing. 
# disabled - No SELinux policy is loaded. 
# SELINUXTYPE= can take one of these two values: 
# targeted - Targeted processes are protected, 
# mls - Multi Level Security protection. 

Now reboot the instance

[root@EC2]# reboot

Because the root file-system was set to be relabeled rebooting will take a few minutes longer than usual.

Once the instance comes back up log in and verify your work. If everything went as planned the getenforce command will generate the following (for full enforcement).

[root@EC2]# getenforce 

And you're done! SELinux is installed and operating on your instance.

Fri Dec 14 2012 00:00:00 GMT+0000 (UTC)

Follow Chris
RSS Feed