One interesting omission from Amazon's Linux AMI is SELinux, and I recently had occasion to install it on a few EC2 instances. The process of installing and enabling SELinux in this environment is actually quite straightforward, although it can require digging through quite a bit of incorrect and obsolete documentation.
The instructions below are what worked for me using the 2012.09 release of the AMI. 2012.09 ships with kernel 3.2.30-49.59.amzn1.x86_64, but these instructions will indeed upgrade it.
The first step is to install the following packages, which include SELinux and some accompanying tools.
[root@EC2]# yum install libselinux libselinux-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted policycoreutils
Now we have to tell the kernel to enable SELinux on boot. Append the following to the kernel line in /etc/grub.conf for your current kernel. Note that if you want to boot into permissive mode, replace enforcing=1 with permissive=1.
selinux=1 security=selinux enforcing=1
In my case the resulting /etc/grub.conf looked like:
# created by imagebuilder
default=0
timeout=1
hiddenmenu
title Amazon Linux 2012.09 (3.2.30-49.59.amzn1.x86_64)
root (hd0)
kernel /boot/vmlinuz-3.2.30-49.59.amzn1.x86_64 root=LABEL=/ console=hvc0 selinux=1 security=selinux enforcing=1
initrd /boot/initramfs-3.2.30-49.59.amzn1.x86_64.img
Now install a new kernel and build a new RAM disk. Don't worry, the options you added above will propagate to the new kernel.
[root@EC2]# yum -y update
Schedule a relabel of the root filesystem for the next boot:
[root@EC2]# touch /.autorelabel
Now examine /etc/selinux/config and ensure the enforcement level and policy you desire are enabled. In my case I stuck with the default fully enforced targeted policy.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Now reboot the instance.
Because the root filesystem was set to be relabeled, rebooting will take a few minutes longer than usual.
Once the instance comes back up, log in and verify your work. If everything went as planned, the getenforce command will produce the following (for full enforcement).
[root@EC2]# getenforce
Enforcing
And you're done! SELinux is installed and operating on your instance.
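As an added example (not part of the original post), here is a small POSIX shell script that checks the three things the steps above depend on after the reboot: the kernel command line carries the grub parameters, /etc/selinux/config still says SELINUX=enforcing, the /.autorelabel trigger was consumed, and the live state from getenforce agrees. It assumes the standard paths /proc/cmdline and /etc/selinux/config and that getenforce is on the PATH; the file arguments exist so the helpers can be exercised against constructed inputs.

```shell
#!/bin/sh
# Added example, not from the original post: post-reboot SELinux verification
# for an instance set up as described above. Assumes the standard paths
# /proc/cmdline and /etc/selinux/config and that getenforce is installed.

# cmdline_has_selinux "<kernel cmdline>": succeed only if the boot line carries
# selinux=1, security=selinux and either enforcing=1 or permissive=1.
cmdline_has_selinux() {
    case " $1 " in *" selinux=1 "*) ;; *) return 1 ;; esac
    case " $1 " in *" security=selinux "*) ;; *) return 1 ;; esac
    case " $1 " in *" enforcing=1 "*|*" permissive=1 "*) return 0 ;; *) return 1 ;; esac
}

# config_mode FILE: print the SELINUX= value from an /etc/selinux/config-style
# file, ignoring comment lines and SELINUXTYPE=; prints "unset" if absent.
config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${mode:-unset}"
}

# check_selinux [CMDLINE_FILE] [CONFIG_FILE]: overall verdict combining the boot
# parameters, the persistent config, the relabel trigger and the live state.
check_selinux() {
    cmdline_file=${1:-/proc/cmdline}
    config_file=${2:-/etc/selinux/config}
    cmdline_has_selinux "$(cat "$cmdline_file")" \
        || { echo "kernel cmdline lacks selinux=1 security=selinux"; return 1; }
    mode=$(config_mode "$config_file")
    [ "$mode" = enforcing ] \
        || { echo "SELINUX=$mode in $config_file (expected enforcing)"; return 1; }
    [ -e /.autorelabel ] \
        && { echo "/.autorelabel still present: relabel has not run yet"; return 1; }
    live=$(getenforce 2>/dev/null) \
        || { echo "getenforce not available: packages missing?"; return 1; }
    [ "$live" = Enforcing ] \
        || { echo "live state is $live, expected Enforcing"; return 1; }
    echo "SELinux enforcing: boot parameters, config and live state agree"
}
```

Run check_selinux with no arguments on the instance; any mismatch between the grub line, the config file and the live state is reported with the offending value.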
Fri Dec 14 2012 00:00:00 GMT+0000 (UTC)