SELinux Usage in Alibaba Cloud ECS

By Fabien Loquet, Solutions Architect

Many enterprise are looking for securing as much as possible their infrastructure at all levels. Different mechanisms exists depending on the level that you want to secure: SSL for Internet communications, encryption at rest for storage, authentication at the application layer, and many more. At the OS layer, Linux provides a security mechanism that is built in the kernel, known as SELinux.

It is an advanced access control mechanism developed by the US National Security Agency to protect computer systems from malicious intrusion and tampering. It is now available in the public domain and included in various distributions.

SELinux is often seen as a complex and confusing topic. It can, however, greatly reduce security risks.

On Alibaba Cloud, SElinux is disabled by default on all Elastic Compute Service (ECS) Linux OS public images. As a matter of fact, it is explicitly mentioned not to enable it (https://www.alibabacloud.com/help/doc-detail/25430.htm):?spm=a2c41.12662941.0.0.3f0a23eajhDR1v&file=25430.htm):

Image for post
Image for post

The reason behind it is that without the proper precautions, just enabling SELinux will break things in the OS, and will make it unusable (you’d need to release it). However, some companies have very strict security policies, and may require the use of SELinux for all their Linux deployments.

In this tutorial, we’re going to see how it is still possible to activate it while preventing the adverse side effects, provided you follow some specific steps.

Additionally, the commands have been tested on CentOS 7, and need to be executed using a user with root privileges.

SELinux Enablement Steps

There are multiple scenarios when enabling SELinux:

  1. Enabling SELinux on a public image from Alibaba Cloud (CentOS, Ubuntu, etc.)
  2. Enabling SELinux using a custom image, for example imported from an on-premise instance or another cloud provider

In the second scenario, if you want to migrate an image with SELinux enabled from another cloud provider or from VMWare, you’ll first have to make sure to disable SELinux before running the migration tool. For more information on the Cloud Migration Tool, please refer to this page: https://www.alibabacloud.com/help/doc-detail/62349.htm?spm=a2c41.12662941.0.0.3f0a23eajhDR1v

Once migrated, the image is available in your account as a custom image that you can use to create new instances.

In order to properly enable SELinux, first create an instance with the selected image (public or custom).

Next, run the following commands on the instance:

The output will look like this:

In the file, replace SELINUX=disabled by SELINUX=enforcing

You can set SELINUX=permissive if you want to test SELinux while not preventing access to the files (errors will be logged, but access will be granted anyway).

Save and exit the editor.

To be taken into account, the instance must be restarted. However, if nothing else is done, after the restart, things will go wrong: ssh service will not launch properly, preventing the user to connect to the instance. VNC will also not work properly.

In order to make it work, the following commands need to be run BEFORE restarting the instance:

This command creates a file telling SELinux to automatically re-label all the system files with proper values at the next restart.

This command restarts the OS. It can take quite some time as the system has to process many files. A few minutes is usually ok for the re-labelling process to complete.

Once this is done, the ssh service should be able to automatically start and run correctly.

The user can now log in the instance using a tool like PuttY or equivalent.

Once logged in, it is possible to verify that SELinux is activated by running the commands:

It should return either ‘Permissive’ or ‘Enforcing’ depending on which mode you’ve chosen.

Additionally, the following command gives you more status information:

It should show that the SELinux is correctly activated.

Now you have a fully functional Linux OS with SELinux activated.

From here you can create an image from your instance and use it to create instances with SELinux activated by default.

Reference:https://www.alibabacloud.com/blog/selinux-usage-in-alibaba-cloud-ecs_594556?spm=a2c41.12662941.0.0

Written by

Follow me to keep abreast with the latest technology news, industry insights, and developer trends.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store