SELinux Usage in Alibaba Cloud ECS
By Fabien Loquet, Solutions Architect
Many enterprise are looking for securing as much as possible their infrastructure at all levels. Different mechanisms exists depending on the level that you want to secure: SSL for Internet communications, encryption at rest for storage, authentication at the application layer, and many more. At the OS layer, Linux provides a security mechanism that is built in the kernel, known as SELinux.
It is an advanced access control mechanism developed by the US National Security Agency to protect computer systems from malicious intrusion and tampering. It is now available in the public domain and included in various distributions.
SELinux is often seen as a complex and confusing topic. It can, however, greatly reduce security risks.
On Alibaba Cloud, SElinux is disabled by default on all Elastic Compute Service (ECS) Linux OS public images. As a matter of fact, it is explicitly mentioned not to enable it (https://www.alibabacloud.com/help/doc-detail/25430.htm):?spm=a2c41.12662918.104.22.168f0a23eajhDR1v&file=25430.htm):
The reason behind it is that without the proper precautions, just enabling SELinux will break things in the OS, and will make it unusable (you’d need to release it). However, some companies have very strict security policies, and may require the use of SELinux for all their Linux deployments.
In this tutorial, we’re going to see how it is still possible to activate it while preventing the adverse side effects, provided you follow some specific steps.
Additionally, the commands have been tested on CentOS 7, and need to be executed using a user with root privileges.
SELinux Enablement Steps
There are multiple scenarios when enabling SELinux:
- Enabling SELinux on a public image from Alibaba Cloud (CentOS, Ubuntu, etc.)
- Enabling SELinux using a custom image, for example imported from an on-premise instance or another cloud provider
In the second scenario, if you want to migrate an image with SELinux enabled from another cloud provider or from VMWare, you’ll first have to make sure to disable SELinux before running the migration tool. For more information on the Cloud Migration Tool, please refer to this page: https://www.alibabacloud.com/help/doc-detail/62349.htm?spm=a2c41.12662922.214.171.124f0a23eajhDR1v
Once migrated, the image is available in your account as a custom image that you can use to create new instances.
In order to properly enable SELinux, first create an instance with the selected image (public or custom).
Next, run the following commands on the instance:
[root@iZgw8ewbsczw0lh3yt7is5Z ~]# vi /etc/selinux/config
The output will look like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
In the file, replace
You can set
SELINUX=permissive if you want to test SELinux while not preventing access to the files (errors will be logged, but access will be granted anyway).
Save and exit the editor.
To be taken into account, the instance must be restarted. However, if nothing else is done, after the restart, things will go wrong: ssh service will not launch properly, preventing the user to connect to the instance. VNC will also not work properly.
In order to make it work, the following commands need to be run BEFORE restarting the instance:
[root@iZgw8ewbsczw0lh3yt7is5Z ~]# touch ./autorelabel
This command creates a file telling SELinux to automatically re-label all the system files with proper values at the next restart.
[root@iZgw8ewbsczw0lh3yt7is5Z ~]# shutdown -r now
This command restarts the OS. It can take quite some time as the system has to process many files. A few minutes is usually ok for the re-labelling process to complete.
Once this is done, the ssh service should be able to automatically start and run correctly.
The user can now log in the instance using a tool like PuttY or equivalent.
Once logged in, it is possible to verify that SELinux is activated by running the commands:
[root@iZgw8ewbsczw0lh3yt7is5Z ~]# getenforce
It should return either ‘Permissive’ or ‘Enforcing’ depending on which mode you’ve chosen.
Additionally, the following command gives you more status information:
[root@iZgw8ewbsczw0lh3yt7is5Z ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
It should show that the SELinux is correctly activated.
Now you have a fully functional Linux OS with SELinux activated.
From here you can create an image from your instance and use it to create instances with SELinux activated by default.