By Fabien Loquet, Solutions Architect
Many enterprise are looking for securing as much as possible their infrastructure at all levels. Different mechanisms exists depending on the level that you want to secure: SSL for Internet communications, encryption at rest for storage, authentication at the application layer, and many more. At the OS layer, Linux provides a security mechanism that is built in the kernel, known as SELinux.
It is an advanced access control mechanism developed by the US National Security Agency to protect computer systems from malicious intrusion and tampering. It is now available in the public domain and included in various distributions.
SELinux is often seen as a complex and confusing topic. It can, however, greatly reduce security risks.
On Alibaba Cloud, SElinux is disabled by default on all Elastic Compute Service (ECS) Linux OS public images. As a matter of fact, it is explicitly mentioned not to enable it (https://www.alibabacloud.com/help/doc-detail/25430.htm ):
The reason behind it is that without the proper precautions, just enabling SELinux will break things in the OS, and will make it unusable (you'd need to release it). However, some companies have very strict security policies, and may require the use of SELinux for all their Linux deployments.
In this tutorial, we're going to see how it is still possible to activate it while preventing the adverse side effects, provided you follow some specific steps.
Additionally, the commands have been tested on CentOS 7, and need to be executed using a user with root privileges.
There are multiple scenarios when enabling SELinux:
In the second scenario, if you want to migrate an image with SELinux enabled from another cloud provider or from VMWare, you'll first have to make sure to disable SELinux before running the migration tool. For more information on the Cloud Migration Tool, please refer to this page: https://www.alibabacloud.com/help/doc-detail/62349.htm
Once migrated, the image is available in your account as a custom image that you can use to create new instances.
In order to properly enable SELinux, first create an instance with the selected image (public or custom).
Next, run the following commands on the instance:
[root@iZgw8ewbsczw0lh3yt7is5Z ~]# vi /etc/selinux/config
The output will look like this:
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted
In the file, replace
You can set
SELINUX=permissive if you want to test SELinux while not preventing access to the files (errors will be logged, but access will be granted anyway).
Save and exit the editor.
To be taken into account, the instance must be restarted. However, if nothing else is done, after the restart, things will go wrong: ssh service will not launch properly, preventing the user to connect to the instance. VNC will also not work properly.
In order to make it work, the following commands need to be run BEFORE restarting the instance:
[root@iZgw8ewbsczw0lh3yt7is5Z ~]# touch ./autorelabel
This command creates a file telling SELinux to automatically re-label all the system files with proper values at the next restart.
[root@iZgw8ewbsczw0lh3yt7is5Z ~]# shutdown -r now
This command restarts the OS. It can take quite some time as the system has to process many files. A few minutes is usually ok for the re-labelling process to complete.
Once this is done, the ssh service should be able to automatically start and run correctly.
The user can now log in the instance using a tool like PuttY or equivalent.
Once logged in, it is possible to verify that SELinux is activated by running the commands:
[root@iZgw8ewbsczw0lh3yt7is5Z ~]# getenforce
It should return either 'Permissive' or 'Enforcing' depending on which mode you've chosen.
Additionally, the following command gives you more status information:
[root@iZgw8ewbsczw0lh3yt7is5Z ~]# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 31
It should show that the SELinux is correctly activated.
Now you have a fully functional Linux OS with SELinux activated.
From here you can create an image from your instance and use it to create instances with SELinux activated by default.
Alibaba Clouder - June 13, 2019
Alibaba Clouder - November 13, 2018
Alex - June 21, 2019
Alibaba Clouder - May 21, 2018
Alibaba Clouder - April 27, 2018
Hiteshjethva - January 8, 2020
An online computing service that offers elastic and secure virtual cloud servers to cater all your cloud hosting needs.Learn More
Alibaba Cloud SSL Certificates Service allows customers to directly apply, purchase and manage SSL certificates.Learn More
A cloud firewall service utilizing big data capabilities to protect against web-based attacksLearn More
More Posts by Alibaba Clouder