    CloudatCost Doesn't Fully Support CentOS SELinux

    • scottalanmillerS
      scottalanmiller
      last edited by

      This also brings up a more minor issue... why is SELinux installed if it must be left untouched? Best practices are to have it enabled. This means that just following elementary best practices causes instability.

      • ?
        A Former User @scottalanmiller
        last edited by

        @scottalanmiller said:

        why is SELinux installed if it must be left untouched?

        I think their image sets it to permissive by default.

        • scottalanmillerS
          scottalanmiller @A Former User
          last edited by

          @thecreativeone91 said:

          @scottalanmiller said:

          why is SELinux installed if it must be left untouched?

          I think their image sets it to permissive by default.

          It must or there would be a disaster. But even so, anyone using things like Chef or Puppet, just following best practices, scripting administration, etc. would automatically turn it on.

          • scottalanmillerS
            scottalanmiller
            last edited by

            I've noticed FirewallD turned off by default too.

            • ?
              A Former User @scottalanmiller
              last edited by

              @scottalanmiller said:

              I've noticed FirewallD turned off by default too.

              Same.

              • scottalanmillerS
                scottalanmiller
                last edited by scottalanmiller

                Looking at SELinux on our machines, it seems to be on everywhere. I think maybe that engineer was just making things up?

                    cc-lnx-jump
                    SELinux status:                 enabled
                    SELinuxfs mount:                /sys/fs/selinux
                    SELinux root directory:         /etc/selinux
                    Loaded policy name:             targeted
                    Current mode:                   enforcing
                    Mode from config file:          enforcing
                    Policy MLS status:              enabled
                    Policy deny_unknown status:     allowed
                    Max kernel policy version:      28
                
                    cc-lnx-dev1
                    SELinux status:                 enabled
                    SELinuxfs mount:                /sys/fs/selinux
                    SELinux root directory:         /etc/selinux
                    Loaded policy name:             targeted
                    Current mode:                   enforcing
                    Mode from config file:          enforcing
                    Policy MLS status:              enabled
                    Policy deny_unknown status:     allowed
                    Max kernel policy version:      28
                
                    cc-lnx-rh7lab
                    SELinux status:                 enabled
                    SELinuxfs mount:                /sys/fs/selinux
                    SELinux root directory:         /etc/selinux
                    Loaded policy name:             targeted
                    Current mode:                   enforcing
                    Mode from config file:          enforcing
                    Policy MLS status:              enabled
                    Policy deny_unknown status:     allowed
                    Max kernel policy version:      28
                     
                    cc-lnx-rh6lab
                    SELinux status:                 enabled
                    SELinuxfs mount:                /selinux
                    Current mode:                   enforcing
                    Mode from config file:          enforcing
                    Policy version:                 24
                    Policy from config file:        targeted
                
                    cc-lnx-dblab1
                    SELinux status:                 enabled
                    SELinuxfs mount:                /sys/fs/selinux
                    SELinux root directory:         /etc/selinux
                    Loaded policy name:             targeted
                    Current mode:                   enforcing
                    Mode from config file:          enforcing
                    Policy MLS status:              enabled
                    Policy deny_unknown status:     allowed
                    Max kernel policy version:      28
                
                    cc-lnx-dblab2
                    SELinux status:                 enabled
                    SELinuxfs mount:                /sys/fs/selinux
                    SELinux root directory:         /etc/selinux
                    Loaded policy name:             targeted
                    Current mode:                   enforcing
                    Mode from config file:          enforcing
                    Policy MLS status:              enabled
                    Policy deny_unknown status:     allowed
                    Max kernel policy version:      28
                
                    cc-lnx-dblab3
                    SELinux status:                 enabled
                    SELinuxfs mount:                /sys/fs/selinux
                    SELinux root directory:         /etc/selinux
                    Loaded policy name:             targeted
                    Current mode:                   enforcing
                    Mode from config file:          enforcing
                    Policy MLS status:              enabled
                    Policy deny_unknown status:     allowed
                    Max kernel policy version:      28
                
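Added example, not part of the original post: one way to audit pasted `sestatus` output like the above across several hosts, flagging any host that is not enforcing or whose running mode differs from its config file (the permissive-image case raised earlier in the thread). The host names and sample output are constructed, and `audit_sestatus` is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example: audit captured `sestatus` output for several hosts.
# Expected input: a hostname line, then that host's "Key:   value" lines,
# in either the EL6 or the EL7 layout shown in the post above.
# audit_sestatus is a hypothetical helper name.

audit_sestatus() {
  awk '
    function report() {
      if (host == "") return
      if (status != "enabled")     verdict = "FAIL status=" (status == "" ? "unknown" : status)
      else if (cur != "enforcing") verdict = "FAIL running=" cur
      else if (cfg != cur)         verdict = "WARN config=" cfg " (applies at next boot)"
      else                         verdict = "OK"
      printf "%s: %s policy=%s\n", host, verdict, (policy == "" ? "unknown" : policy)
    }
    /^[[:space:]]*$/ { next }      # skip blank separators
    !/:/ { report(); host = $1; status = cur = cfg = policy = ""; next }
    {
      key = $0; sub(/:.*/, "", key); sub(/^[[:space:]]+/, "", key)
      val = $0; sub(/^[^:]*:[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
      if (key == "SELinux status")             status = val
      else if (key == "Current mode")          cur = val
      else if (key == "Mode from config file") cfg = val
      else if (key == "Loaded policy name" || key == "Policy from config file") policy = val
    }
    END { report() }
  '
}

# Constructed sample input (not the hosts from the thread).
SAMPLE_SESTATUS='host-a
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing

host-b
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          permissive
Policy from config file:        targeted

host-c
SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing

host-d
SELinux status:                 disabled'

printf '%s\n' "$SAMPLE_SESTATUS" | audit_sestatus
```

On a live fleet the same function can be fed from whatever collects `sestatus` per host, as long as each host's output is preceded by a line carrying its name.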
                • MattSpellerM
                  MattSpeller
                  last edited by

                  For we who are linux noobs, can you give maybe a short TL;DR of the problem?

                  • ?
                    A Former User @scottalanmiller
                    last edited by

                    @scottalanmiller said:

                    Looking at SELinux on our machines, it seems to be on everywhere. I think maybe that engineer was just making things up?

                    Maybe it's possible. It's not even the same guy that was responding to the case before.

                    • scottalanmillerS
                      scottalanmiller @MattSpeller
                      last edited by

                      @MattSpeller said:

                      For we who are linux noobs, can you give maybe a short TL;DR of the problem?

                      His system couldn't reboot. They claimed that the reason was that a major security feature had to be disabled. SELinux is a level of security that Windows doesn't really have. It's policy security.

                      • gcamachoG
                        gcamacho
                        last edited by

                        I am a Co-Founder of CloudAtCost.
                        This might be misread and I think the support person was trying to say that they don't support the configuration of SELinux and that they are responsible for the operation of the server from a hardware level and any changes you perform in your guest OS is up to you to maintain.

                        • scottalanmillerS
                          scottalanmiller @gcamacho
                          last edited by

                          @gcamacho said:

                          I am a Co-Founder of CloudAtCost.
                          This might be misread and I think the support person was trying to say that they don't support the configuration of SELinux and that they are responsible for the operation of the server from a hardware level and any changes you perform in your guest OS is up to you to maintain.

                          That would make sense, obviously if using SELinux and you disable your own server, that's your problem. I'll find a link to the thread. It was @thecreativeone91 that had the direct contact with the support person.

                          • ?
                            A Former User
                            last edited by

                            Yeah. I guess it's more of a We don't support this configuration but this is what I (but he said we) recommend in order to not have boot issues.

                            • scottalanmillerS
                              scottalanmiller @A Former User
                              last edited by

                              @thecreativeone91 said:

                              Yeah. I guess it's more of a We don't support this configuration but this is what I (but he said we) recommend in order to not have boot issues.

                              I've been on SELinux for a long time, have never seen a boot issue from it. Was anything changed to cause this? Did you ever come up with the underlying problem?

                              • ?
                                A Former User @scottalanmiller
                                last edited by

                                @scottalanmiller said:

                                @thecreativeone91 said:

                                Yeah. I guess it's more of a We don't support this configuration but this is what I (but he said we) recommend in order to not have boot issues.

                                I've been on SELinux for a long time, have never seen a boot issue from it. Was anything changed to cause this? Did you ever come up with the underlying problem?

                                Nope. I was just told I would have to re-image it.

                                • scottalanmillerS
                                  scottalanmiller @A Former User
                                  last edited by

                                  @thecreativeone91 said:

                                  @scottalanmiller said:

                                  @thecreativeone91 said:

                                  Yeah. I guess it's more of a We don't support this configuration but this is what I (but he said we) recommend in order to not have boot issues.

                                  I've been on SELinux for a long time, have never seen a boot issue from it. Was anything changed to cause this? Did you ever come up with the underlying problem?

                                  Nope. I was just told I would have to re-image it.

                                  Oh, that really sucks. Do you have any idea what occurred prior to having it fail that could have led to the issue? Leaving it with "oh, it just didn't work" sucks because sure, it might be your fault, but it could easily be theirs too. No way to know what happened. No way to go back to the last image and see what the state was.

                                  • ?
                                    A Former User @scottalanmiller
                                    last edited by

                                    @scottalanmiller said:

                                    @thecreativeone91 said:

                                    @scottalanmiller said:

                                    @thecreativeone91 said:

                                    Yeah. I guess it's more of a We don't support this configuration but this is what I (but he said we) recommend in order to not have boot issues.

                                    I've been on SELinux for a long time, have never seen a boot issue from it. Was anything changed to cause this? Did you ever come up with the underlying problem?

                                    Nope. I was just told I would have to re-image it.

                                    Oh, that really sucks. Do you have any idea what occurred prior to having it fail that could have led to the issue? Leaving it with "oh, it just didn't work" sucks because sure, it might be your fault, but it could easily be theirs too. No way to know what happened. No way to go back to the last image and see what the state was.

                                    Yeah I have no idea. Last thing I did was upload some Concrete 5 files via SCP which kept failing. Rebooted because of the problems and it came up to this.

                                    • ?
                                      A Former User
                                      last edited by

                                      Snapshots would be really nice.

                                      • ?
                                        A Former User
                                        last edited by

                                        They sent this update

                                        To further clarify as I believe the meaning may have been lost in my phrasing (I apologize), the error you're receiving on boot indicates that SELinux was for some reason disabled improperly (i.e. not with the config files) -- if the kernel looks for SELinux but it is gone, it will cause kernel or init halts, or even full-blown kernel panics.

                                        Not sure how it would get disabled or changed without using the config files?

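The state described in the support update, SELinux expected at boot while its policy is missing, can be checked for before a reboot. This is an added example, not from the thread or from CloudAtCost; it assumes the standard layout (`SELINUX` and `SELINUXTYPE` in `/etc/selinux/config`, compiled policy under `/etc/selinux/<type>/policy/`), and `check_selinux_boot` with its `root` argument is a hypothetical helper.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): before rebooting, check that the
# SELinux boot configuration is consistent with what is on disk.
# check_selinux_boot and its root argument are hypothetical names; root lets
# the check target a mounted rescue image or a constructed test tree.

check_selinux_boot() {
  local root="${1:-}" cfg mode ptype rc=0
  cfg="$root/etc/selinux/config"
  if [ ! -r "$cfg" ]; then
    echo "FAIL: $cfg missing or unreadable"
    return 2
  fi
  # Commented lines do not match; take the first assignment of each key.
  mode="$(sed -n 's/^[[:space:]]*SELINUX=//p' "$cfg" | head -n 1 | tr -d '[:space:]')"
  ptype="$(sed -n 's/^[[:space:]]*SELINUXTYPE=//p' "$cfg" | head -n 1 | tr -d '[:space:]')"
  case "$mode" in
    enforcing|permissive|disabled) echo "ok: SELINUX=$mode" ;;
    *) echo "FAIL: SELINUX='$mode' is not enforcing, permissive or disabled"; rc=1 ;;
  esac
  # Unless SELinux is disabled in the config file, a compiled policy for
  # SELINUXTYPE must exist for the boot-time policy load to succeed.
  if [ "$mode" != "disabled" ]; then
    if ls "$root/etc/selinux/$ptype/policy/policy."* >/dev/null 2>&1; then
      echo "ok: compiled policy found for SELINUXTYPE=$ptype"
    else
      echo "FAIL: no compiled policy for SELINUXTYPE='$ptype' under $root/etc/selinux"
      rc=1
    fi
  fi
  return "$rc"
}

# Constructed tree: the config file says enforcing, but the policy store is gone.
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/etc/selinux"
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_root/etc/selinux/config"
check_selinux_boot "$demo_root" || echo "=> do not reboot until this is fixed"
rm -rf "$demo_root"
```

The check also fails when `SELINUXTYPE` names a policy that is not installed, for example when a mode such as `disabled` was written to the wrong key.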