CloudatCost Doesn't Fully Support CentOS SELinux
-
In another thread it was reported that CentOS' security system, SELinux, must be set to permissive (off) in order for CentOS to remain stable on CloudatCost. This is obviously not good at all. Can this be true @charlie @AmanBhogal ? This is a major stability and security flaw.
What is being done to address this significant issue?
-
This also brings up a more minor issue... why is SELinux installed if it must be left untouched? Best practices are to have it enabled. This means that just following elementary best practices causes instability.
-
@scottalanmiller said:
why is SELinux installed if it must be left untouched?
I think their image set's it to permissive by default.
-
@thecreativeone91 said:
@scottalanmiller said:
why is SELinux installed if it must be left untouched?
I think their image set's it to permissive by default.
It must or there would be a disaster. But even so, anyone using things like Chef or Puppet, just following best practices, scripting administration, etc. would automatically turn it on.
-
I've noticed FirewallD turned off by default too.
-
-
Looking at SELinux on our machines, it seems to be on everywhere. I think maybe that engineer was just making things up?
cc-lnx-jump SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 cc-lnx-dev1 SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 cc-lnx-rh7lab SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 cc-lnx-rh6lab SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted cc-lnx-dblab1 SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 cc-lnx-dblab2 SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 cc-lnx-dblab3 SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 -
For we who are linux noobs, can you give maybe a short TL;DR of the problem?
-
@scottalanmiller said:
Looking at SELinux on our machines, it seems to be on everywhere. I think maybe that engineer was just making things up?
cc-lnx-jump SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 cc-lnx-dev1 SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 cc-lnx-rh7lab SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 cc-lnx-rh6lab SELinux status: enabled SELinuxfs mount: /selinux Current mode: enforcing Mode from config file: enforcing Policy version: 24 Policy from config file: targeted cc-lnx-dblab1 SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 cc-lnx-dblab2 SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 cc-lnx-dblab3 SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28Maybe it's possible. It's not even the same guy that was responding to the case before.
-
@MattSpeller said:
For we who are linux noobs, can you give maybe a short TL;DR of the problem?
His system couldn't reboot. They claimed that the reason was that a major security feature had to be disabled. SELinux is a level of security that Windows doesn't really have. It's policy security.
-
I am a Co-Founder of CloudAtCost.
This might be misread and I think the support person was trying to say that they don't support the configuration of SELinux and that they are responsible for the operation of the server from a hardware level and any changes you perform in your guest OS us up to the you to maintain. -
@gcamacho said:
I am a Co-Founder of CloudAtCost.
This might be misread and I think the support person was trying to say that they don't support the configuration of SELinux and that they are responsible for the operation of the server from a hardware level and any changes you perform in your guest OS us up to the you to maintain.That would make sense, obviously if using SELinux and you disable your own server, that's your problem. I'll find a link to the thread. It was @thecreativeone91 that had the direct contact with the support person.
-
Yeah. I guess it's more of a We don't support this configuration but this is what I (but he said we) recommend in order to not have boot issues.
-
@thecreativeone91 said:
Yeah. I guess it's more of a We don't support this configuration but this is what I (but he said we) recommend in order to not have boot issues.
I've been on SELinux for a long time, have never seen a boot issue from it. Was anything changed to cause this? Did you ever come up with the underlying problem?
-
@scottalanmiller said:
@thecreativeone91 said:
Yeah. I guess it's more of a We don't support this configuration but this is what I (but he said we) recommend in order to not have boot issues.
I've been on SELinux for a long time, have never seen a boot issue from it. Was anything changed to cause this? Did you ever come up with the underlying problem?
Nope. I was just told I would have to re-image it.
-
@thecreativeone91 said:
@scottalanmiller said:
@thecreativeone91 said:
Yeah. I guess it's more of a We don't support this configuration but this is what I (but he said we) recommend in order to not have boot issues.
I've been on SELinux for a long time, have never seen a boot issue from it. Was anything changed to cause this? Did you ever come up with the underlying problem?
Nope. I was just told I would have to re-image it.
Oh, that really sucks. Do you have any idea what occurred prior to having it fail that could have lead to the issue? Leaving it with "oh, it just didn't work" sucks because sure, it might be your fault, but it could easily be theirs too. No way to know what happened. No way to go back to the last image and see what the state ways.
-
@scottalanmiller said:
@thecreativeone91 said:
@scottalanmiller said:
@thecreativeone91 said:
Yeah. I guess it's more of a We don't support this configuration but this is what I (but he said we) recommend in order to not have boot issues.
I've been on SELinux for a long time, have never seen a boot issue from it. Was anything changed to cause this? Did you ever come up with the underlying problem?
Nope. I was just told I would have to re-image it.
Oh, that really sucks. Do you have any idea what occurred prior to having it fail that could have lead to the issue? Leaving it with "oh, it just didn't work" sucks because sure, it might be your fault, but it could easily be theirs too. No way to know what happened. No way to go back to the last image and see what the state ways.
Yeah I have no idea. Last thing I did was upload some Concrete 5 files via SCP which kept failing. Rebooted because of the problems and it came up to this.
-
Snap shots would be really nice.
-
They sent this update
To further clarify as I believe the meaning may have been lost in my phrasing (I apologize), the error you're receiving on boot indicates that SELinux was for some reason disable improperly (ie. not with the config files -- If the kernel looks for SELinux but it is gone, it will cause kernel or init halts, or even full-blown kernel panics.
Not sure how it would get disabled or changed without using the config files?
