↑ Return to Products and Services

EC2 Ubuntu 17.04 SELinux Enforcing HVM

This Ubunutu 17.04 (code name Zesty) is a minimal server version with SELinux enabled and enforcing, designed to run state-of-the-art applications, stably and securely.  The AMI runs on Ubuntu’s latest 4.10 kernel which includes writeback throttling, encryption in UBIFS, and more.  Perhaps more importantly, this is the only LTS SELinux enabled and enforcing Ubuntu in AWS Marketplace.  It has an ec2-user user context, updated policies and seboolean settings for cron, ssh, sudo and scp.

Minimal policy and seboolean settings means you start with a secure image and loosen, as needed.  It is built as a Hardware Virtualized Machine (HVM), 64 bit operating system.  Apparmor is not a replacement for SELinux.  If you are running Ubuntu in AWS, this AMI delivers unrivaled security to your deployments.

To access ‘root’ user on the command-line:

1)  Assume root login via sudo – e.g. sudo su -

If you have problems with the above command, run this first:

1) As ec2-user, run: sudo setenforce 0; sudo su -

2) If you ran #2 above, as root, run: setenforce 1 as soon as possible to reduce vulnerability.


To create new SELinux policies to support applications and their configurations:

1)  Install your application.  Depending on the parent directory, you may need to be root user to do that. As an example for step #2 below, let the install directory be /usr/local/myapp

2) Though there are other ways to do it, an easy way to add a file context to new files is by restoring file context recursively to the parent directory of the installed application’s base directory, eg:  sudo restorecon -r /usr/local

3) As root user, clear out the audit.log file, e.g. >/var/log/audit/audit.log

4) Using the appropriate user account ID, run your application or process

NOTE: the application should and will likely fail to run since there is no security policy for it.

5)  Assume root user again

6)  Run: sudo grep type=AVC /var/log/audit/audit.log|grep denied|grep -v grep| audit2allow -M newpolicy

NOTE: ‘newpolicy’ is an example policy name. New policy names can be anything, but must be unique (i.e. unused).  The policy file created can be copied and used on any new servers.

7) Run: sudo semodule -i newpolicy.pp

8) Re-run your application with the appropriate account ID.

NOTE: You may need to re-run 3 through 7 repeatedly, until the application fully initializes and remains running. If the application fails to start, all of the application processes and calls may not have been invoked and the audit daemon will not have logged all of the security issues.

NOTE: Some applications may require additional settings using the ‘setsebool’ command.

9) If you don’t run restorecon (#2 above) or it seems to not be working, it may be because you are unsure/unaware of all file paths created from your installation package. You should run: sudo restorecon -r / -OR- sudo touch /.autorelabel and sudo reboot to ensure all new files on the system are relabeled with a proper security context.