SELinux support and updated CentOS 5.8 images
Much of the Linux community is familiar with the SELinux project, which describes itself as “a security enhancement to Linux which allows users and administrators more control over access control.”
In contrast with the built-in Linux permission model, which controls files with little more than "read, write and execute" bits for owner, group and others, SELinux lets administrators define fine-grained, policy-driven rules for resources. Those resources are not limited to files: the same policy governs processes, network ports and sockets, interprocess communication and more.
SELinux support is typically either built into a distribution, such as Fedora, Red Hat Enterprise Linux and CentOS, or it can be added via packages, in the case of Ubuntu and other distributions.
When using SELinux, there are three basic modes in which it operates:
- Disabled: no policy is loaded and files carry no security labels (the installer default in some distributions; others do not ship SELinux at all)
- Permissive: the policy is loaded and every violation is logged as an AVC denial in the audit log, but nothing is actually blocked
- Enforcing: the highest level of security; the policy is enforced, so denied operations fail and are logged
At Rackspace, we want to provide our customers with the highest level of security possible while maintaining compatibility and avoiding pain across the broad range of customers using our services. Enforcing mode offers the highest level of security out of the box, but it can also be confusing for new users and break certain deployments. In addition, we want our base Linux images to match the distribution defaults as much as possible.
To that end, we have decided to enable SELinux in Rackspace images using the following formula:
In short, we use the distro default unless that default is Enforcing mode, in which case we configure the image for Permissive mode. We believe this approach will let users get acquainted with SELinux's security features without the risk of breaking existing functionality. For those who wish to move from Permissive to Enforcing mode, the Fedora Project (as well as most distributions) has excellent tutorials like this one. Of course, if you are a Managed Cloud customer, you can always contact us and we'd be more than happy to help you configure SELinux.
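The modes listed above and the Permissive-to-Enforcing move both come down to one line in `/etc/selinux/config` plus a look at the audit log, so here is an added example (not Rackspace tooling, and not from any distribution) of that procedure as shell functions. It works on a constructed copy of the config file and a constructed audit log so it runs offline; the config layout and the AVC line format are assumptions modelled on the stock RHEL/CentOS files. On a real server you would point `CONF` at `/etc/selinux/config`, run as root, and compare the result with `getenforce`, since `setenforce 0`/`setenforce 1` changes the live mode until the next boot without touching the file.

```shell
#!/bin/sh
# Added example: inspect and change the boot-time SELinux mode, and check the
# audit log for denials before switching from permissive to enforcing.

# Constructed sample config (assumption: same layout as RHEL/CentOS ships).
make_sample_config() {
  cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
SELINUXTYPE=targeted
EOF
}

# Constructed sample audit log: two AVC denials and one unrelated record.
make_sample_audit_log() {
  cat > "$1" <<'EOF'
type=AVC msg=audit(1349112000.101:200): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev=xvda1 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1349112000.101:200): arch=c000003e syscall=2 success=yes exit=4
type=AVC msg=audit(1349112005.337:203): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF
}

# Print the configured (boot-time) mode: enforcing, permissive or disabled.
configured_mode() {
  sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite the SELINUX= line. Only the three valid values are accepted, because
# a typo here leaves the machine in an unexpected state at the next boot.
# Moving away from "disabled" also needs a full relabel (touch /.autorelabel),
# since no labels were written while SELinux was off.
set_configured_mode() {
  conf=$1; mode=$2
  case $mode in
    enforcing|permissive|disabled) ;;
    *) echo "invalid mode: $mode" >&2; return 1 ;;
  esac
  old=$(configured_mode "$conf")
  if [ "$old" = disabled ] && [ "$mode" != disabled ]; then
    echo "note: leaving disabled mode requires a filesystem relabel" >&2
  fi
  tmp="$conf.tmp"
  sed "s/^SELINUX=.*/SELINUX=$mode/" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Count AVC denials. In permissive mode every denial is logged but allowed;
# a count that stays at zero while your workload runs is the signal that
# switching to enforcing will not break it.
count_denials() {
  grep -c 'type=AVC .*avc:.*denied' "$1" || true
}

# Refuse to move to enforcing while the log still shows denials.
promote_to_enforcing() {
  conf=$1; log=$2
  n=$(count_denials "$log")
  if [ "$n" -ne 0 ]; then
    echo "refusing: $n denial(s) in $log; fix policy/labels first" >&2
    return 1
  fi
  set_configured_mode "$conf" enforcing
}

# Stand-alone demo on temporary files.
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir/config"
make_sample_audit_log "$demo_dir/audit.log"
echo "configured mode: $(configured_mode "$demo_dir/config")"
echo "denials logged:  $(count_denials "$demo_dir/audit.log")"
promote_to_enforcing "$demo_dir/config" "$demo_dir/audit.log" || true
rm -rf "$demo_dir"
```

On a live system the denial check is usually done with `ausearch -m avc -ts recent` rather than grep, and the fix for each denial is either a label correction (`restorecon`) or a local policy module, not a switch back to permissive.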
Following the above approach, we have re-released CentOS 5.8, the first image with SELinux enabled (in Permissive mode). You’ll find the updated image in both first and next generation Cloud Servers, ready for your use today.
In the coming weeks, we will be updating our other Linux distributions to conform to our SELinux guidelines. These images are:
- Fedora 17 and 16
- Red Hat Enterprise Linux 6.x and 5.x
- CentOS 6.x and 5.x
We plan to stagger updates to the images over the coming months and will have the changes in both first and next generation Cloud Servers completed no later than November 30th. All new versions of Linux images going forward will also follow these SELinux guidelines.
Stay tuned to the blog and Control Panel for updates.
Arch Linux 2012.08, Gentoo 12.3
We’ve received a lot of feedback and suggestions about our Arch Linux and Gentoo offerings, and in response we’ve updated both of these distributions in first and next generation Cloud Servers. Effective immediately, Arch Linux 2012.08 and Gentoo 12.3 are now available.