SELinux And Other Linux Image Updates

SELinux support and updated CentOS 5.8 images
Much of the Linux community is familiar with the SELinux project, which describes itself as “a security enhancement to Linux which allows users and administrators more control over access control.”

In contrast with the built-in Linux permissions models for files, which are typically “read, write and execute,” SELinux allows for fine-grained policies to be defined for resources. Those resources are not limited to files, but also to network processes, interprocess communications and more.

SELinux support is typically either built into a distribution, such as Fedora, Red Hat Enterprise Linux and CentOS, or it can be added via packages, in the case of Ubuntu and other distributions.

When using SELinux, there are three basic modes in which it operates:

  • Off: Not enabled (or not included by default in distribution)
  • Permissive: Logs security concerns/violations but doesn’t enforce any rules
  • Enforced: Highest level of security, enforces all policies

At Rackspace, we want to provide our customers with the highest level of security possible, while maintaining as much compatibility and preventing user pain across the broad range of customers using our services.  While the Enforced mode offers the highest level of security out of the box, it can also be confusing for new users and cause problems for certain deployments. In addition, we want our base Linux images to be the distro defaults as much as possible.

To that end, we have decided to enable SELinux in Rackspace images using the following formula:

In short, we use the distro default unless the default is Enforced mode, in which case we will configure the image for Permissive mode. We believe this approach will allow users to get more acquainted with the security features of SELinux without the risk of breaking any existing functionality. For those who wish to move from Permissive to Enforce mode, the Fedora Project (as well as most distributions) have excellent tutorials like this one. Of course, if you are a Managed Cloud customer, you can always contact us and we’d be more than happy to help you through configuring SELinux.

Following the above approach, we have re-released CentOS 5.8, the first image with SELinux enabled (in Permissive mode).  You’ll find the updated image in both first and next generation Cloud Servers, ready for your use today.

In the coming weeks, we will be updating our other Linux distributions to conform to our SELinux guidelines.  These images are:

  • Fedora 17 and 16
  • Red Hat Enterprise Linux 6.x and 5.x
  • CentOS 6.x and 5.x

We plan to stagger updates to the images over the coming months and will have the changes in both first and next generation Cloud Servers completed no later than November 30th.  All new versions of Linux images going forward will also follow these SELinux guidelines.

Stay tuned to the blog and Control Panel for updates.

Arch Linux 2012.08, Gentoo 12.3
We’ve received a lot of feedback and suggestions about our Arch Linux and Gentoo offerings, and in response we’ve updated both of these distributions in first and next generation Cloud Servers. Effective immediately, Arch Linux 2012.08 and Gentoo 12.3 are now available.

Richard Goodwin joined Rackspace as a Product Manager in June 2012, focusing on images and the OpenStack Glance project in the Cloud Compute team. Before joining Rackspace, he helped manage and launch a series of online services, including online backup, in the group at Symantec Corp. He has a long history in both web services and storage technologies, with almost a decade each at Symantec and Dell Inc. serving enterprise and SMB customers.


  1. I just booted CentOS 6.5 and it has SELinux turned off while CentOS definitely has this enabled. Did something change?


Please enter your comment!
Please enter your name here