Configure SELinux

Security-Enhanced Linux (SELinux) is a security feature for Linux that allows you to set access control through policies. Eucalyptus 4.4 packages automatically install SELinux policy for Eucalyptus on RHEL 7 and CentOS 7.

We recommend enabling SELinux on host systems running Eucalyptus 4.4 services to improve their security on RHEL 7. Enabling SELinux, as described in this topic, can help contain break-ins. For more information, see RedHat SELinux documentation.

You need to set boolean values on Storage Controller (SC) and Management Console host machines. If your network mode is VPCMIDO, you also set a boolean value on the Cloud Controller (CLC) host machines.

To configure SELinux on Eucalyptus 4.4:

  1. On each Storage Controller (SC) host machine, run the following command:
    setsebool -P eucalyptus_storage_controller 1

    This allows Eucalyptus to manage EBS volumes.

  2. On each Management Console host machine, run the following command:
    setsebool -P httpd_can_network_connect 1

    This allows the Management Console's HTTP proxy to access the back end.

    Tip: If you can't access the console after starting it, this KB article might help: Cannot access eucaconsole when SELinux set to enforcing.
  3. If your cloud uses VPCMIDO networking mode, on the Cloud Controller (CLC), run the following command:
    setsebool -P httpd_can_network_connect 1

    This allows the CLC's HTTP proxy to access the back end.

SELinux is now configured and ready to use with your Eucalyptus 4.4 cloud.