CentOS 7 AMI on AWS has SELinux enabled
Having configured a working Vagrantfile that could spin up a CentOS 7 image on Digital Ocean and install and configure Ghost + nginx (see cruskit/vagrant-ghost), it should have been a simple matter of adding the AWS Vagrant provider to get the image running on AWS as well...
It was easy enough to add the provider, and provisioning would run without errors, but nginx would return bad gateway errors whenever it tried to proxy to Ghost. The node.js Ghost process reported that it was up and running fine. Trying to connect to the Ghost port (2368) directly, however, didn't play so nicely and wouldn't connect either.
After a bit of troubleshooting, it turned out that the AWS CentOS 7 AMI has SELinux (Security Enhanced Linux) enabled, whereas it is disabled in the Digital Ocean image. SELinux has a preconfigured list of HTTP ports (the http_port_t type) on which it allows connections, and 2368 was not one of these, so the connection was being blocked.
(To be fair, SELinux being enabled is mentioned in the AMI notes, but I missed it...)
So, to make it work it was necessary to add 2368 to the list of allowed http ports. This can be done via semanage using:
semanage port -a -t http_port_t -p tcp 2368
(It would also have been possible to disable SELinux by editing /etc/selinux/config, setting SELINUX=disabled and then rebooting, but building a reboot into a Vagrant provisioning sequence would be a pain, and for a prod box it would be nice to leave SELinux enabled anyway.)
Some simple commands that can help when troubleshooting an issue like this:
Find out whether SELinux is running and its status:
sestatus
Find things that SELinux is impacting (setroubleshoot logs denials here):
grep "SELinux" /var/log/messages
List the configured ports in SELinux:
semanage port -l
produces output (filtered for http) like:
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
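Putting the semanage step and the port listing above together, here is an added example (not from the original post or cruskit/vagrant-ghost) of an idempotent provisioning script that labels the Ghost port only when it is missing and verifies the result afterwards. It assumes CentOS 7 with policycoreutils-python installed (which provides semanage); GHOST_PORT and the function names are assumed names.

```shell
#!/bin/sh
# Added example, not from the original post: an idempotent step for Vagrant's
# shell provisioner that labels the Ghost port http_port_t for SELinux and
# verifies the label took. Assumes CentOS 7 with policycoreutils-python
# installed (it provides semanage); GHOST_PORT and the function names are ours.

GHOST_PORT="${GHOST_PORT:-2368}"

# Read `semanage port -l` output on stdin; return 0 if the tcp port given as
# $1 is already under http_port_t, else 1. Lines look like:
#   http_port_t    tcp    80, 81, 443, 488, 8008, 8009, 8443, 9000
# Entries may also be ranges such as 10001-10010, so those are expanded.
port_is_http_labelled() {
    awk -v want="$1" '
        $1 == "http_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                gsub(",", "", $i)
                n = split($i, r, "-")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (want + 0 >= lo && want + 0 <= hi) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Label the port if needed, then confirm, so a failed semanage call stops
# provisioning instead of leaving nginx with a silent "bad gateway".
ensure_http_port() {
    port="$1"
    if semanage port -l | port_is_http_labelled "$port"; then
        echo "tcp/$port is already http_port_t; nothing to do"
    else
        # -a fails if the port is already bound to some other type;
        # -m then changes the existing definition to http_port_t.
        semanage port -a -t http_port_t -p tcp "$port" \
            || semanage port -m -t http_port_t -p tcp "$port"
    fi
    semanage port -l | port_is_http_labelled "$port" \
        || { echo "tcp/$port still not http_port_t" >&2; return 1; }
}

# Run as `sh ghost-selinux.sh apply` (e.g. from a Vagrant shell provisioner).
if [ "${1:-}" = "apply" ]; then
    ensure_http_port "$GHOST_PORT"
fi
```

Because the check parses `semanage port -l` rather than relying on semanage's exit status, re-running the provisioner is harmless, and the final check makes a typo in the port or a missing semanage package fail loudly.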
If you want further info the following are useful:
- Introduction to SELinux on CentOS7 - 3 part tutorial series by Digital Ocean on how to use it - well worth a read if you are going to leave SELinux on
- http://wiki.centos.org/HowTos/SELinux - the CentOS howto on SELinux (though at the time of writing, this didn't appear to have been updated for CentOS7)