
Comments (12)

LordAlfredo commented on July 22, 2024 (4)

I should clarify: while this policy serves as a good reference, we are not currently working on including the SELinux policy in the package itself. There are broader implications to consider about changing the sshd security policy (particularly granting it curl and ssh-keygen access).

That said, RHEL support is high on our radar and we are evaluating our options for support.

from aws-ec2-instance-connect-config.

LordAlfredo commented on July 22, 2024 (3)

Aha! Did a bit of digging with audit.log and found the issue. On EL8 the ssh-keygen invocation was failing on map permission - adding it to the file type and the ssh_keygen_exec_t:file domain got things working.


wunderhund commented on July 22, 2024 (2)

Also just ran into this on Amazon Linux 2 while testing a CIS-benchmarked image. Thanks @n0coast for posting a comment with that error message, I don't know how long it would've taken me to find this otherwise!


ferricoxide commented on July 22, 2024 (2)

Finally got tasked to create our RHEL8 and CentOS8 AMIs for a couple of our customers. So, need to revisit the status of this. I can bake creation of policies into our AMI-generation process …but would be so much easier if the packaging of InstanceConnect just included things.

Any anticipated timeframe, yet, for sorting the SELinux policies out and including them in the RPM?


n0coast commented on July 22, 2024 (1)

I've run into this on Amazon Linux 2 as well: with SELinux enabled, Instance Connect fails; with the definition @ferricoxide provided at the top of the thread applied, Instance Connect works again.

For the moment I can bake this into my AMIs, but it'd be great if this was just included with the rpm, or at least noted in documentation.

As a side note, the only indication of this issue is a message in /var/log/secure: sshd[4287]: error: AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys ec2-user SHA256:...... failed, status 7

As of early November '19 if you are running this on AZ2 you'll need to systemctl enable rhel-autorelabel (which is owned by the initscripts rpm).


LordAlfredo commented on July 22, 2024

Hm, in testing I noticed that when sshd invoked the AuthorizedKeysCommand, the fingerprint calculation was now returning an empty string. Removing the cut (i.e., so there was no piping) caused the set -e to capture an exit status 139 from ssh-keygen. Manually invoking the command and/or switching sshd_t's domain to permissive let it succeed, so it's definitely a missing allow somewhere.

I can say for certain it's not on ssh_keygen_t/ssh_keygen_exec_t's domains - flipping those to permissive doesn't change behavior at all.

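The masking LordAlfredo describes above (an empty fingerprint with the pipe in place, a visible status 139 without it) comes down to how a shell scores a pipeline: without pipefail, the pipeline's status is the last command's, so set -e never sees ssh-keygen die. This is an added example, not code from the aws-ec2-instance-connect-config project; bad_ssh_keygen and good_ssh_keygen are constructed stand-ins for the ssh-keygen fingerprint call, and the cut field is an assumption about the script's output format.

```shell
#!/bin/sh
# Constructed stand-ins for the ssh-keygen invocation (not the real tool):
# good_ssh_keygen prints an `ssh-keygen -l`-style line with a made-up
# fingerprint; bad_ssh_keygen dies with status 139, as seen in the thread
# once SELinux denied it.
good_ssh_keygen() { echo '2048 SHA256:CONSTRUCTEDFINGERPRINT ec2-user (RSA)'; }
bad_ssh_keygen()  { return 139; }

# 1) The pipeline as written. cut runs last and exits 0, so the pipeline's
#    status is 0: set -e does not trip and the caller receives "".
masked_status() {
    bad_ssh_keygen | cut -d ' ' -f 2 >/dev/null
    echo $?
}
masked_fingerprint() {
    bad_ssh_keygen | cut -d ' ' -f 2
}

# 2) Same pipeline with `set -o pipefail` (bash/ksh; prints "unsupported" on
#    shells without it): the 139 from the left-hand side now propagates.
pipefail_status() {
    if ! (set -o pipefail) 2>/dev/null; then
        echo unsupported
        return 0
    fi
    st=0
    ( set -o pipefail; bad_ssh_keygen | cut -d ' ' -f 2 >/dev/null ) || st=$?
    echo "$st"
}

# 3) Portable fix: capture the keygen output on its own, check its status
#    before post-processing, and pass ssh-keygen's real status to the caller
#    (and therefore to set -e) when it fails.  $1 names the keygen command.
checked_fingerprint() {
    raw=$("$1") || return $?
    printf '%s\n' "$raw" | cut -d ' ' -f 2
}
```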

ferricoxide commented on July 22, 2024

K. I'll dig back through. Those were the ones that were creating AVCs on my CentOS 7.6 with this week's patches applied.


LordAlfredo commented on July 22, 2024

Might be sufficient on the 7's then; I was testing on a fresh RHEL8 instance. I'd prefer if we can figure out a single sufficient entry rather than needing to split things more.


ferricoxide commented on July 22, 2024

Unfortunately, my customer only authorizes EL7 (and EL6, euw) for their cloud-based deployments. My plans are to keep ahead of the curve and move to EL8 long before the STIGs come out. However, I'm trying to wait to switch till I've re-upped my RHCE on EL7 (and also prefer to wait until I can upgrade my VPS to CentOS 8).

Long-winded way of offering to help with EL7 stuff pending any future ability to help with EL8. :)


ferricoxide commented on July 22, 2024

Just trying to stay abreast of things: any additional input (etc.) you need from me?


acdha commented on July 22, 2024

@ferricoxide Thanks for including the error message in a high-quality issue. I ran into this while searching through SELinux logs, and while I was able to resolve it by having Ansible remove ec2-instance-connect because this particular project doesn't use public IPs, that won't be true of some of the other projects which I support.


wcgcoder commented on July 22, 2024

What a bummer this wasn't incorporated into the project. Luckily you made this issue and I was able to incorporate it into my AMI build.
