Skip to content

aws/amazon-ssm-agent-selinux

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

43 Commits

.github

.github

 
 

.gitignore

.gitignore

 
 

CODE_OF_CONDUCT.md

CODE_OF_CONDUCT.md

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

RELEASENOTES.md

RELEASENOTES.md

 
 

amazon_ssm_agent.fc

amazon_ssm_agent.fc

 
 

amazon_ssm_agent.if

amazon_ssm_agent.if

 
 

amazon_ssm_agent.sh

amazon_ssm_agent.sh

 
 

amazon_ssm_agent.te

amazon_ssm_agent.te

 
 

amazon_ssm_agent_selinux.8

amazon_ssm_agent_selinux.8

 
 

amazon_ssm_agent_selinux.spec

amazon_ssm_agent_selinux.spec

 
 

Repository files navigation

AMAZON-SSM-AGENT-SELINUX POLICY

Note - This policy has been tested to work on AL2 only for now. Please make sure that the OS you are using is AL2.
Note - This policy forfeits sudo access on the machine that utilizes it i.e. you will lose access to the root level user.

This is the SELinux policy for AWS SSM agent. Install this policy to confine your SSM agent processes.

Installation instructions

Note - It is recommended to start SELinux in permissive mode before enabling it in enforcement mode.

Make sure Amazon SSM agent service is installed and running before compiling and installing the SELinux policy:

sudo yum install amazon-ssm-agent
sudo systemctl start amazon-ssm-agent

Run the following commands:

sudo yum update
sudo yum install policycoreutils-devel rpm-build git

To build and install the SELinux policy, make sure that SELinux config file is in permissive or enforcing mode in /etc/selinux/config file:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Clone the repository, build and install using the commands below:

git clone https://github.com/aws/amazon-ssm-agent-selinux.git
cd amazon-ssm-agent-selinux
chmod +x amazon_ssm_agent.sh
sudo ./amazon_ssm_agent.sh

Reboot the instance and verify that your instance is in enforcing mode or permissive mode as chosen:

sudo sestatus

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

List the SSM processes to check that they are confined:


ps -efZ | grep -i amazon

system_u:system_r:amazon_ssm_agent_t:s0 root 5665  1  0 00:15 ?        00:00:02 /usr/bin/amazon-ssm-agent
system_u:system_r:amazon_ssm_agent_t:s0 root 5746 5665  0 00:15 ?      00:00:02 /usr/bin/ssm-agent-worker

Security

See CONTRIBUTING for more information.

License

This library is licensed under the GNU GPL v2 License.

About

SELinux policy to confine Amazon SSM agent

aws.amazon.com/systems-manager/

Resources

Readme

License

GPL-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

7 stars

Watchers

7 watching

Forks

4 forks
Report repository

Releases 2

Amazon SSM Agent SELinux - Release 1.0.11.0 - 2024-05-10 Latest
May 10, 2024
+ 1 release

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages