Linode, SELinux, and Vultr logos

Linode and Vultr no longer disables SELinux by default in Fedora Server 27

The two virtual private server (VPS) hosting providers Linode and Vultr have been offering server instances of Fedora Server with Security-Enhanced Linux (SELinux) enforcement disabled by default. New instances deployed with Fedora Server 27 now enable SELinux in enforcing mode by default; aligning them to the upstream Fedora defaults.

SELinux is a mandatory access control system managed by a set of security policies that the Kernel use to limit what processes and users can do on the system. One of Fedora’s differentiating features compared to other Linux distributions is its well-maintained and low-friction default SELinux policy set.

Disabling of SELinux

Both Linode and Vultr used to disable SELinux by default, which meant customers didn’t get the same experience when deploying servers through these server providers when compared to a default installation of Fedora Server edition.

Linode replaced the kernel provided by the Fedora project with their own Linode Unified Kernel (LUK). My review of Linode VPS contains a long section detailing LUK. LUK was being compiled with SELinux disabled, but Linode hadn’t actually disabled SELinux – causing some funny boot time messages about SELinux being turned on but not being available in the Kernel. The result was that the SELinux policy set wasn’t being enforced. Re-enabling the default Fedora kernel — to enable SELinux with it — required changes to the server’s configuration in the Linode Manager, plus enough knowledge to relabel and repair a system with broken SELinux labels.

Vultr had just disabled the SELinux option while keeping the default kernel. Resetting to default enabled state required restoring the configuration for SELinux and a full relabeling of the system.

Aligning with upstream defaults

If you deploy a new instance of Fedora Server 27 on Linode today, you’ll now get an unmodified system image that is enforcing SELinux policies by default.

Vultr have been enforcing SELinux by default in all supported versions of Fedora since .

Note that updating an existing Fedora Server instance with either Linode or Vultr won’t suddenly enable SELinux. The change only applies to new instances deployed for the specific versions or since the dates mentioned above.

These changes means Fedora users who deploy with any of these cloud service providers now get a system that is much closer to the default Fedora Server experience. Documentation and community support now match the default experiences with Fedora.

Why the change happened

I wasn’t happy after having made the switch from DigitalOcean, another VPS hosting provider, to Linode and found that my distribution of choice, Fedora 22 at the time, differed greatly from Fedora on DigitalOcean and on my own hardware. I vented some frustration in my Linode review, made the [complex] required changes to use the default Fedora kernel, and let it be with that.

Some months later I was managing more instances on Linode, and had started playing with Vultr as a possible Linode replacement. Vultr reportedly has slightly better performance than Linode for the same cost, so I thought I’d have a look at it. Again, I was frustrated when I found out that Vultr also had disabled SELinux by default!

I remember having read about Canonical taking action against modified versions of Ubuntu offered with some service providers. Ubuntu includes a clause that you have to change the name if you modify and redistribute copies of Ubuntu to others, on grounds of protecting the Ubuntu trademark. After some research, I found that Fedora actually had similar legal requirements for use of their trademark to those of Ubuntu.

The gist of these trademark use requirements means that Linode and Vultr would have to rename their modified versions of Fedora to something like “Linode Fedora Remix” in marketing to clearly differentiate it from the upstream Fedora as distributed by the Fedora project. I would have been perfectly happy with this resolution as I’d know that I wasn’t getting the stock default Fedora Server edition with this naming scheme.

I proceeded to open a ticket with the Fedora Council requesting that the council look into the matter of modified VPS images as distributed by these two cloud providers. The matter was referred to Tom ‘spot’ Callaway of the Fedora legal team who worked with Lindoe and Vultr. Vultr was able to resolve the matter in four months, while it took Linode seven months to resolve the issue.


In summary, both Linode and Vultr are great cheap options for all your virtual private server hosting needs for Fedora Server edition!