Introduction to SELinux and AppArmor

By Jennifer Mathew

Updated on May 11, 2024

This tutorial introduces SELinux and AppArmor and the mandatory access control mechanisms behind them. In Linux security, Mandatory Access Control (MAC) mechanisms play a crucial role in enforcing policies that restrict the actions of users and processes on a system.

Two popular MAC implementations for Linux are SELinux (Security-Enhanced Linux) and AppArmor. These tools offer granular control over system resources, enhancing security by confining the capabilities of programs and users.

SELinux vs. AppArmor

Before diving into installation and configuration, let's briefly differentiate between SELinux and AppArmor:

SELinux: Developed by the National Security Agency (NSA), SELinux integrates MAC into the Linux kernel. It defines security policies using labels attached to files, processes, and ports. SELinux operates on the principle of least privilege, meaning that by default, all operations are denied unless explicitly allowed by policy rules.

AppArmor: Originally developed by Immunix, AppArmor is a MAC system that confines individual programs rather than entire processes. It uses profiles to specify which files and capabilities a program can access. Unlike SELinux, which uses a label-based approach, AppArmor relies on pathnames to enforce policies.

Both SELinux and AppArmor provide robust security measures, but the choice between them often depends on user preference and system requirements.

Installation

SELinux Installation

SELinux is typically included in most Linux distributions. However, ensure that it's installed and enabled on your system by following these steps:

1. Check SELinux status:

sestatus

If SELinux is not installed, you can install it using your package manager. For example, on CentOS/RHEL, you can use:

sudo yum install policycoreutils selinux-policy-targeted

2. Reboot your system to apply SELinux changes:

sudo reboot

AppArmor Installation

AppArmor is also pre-installed on some distributions but may require manual installation on others. Here's how to install it:

1. Check AppArmor status:

sudo apparmor_status

If AppArmor is not installed, you can install it using your package manager. For example, on Ubuntu/Debian, you can use:

sudo apt-get install apparmor apparmor-utils

2. Enable the AppArmor service:

sudo systemctl enable apparmor
sudo systemctl start apparmor

Configuration

SELinux Configuration

SELinux configuration involves managing policies and contexts. Here are some common SELinux commands:

  • `semanage`: Manage SELinux policy settings.
  • `sestatus`: Display SELinux status information.
  • `setenforce`: Set the SELinux enforcement mode (Enforcing, Permissive, Disabled).
  • `chcon`: Change SELinux security context of files or directories.

To set a file context for Apache web server content, for example:

sudo semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?'
sudo restorecon -Rv /var/www/html

AppArmor Configuration

AppArmor configuration mainly revolves around creating and managing profiles for individual applications. Here are some key commands:

  • `aa-status`: Display AppArmor status.
  • `aa-genprof`: Generate a profile for an application.
  • `aa-logprof`: Analyze and adjust existing AppArmor profiles.
  • `aa-enforce`, `aa-complain`: Set enforcement mode for a profile (Enforce or Complain).

To create a profile for the nginx web server, for instance:

sudo aa-genprof /usr/sbin/nginx

Basic Policies

SELinux Policies

SELinux policies consist of rules that define the access permissions for various system resources. These policies are enforced based on labels assigned to objects. Here's a simple example of allowing Apache to connect to the network:

sudo setsebool -P httpd_can_network_connect 1

AppArmor Policies

AppArmor policies specify which files and resources an application can access. These policies are defined in profile files. Below is an example of an AppArmor profile for Apache (/etc/apparmor.d/usr.sbin.apache2):

# Last Modified: Tue May 26 12:01:23 2020
#include <tunables/global>

/usr/sbin/apache2 {
  #include <abstractions/base>
  # Site-specific additions and overrides. See local/README for details.
  /etc/apache2/ r,
  /etc/apache2/** r,
  /var/www/html/ r,
  /var/www/html/** rwk,
  network tcp,
}
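
To see how the pathname rules in this profile decide access, the following added example (not part of the original tutorial or of AppArmor itself) models the file rules in Python. It is a simplified model: only the `*` and `**` globs are handled, `#include` lines are not expanded, and the names `glob_to_regex`, `parse_file_rules` and `allowed` are hypothetical helpers.

```python
import re

# Profile body from the tutorial (includes are not expanded in this model).
PROFILE = """\
/usr/sbin/apache2 {
  #include <abstractions/base>
  /etc/apache2/ r,
  /etc/apache2/** r,
  /var/www/html/ r,
  /var/www/html/** rwk,
  network tcp,
}
"""

def glob_to_regex(glob):
    """Simplified AppArmor globbing: '*' stays within one path component,
    '**' crosses '/'; directly after '/' both need at least one character."""
    out, i = [], 0
    while i < len(glob):
        after_slash = i > 0 and glob[i - 1] == "/"
        if glob.startswith("**", i):
            out.append("[^/].*" if after_slash else ".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]+" if after_slash else "[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))

def parse_file_rules(profile_text):
    """Return (compiled_path_regex, permission_string) for each file rule."""
    rules = []
    for line in profile_text.splitlines():
        line = line.strip()
        # File rules start with '/' and end with ','; this skips the
        # '/usr/sbin/apache2 {' header and the 'network tcp,' rule.
        if line.startswith("/") and line.endswith(","):
            path, perms = line[:-1].split()
            rules.append((glob_to_regex(path), perms))
    return rules

def allowed(rules, path, perm):
    """Default deny: access is granted only if some rule matches the path
    and lists the requested permission letter (r, w, k, ...)."""
    return any(rx.fullmatch(path) and perm in perms for rx, perms in rules)

RULES = parse_file_rules(PROFILE)
```

Running `allowed(RULES, path, perm)` over candidate paths shows what the profile grants: the `rwk` rule makes everything beneath `/var/www/html/` writable by Apache, while `/etc/apache2/**` stays read-only and any path without a matching rule is denied.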

Conclusion

This tutorial introduced SELinux and AppArmor. Both are powerful tools for enforcing Mandatory Access Control policies on Linux systems. By understanding their installation, configuration, and basic policies, you can enhance the security posture of your system.