# Chapter 33: Linux Security - SELinux and AppArmor In-Depth
## Overview

Linux Security Modules (LSM) is the kernel framework through which mandatory access control (MAC) is enforced on top of traditional Unix discretionary permissions. SELinux and AppArmor are the two main MAC implementations built on it. This chapter covers both in depth, with the practical examples needed to run them in production.
## 31.1 SELinux Fundamentals

### What is SELinux?

```text
SELinux Security Context

  Security Context                 Enforcement

  +----------+
  |   User   |
  +----+-----+
       |
       v
  +----------+
  |   Role   |
  +----+-----+
       |
       v
  +----------+         Process
  |   Type   |------------+
  +----+-----+            |
       |                  v                  File
       v            +----------+         +---------+
  +----------+      | Process  |-------->|  File   |
  |  Level   |      +----------+         +---------+
  +----------+            |
                          v                  Socket
                     +----------+         +---------+
                     | Process  |-------->| Socket  |
                     +----------+         +---------+
                          |
                          v                  Directory
                     +----------+         +---------+
                     | Process  |-------->|Directory|
                     +----------+         +---------+
```
### SELinux Concepts

```bash
# SELinux adds a security context to:
# - Files
# - Processes
# - Ports
# - Users

# Security context format
# user:role:type:level

# Example contexts
unconfined_u:object_r:httpd_sys_content_t:s0
system_u:system_r:httpd_t:s0
```
## 31.2 SELinux Modes and States
### Mode Types

```bash
# Three modes:
# 1. Enforcing  - enforces the policy: violations are denied and logged
# 2. Permissive - logs violations but allows them
# 3. Disabled   - SELinux is completely off

# Check current mode
getenforce
sestatus

# Temporary change (resets on reboot)
sudo setenforce 1   # Enforcing
sudo setenforce 0   # Permissive

# Permanent change: edit /etc/selinux/config, then reboot
SELINUX=enforcing
# or
SELINUX=permissive
# or
SELINUX=disabled
# Note: on RHEL 9 and later, SELINUX=disabled in this file no longer fully
# disables SELinux; that requires the selinux=0 kernel boot argument.
```
## 31.3 SELinux Contexts
### File Contexts

```bash
# View file context
ls -Z /var/www/html
ls -Z /etc/passwd

# View process context
ps auxZ | grep nginx

# View port context
semanage port -l

# View user context
id -Z
```
### Context Components

```bash
# User (u)
# - SELinux user identity (not the same thing as the Linux user)
# - system_u, unconfined_u, user_u

# Role (r)
# - system_r, object_r, unconfined_r
# - object_r is the role carried by files and other passive objects

# Type (t)
# - Most important for enforcement: the targeted policy decides almost everything by type
# - httpd_sys_content_t, httpd_t, etc.

# Level (s0, s0-s15)
# - MLS/MCS sensitivity levels, optionally with categories (s0:c0.c1023)
```
### Changing Contexts

```bash
# Temporarily change file context (lost on the next relabel)
chcon -t httpd_sys_content_t /var/www/html/file.html

# Relabel from policy
restorecon -Rv /var/www/html

# Permanently change context: record the rule in the policy, then apply it
semanage fcontext -a -t httpd_sys_content_t "/webapp(/.*)?"
restorecon -Rv /webapp
semanage fcontext -l | grep /webapp

# List all file context rules (-C shows only local customizations)
semanage fcontext -l
semanage fcontext -lC
```
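As an added example (not code from this chapter), the following Python script parses `ls -Z` output into its four context components and flags files under a managed path whose type does not match what that path should carry, emitting the `restorecon` command that repairs each one. The `ls -Z` sample and the `EXPECTED_TYPES` table are constructed; on a real host the authoritative type comes from `matchpathcon` or `semanage fcontext -l`.

```python
import re
from typing import Dict, List, Optional, Tuple

# Expected type per path prefix. Constructed for this example; on a real host the
# policy's own answer comes from `matchpathcon PATH` or `semanage fcontext -l`.
EXPECTED_TYPES: Dict[str, str] = {
    "/var/www/html": "httpd_sys_content_t",
    "/etc/nginx": "httpd_config_t",
    "/var/log/nginx": "httpd_log_t",
}

# Constructed sample of `ls -Z` output: "<context> <path>" per line
SAMPLE_LS_Z = """\
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/upload.php
system_u:object_r:httpd_config_t:s0 /etc/nginx/nginx.conf
unconfined_u:object_r:admin_home_t:s0 /etc/nginx/conf.d/site.conf
system_u:object_r:httpd_log_t:s0:c0.c1023 /var/log/nginx/access.log
"""

# user:role:type:level then the path; the level may carry MCS categories (s0:c0.c1023)
LINE_RE = re.compile(r"^(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):(?P<level>\S+)\s+(?P<path>\S+)$")


def parse_ls_z(text: str) -> List[Dict[str, str]]:
    """Split each `ls -Z` line into its four context components plus the path."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # blank lines and anything that is not a context are skipped
            entries.append(m.groupdict())
    return entries


def expected_type(path: str) -> Optional[str]:
    """Longest-prefix match of the path against EXPECTED_TYPES (None if unmanaged)."""
    hits = [p for p in EXPECTED_TYPES if path == p or path.startswith(p + "/")]
    return EXPECTED_TYPES[max(hits, key=len)] if hits else None


def find_mislabeled(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, actual_type, expected_type) for every file carrying the wrong type."""
    bad = []
    for e in parse_ls_z(text):
        want = expected_type(e["path"])
        if want is not None and e["type"] != want:
            bad.append((e["path"], e["type"], want))
    return bad


def fix_commands(mismatches: List[Tuple[str, str, str]]) -> List[str]:
    """restorecon reapplies the policy label, so the fix survives a later relabel (chcon would not)."""
    return [f"restorecon -v {path}" for path, _, _ in mismatches]
```

Running `find_mislabeled(SAMPLE_LS_Z)` reports the upload handler labeled `user_home_t` and the vhost file labeled `admin_home_t`, both of which `httpd_t` cannot read.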
## 31.4 SELinux Booleans
### Managing Booleans

```bash
# List all booleans
getsebool -a
semanage boolean -l

# List the booleans for one service (here httpd)
getsebool -a | grep httpd

# Enable a boolean (-P makes the change persist across reboots)
setsebool -P httpd_enable_homedirs on
setsebool -P httpd_can_network_connect on

# Disable a boolean
setsebool -P httpd_can_network_connect off

# Check boolean status
getsebool httpd_enable_homedirs
```
### Common SELinux Booleans

```bash
# HTTP/Apache
httpd_enable_homedirs      # Allow httpd to access home dirs
httpd_can_network_connect  # Allow httpd to connect to the network
httpd_enable_cgi           # Enable CGI
httpd_use_nfs              # Allow Apache to use NFS
httpd_use_cifs             # Allow Apache to use CIFS

# FTP
ftp_home_dir               # Allow FTP to access home dirs
allow_ftpd_full_access     # Allow FTP full access

# Samba
smbd_anon_write            # Allow SMB to write anonymously
samba_enable_home_dirs     # Enable Samba home directories

# NFS
nfs_export_all_ro          # NFS export read-only
nfs_export_all_rw          # NFS export read-write

# SSH
ssh_sysadm_login           # Allow sysadm users to SSH
```
## 31.5 SELinux Users
### SELinux User Mapping

```bash
# Map a Linux user to an SELinux user
sudo semanage login -a -s user_u -r s0-s0:c0.c1023 username

# List login mappings
sudo semanage login -l

# Default login mappings
# __default__   user_u:s0-s0:c0.c1023
# root          root:s0-s0:c0.c1023
# system_u      system_u:s0-s0:c0.c1023

# Map a Linux group (group names take a % prefix)
sudo semanage login -a -s staff_u -r s0-s0:c0.c1023 %groupname
```
## 31.6 SELinux Ports
### Managing Ports

```bash
# List port contexts
semanage port -l

# Add a port to a type
sudo semanage port -a -t http_port_t -p tcp 8080

# Delete a port
sudo semanage port -d -t http_port_t -p tcp 8080

# Modify an existing port definition
sudo semanage port -m -t http_port_t -p tcp 8080

# Example: add a custom port for nginx
sudo semanage port -a -t http_port_t -p tcp 8888
```
## 31.7 Troubleshooting SELinux
### Common Issues and Solutions

```bash
# Issue: Apache can't read files
# Symptom: "Permission denied" in browser
# Solution: label the content so httpd_t may read it
sudo chcon -R -t httpd_sys_content_t /var/www/html/
sudo restorecon -Rv /var/www/html/

# Issue: Apache can't connect to the database
# Symptom: can't connect to MySQL
# Solution:
sudo setsebool -P httpd_can_network_connect_db 1

# Issue: can't use a non-standard port
# Symptom: service won't start on port 81
# Solution:
sudo semanage port -a -t http_port_t -p tcp 81

# Issue: FTP can't access home directories
# Solution:
sudo setsebool -P ftp_home_dir 1

# Issue: SSH login fails for a user mapped to sysadm_u
# Solution:
sudo setsebool -P ssh_sysadm_login 1
```
### Debugging SELinux

```bash
# Check for denials in logs
sudo tail -f /var/log/audit/audit.log | grep denied

# Use sealert for analysis
sudo sealert -a /var/log/audit/audit.log

# Set a single domain to permissive (instead of the whole system)
sudo semanage permissive -a httpd_t

# Get detailed denial info
sudo ausearch -m AVC -ts recent
```
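What `ausearch -m AVC` shows, reduced to what a policy reviewer needs: this added Python example (not from the chapter) groups denied permissions by source type, target type and object class and renders them as the allow rules `audit2allow` would generate, annotating the cases where one of the booleans from this chapter is the narrower fix. The audit.log excerpt and the `BOOLEAN_HINTS` table are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed audit.log excerpt: three AVC records for httpd plus an unrelated SYSCALL line
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/alice/www/index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000002.789:458): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Booleans this chapter documents for these targets; a boolean is narrower than a custom module
BOOLEAN_HINTS: Dict[Tuple[str, str], str] = {
    ("user_home_t", "file"): "httpd_enable_homedirs",
    ("mysqld_port_t", "tcp_socket"): "httpd_can_network_connect_db",
}


def context_type(ctx: str) -> str:
    """Third field of user:role:type:level."""
    return ctx.split(":")[2]


def collect_denials(log_text: str) -> Dict[Tuple[str, str, str], Set[str]]:
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    groups: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        groups[key].update(m["perms"].split())
    return groups


def render_rules(groups: Dict[Tuple[str, str, str], Set[str]]) -> List[str]:
    """One allow rule per group, annotated where a documented boolean is the better fix."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        rule = f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        hint = BOOLEAN_HINTS.get((ttype, tclass))
        if hint:
            rule += f"  # consider: setsebool -P {hint} on"
        rules.append(rule)
    return rules
```

Each rendered rule is exactly what a generated module would grant, which is why the `.te` file should be read before `semodule -i` loads it.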
```bash
# Generate a custom policy module from recent denials
sudo audit2allow -w -a            # explain why each access was denied
sudo audit2allow -M mymodule -a   # write mymodule.te and mymodule.pp
# Review mymodule.te before loading it: it allows everything that was denied
sudo semodule -i mymodule.pp
```
## 31.8 SELinux Policy Management
### Modules

```bash
# List modules
semodule -l

# Install a module
sudo semodule -i module.pp

# Remove a module
sudo semodule -r module_name

# Disable/enable a module
sudo semodule -d module_name
sudo semodule -e module_name
```
## 31.9 AppArmor
### Introduction to AppArmor

```bash
# AppArmor is the Debian/Ubuntu default
# Uses profile-based security: one profile per program path

# Check status
sudo aa-status
sudo apparmor_status

# AppArmor modes
# enforce    - enforce the profile
# complain   - log violations but allow them
# unconfined - no profile loaded for the program
```
## 31.10 AppArmor Profiles
### Profile Structure

```text
#include <tunables/global>

/usr/sbin/nginx {
  # Include abstractions
  # - Common program requirements
  # - File access patterns
  # - Network access
  #include <abstractions/apache2-common>
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Capability rules
  # - Linux capabilities
  capability net_bind_service,
  capability setuid,

  # File rules
  # Allow read access
  /etc/nginx/** r,
  /var/log/nginx/** rw,

  # Deny rules
  deny /etc/shadow r,

  # Network rules
  network inet stream,
  network inet dgram,

  # Run as
  # - May be run as specified user
}
```
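An added Python lint (not from the chapter) for profiles shaped like the one above: it parses the capability and file rules and flags grants that undo confinement. The profile text is constructed from the nginx profile with two deliberately risky lines added so there is something to flag; `DANGEROUS_CAPS` is a short illustrative list, not an exhaustive one.

```python
import re
from typing import Dict, List

# The nginx profile from this section plus two deliberately risky lines (constructed)
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/sbin/nginx {
  #include <abstractions/base>
  capability net_bind_service,
  capability setuid,
  capability sys_admin,    # constructed: far broader than nginx needs
  /etc/nginx/** r,
  /var/log/nginx/** rw,
  /** rwx,                 # constructed: effectively unconfined file access
  deny /etc/shadow r,
  network inet stream,
}
"""

CAP_RULE_RE = re.compile(r"^capability\s+(?P<cap>\w+),")
FILE_RULE_RE = re.compile(r"^(?P<deny>deny\s+)?(?P<path>/\S*)\s+(?P<perms>[a-zA-Z]+),")
# Capabilities that give a confined program near-root power (illustrative subset)
DANGEROUS_CAPS = {"sys_admin", "sys_ptrace", "sys_module", "dac_override"}


def parse_profile(text: str) -> Dict[str, list]:
    """Collect capability and file rules; #include lines, comments and braces are skipped."""
    caps, files = [], []
    for raw in text.splitlines():
        line = "" if raw.strip().startswith("#include") else raw.split("#", 1)[0].strip()
        if m := CAP_RULE_RE.match(line):
            caps.append(m["cap"])
        elif m := FILE_RULE_RE.match(line):
            files.append({"path": m["path"], "perms": m["perms"], "deny": bool(m["deny"])})
    return {"capabilities": caps, "files": files}


def lint_profile(text: str) -> List[str]:
    """Return one finding per rule that weakens confinement; deny rules are never flagged."""
    parsed, findings = parse_profile(text), []
    for cap in parsed["capabilities"]:
        if cap in DANGEROUS_CAPS:
            findings.append(f"capability {cap}: near-root power, confirm the program needs it")
    for rule in parsed["files"]:
        if rule["deny"]:
            continue
        path, perms = rule["path"], rule["perms"]
        if path in ("/**", "/") and ("w" in perms or "x" in perms):
            findings.append(f"{path} {perms}: write/exec over the whole filesystem defeats confinement")
        elif path.startswith("/etc/") and "w" in perms:
            findings.append(f"{path} {perms}: write access under /etc lets the program rewrite its config")
    return findings
```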
### Creating Custom Profile

```bash
# 1. Generate profile template
sudo aa-autodep nginx

# 2. Set to complain mode
sudo aa-complain nginx

# 3. Exercise the application
# Use the application normally so every access it needs gets logged

# 4. Review log for violations
sudo dmesg | grep apparmor
sudo tail -f /var/log/syslog | grep apparmor

# 5. Fold the logged events into the profile
sudo aa-logprof

# 6. Set to enforce mode
sudo aa-enforce nginx
```
## 31.11 AppArmor Commands
### Managing Profiles

```bash
# Check whether AppArmor is enabled (exit status 0 when it is)
sudo aa-status --enabled

# Show loaded profiles and their modes
sudo aa-status

# Enforce mode
sudo aa-enforce /etc/apparmor.d/profile.name
sudo aa-enforce /etc/apparmor.d/*

# Complain mode
sudo aa-complain /etc/apparmor.d/profile.name
sudo aa-complain /etc/apparmor.d/*

# Disable profile
sudo aa-disable /etc/apparmor.d/profile.name

# Reload all profiles
sudo systemctl reload apparmor

# Load a profile into the kernel, replacing it if already loaded (-a adds a new one only)
sudo apparmor_parser -r /etc/apparmor.d/profile.name
```
### Profile Utilities

```bash
# Generate profile automatically
sudo aa-autodep program_name

# Learn from application use (updates profiles from logged events)
sudo aa-logprof

# Merge changes from another profile file into the installed one
sudo aa-mergeprof /path/to/other.profile

# Test profile syntax without loading it into the kernel
sudo apparmor_parser -Q /etc/apparmor.d/profile.name
```
## 31.12 AppArmor vs SELinux Comparison

| | SELinux | AppArmor |
|---|---|---|
| Complexity | Complex | Simpler |
| Default on | RHEL | Ubuntu/Debian |
| Model | Type enforcement with MLS/MCS support | Path-based |
| Pros | More granular control; MLS/MCS support; enterprise distros | Easier to learn; intuitive path-based rules |
| Cons | Steep learning curve; complex configuration | Less granular; limited MLS support |
### Comparison

```bash
# SELinux
# Pros:
# - More granular control
# - MLS/MCS support
# - Default on enterprise distros

# Cons:
# - Steep learning curve
# - Complex configuration
# - Can be overwhelming

# AppArmor
# Pros:
# - Easier to learn
# - Path-based (intuitive)
# - Good for desktop apps

# Cons:
# - Less granular than SELinux
# - Limited MLS support
```
## 31.13 Security Hardening Checklist
### SELinux Hardening

```bash
# 1. Set to enforcing (/etc/selinux/config)
SELINUX=enforcing

# 2. Use the targeted policy
SELINUXTYPE=targeted

# 3. Don't loosen booleans unnecessarily

# 4. Regular audits
sudo ausearch -m AVC -ts recent

# 5. Monitor denied operations
sudo sealert -a /var/log/audit/audit.log
```
### AppArmor Hardening

```bash
# 1. Put all profiles in enforce mode
sudo aa-enforce /etc/apparmor.d/*

# 2. Create restrictive profiles

# 3. Update profiles regularly from logged events
sudo aa-logprof

# 4. Monitor denials
sudo dmesg | grep apparmor
```
### General Security

```bash
# 1. Keep system updated
sudo pacman -Syu

# 2. Firewall
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

# 3. Fail2ban
sudo systemctl enable --now fail2ban

# 4. Audit logging (auditctl rules are lost on reboot; persist them under /etc/audit/rules.d/)
sudo auditctl -w /etc/passwd -p wa -k passwd_modify
sudo auditctl -w /etc/shadow -p wa -k shadow_modify
```
## Summary

In this chapter, you learned:
- ✅ SELinux fundamentals and concepts
- ✅ SELinux modes (Enforcing, Permissive, Disabled)
- ✅ Security contexts and types
- ✅ SELinux booleans and management
- ✅ SELinux user mapping
- ✅ Port management in SELinux
- ✅ Troubleshooting SELinux denials
- ✅ AppArmor profiles and structure
- ✅ Creating AppArmor profiles
- ✅ SELinux vs AppArmor comparison
- ✅ Security hardening best practices
## Next Chapter

Chapter 32: Firewalls and Network Security
Last Updated: February 2026