SELinux and AppArmor

They both are security related technologies classified as MAC - Mandatory Access Control. SELinux was created by NSA - National Security Agency, while AppArmor become popular after it has adopted by Ubuntu Linux.

The main idea here is to create mechanisms to extend the basic permission schema based on ugo/rwx. Among other things, they offer the ability to restrict access by system process to files, directories, network ports, etc.

AppArmor offers an autolearn mode, which is capable to know how a system should operate, while SELinux brings an enforcing mode by default since CentOS 6.

SELinux

SELinux stands for Security Enhanced Linux and it can operate in two modes:

• enforcing: SELinux will deny access based on its policy rules, a set of guidelines that control its engine.
• permissive: SELinux won't deny access, but denials will be logged for actions that would have been denied if running in enforcing mode.

You have the choice to completely disable SELinux, however, it is not recommended these days! It's better to learn how to take advantage of this excellent tool.

You can verify the current operation mode of SELInux using getenforce command, and you can change it by setenforce 0 - permissive mode - or setenforce 1 - enforcing mode. To persist this change across reboots you need to set the SELINUX variable in the /etc/selinux/config file.

To set SELINUX from or to disabled mode you will have to edit the above file and reboot your system.

As a common use case lets see how to change the SSH daemon port from 22 to 2222:

1. Make sure you have the policycoreutils-python package installed:

  yum install -y policycoreutils-python

1. Tell SELinux that port 2222 is allowed to be used by ssh process:

  # check all ports managed by SELinux
  selinux port -l

  # Customize ssh to run on port 2222/tcp
  semanage port -a -t ssh_port_t -p tcp 2222

  # check all customized ports managed by SELinux
  semanage -lC

Another common scenario is to change the default allowed DocumentRoot folder to be used by a web server. Lets add the /srv/www to the list of the allowed directories:

semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"

The above command will grant apache read-only access to that directory and its contents.

Finally, to apply the pilicy, making the label change effective immediately):

restorecon -R -v /srv/www

If things are still not working as expected you can look for AVC string in /var/log/audit/audit.log file.

You can get more help at SELinux Official Documentation.

AppArmor

AppArmor uses profiles defined in text files instead of policy managed by commands. There are several of them provided out of the box. These profiles are available at /etc/apparmod.d.

You can check the AppArmor current status by running:

apparmor_status

To switch a profile between complain and enforce modes, like smbd profile, we can run:

aa-complain /etc/apparmor.d/usr.sbin.smbd
aa-enforce  /etc/apparmor.d/usr.sbin.smbd

The above commands also accept bash wildcards to change multiple profiles at once.

To entirely disable a profile, we just have to create a link to its file at /etc/apparmor.d/disable/ directory, like so:

sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/

You can get more information for AppArmor in Ubuntu AppArmor Community Documentation.