Linux - SELinux and AppArmor Security Frameworks

SELinux (Security-Enhanced Linux) and AppArmor are advanced security frameworks designed to strengthen Linux systems by enforcing strict access control policies. Unlike the traditional Linux permission model, which primarily relies on user, group, and file permissions, these frameworks implement Mandatory Access Control (MAC). This means that even if a user or application has sufficient traditional permissions, the security framework can still prevent unauthorized actions based on predefined policies. Both SELinux and AppArmor significantly reduce the risk of malware, accidental system modifications, and privilege escalation attacks.

Understanding Mandatory Access Control (MAC)

Linux normally uses Discretionary Access Control (DAC), where the owner of a file determines who can access it. While DAC is flexible, it has limitations. If an attacker compromises a privileged account or exploits a vulnerable application, they may gain extensive access to system resources.

Mandatory Access Control introduces an additional layer of protection. Under MAC:

  • Security policies are defined by the system administrator.

  • Applications can only perform actions explicitly permitted by these policies.

  • Even the root user is subject to certain security restrictions.

  • Unauthorized actions are denied regardless of file ownership or standard permissions.

This approach minimizes damage caused by software vulnerabilities and insider threats.

What is SELinux?

Security-Enhanced Linux (SELinux) is a security module integrated into the Linux kernel. Originally developed by the United States National Security Agency (NSA), it provides a highly granular access control system based on security contexts and policies.

SELinux assigns labels to:

  • Files

  • Directories

  • Processes

  • Users

  • Ports

  • Devices

Every interaction between these objects is checked against the loaded security policy before permission is granted.

How SELinux Works

Each object in the system has a security context containing information such as:

  • User

  • Role

  • Type

  • Security level

For example:

system_u:object_r:httpd_sys_content_t:s0

A running web server process also has its own context.

When the web server attempts to read a file, SELinux checks:

  • The process label

  • The file label

  • The security policy

If the policy allows the interaction, access is granted.

Otherwise, access is denied even if traditional Linux permissions would have allowed it.

SELinux Operating Modes

SELinux operates in three different modes.

Enforcing Mode

This is the most secure mode.

Characteristics:

  • Security policies are actively enforced.

  • Unauthorized actions are blocked.

  • Violations are recorded in audit logs.

Example:

A web server tries to access a user's home directory.

Without SELinux: access is allowed.

With SELinux: access is denied, because the policy prohibits this operation.

Permissive Mode

Policies are not enforced.

Characteristics:

  • Violations are logged.

  • Applications continue functioning.

  • Useful for troubleshooting and testing.

Administrators commonly use permissive mode before deploying enforcing mode.

Disabled Mode

SELinux is completely inactive.

Characteristics:

  • No policy enforcement.

  • No security labeling.

  • No SELinux protection.

Disabling SELinux is generally discouraged because it removes an important layer of system security.
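To make the context fields, the policy check and the three modes above concrete, here is an added Python simulation of a type-enforcement decision; it is not code from this article and not SELinux's own implementation. It assumes a constructed two-rule policy and a simplified AVC message, and uses the page's httpd_sys_content_t context together with a user_home_t file standing in for the home-directory example.

```python
import re
from typing import NamedTuple

class Context(NamedTuple):
    """An SELinux security context: user:role:type:level."""
    user: str
    role: str
    type: str
    level: str

def parse_context(label: str) -> Context:
    # Split on the first three colons only; an MLS level may itself contain colons (s0-s0:c0.c1023).
    parts = label.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed context: {label!r}")
    return Context(*parts)

# Constructed toy policy written in the style of SELinux allow rules:
#   allow <source type> <target type>:<class> { <permissions> };
POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append create getattr open };
"""
_RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{([^}]*)\}\s*;")

def load_rules(text: str) -> set:
    return {(src, tgt, cls, perm)
            for src, tgt, cls, perms in _RULE.findall(text)
            for perm in perms.split()}

RULES = load_rules(POLICY)

def check_access(mode: str, proc: str, obj: str, cls: str, perm: str) -> tuple:
    """Return (allowed, audit_message). Type enforcement compares the type
    fields of the two contexts; the DAC check is assumed to have passed."""
    if mode == "disabled":
        return True, None          # no labels checked, no enforcement
    src, tgt = parse_context(proc).type, parse_context(obj).type
    if (src, tgt, cls, perm) in RULES:
        return True, None
    # Constructed simplification of an AVC denial line from the audit log.
    avc = f"avc: denied {{ {perm} }} scontext={proc} tcontext={obj} tclass={cls}"
    if mode == "permissive":
        return True, avc           # logged, but the action proceeds
    return False, avc              # enforcing: blocked and logged

HTTPD = "system_u:system_r:httpd_t:s0"
WEB = "system_u:object_r:httpd_sys_content_t:s0"
HOME = "unconfined_u:object_r:user_home_t:s0"
```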

SELinux Policies

Policies define which operations are permitted.

Common policy types include:

Targeted Policy

The most widely used policy.

Only selected network-facing services are protected.

Examples include:

  • Apache

  • SSH

  • DNS

  • FTP

  • Mail servers

MLS (Multi-Level Security)

Designed for environments requiring strict data classification.

Examples:

  • Military systems

  • Government organizations

  • Intelligence agencies

It supports multiple security levels and categories.

Minimum Policy

Provides protection for only a small set of services.

Useful in lightweight or customized installations.

SELinux Contexts

Each file has a security label.

Administrators can view contexts using:

ls -Z

Example:

-rw-r--r-- root root system_u:object_r:httpd_sys_content_t:s0 index.html

The important part is:

httpd_sys_content_t

This indicates the file is intended for use by the Apache web server.

If a file has the wrong label, the application may be denied access even if file permissions appear correct.

Common SELinux Management Commands

Check current status:

getenforce

Display complete status:

sestatus

Temporarily switch to permissive mode:

setenforce 0

Return to enforcing mode:

setenforce 1

Restore default security labels:

restorecon -Rv /var/www/html

View security contexts:

ls -Z
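As an added example (not from the original article), the following Python snippet does offline what restorecon -nv does on a live system: it compares the labels in constructed ls -Z output against constructed file_contexts-style rules and reports the files that restorecon -Rv would relabel. It assumes the regexes shown, accepts both ls -Z layouts (context and name, or the page's perms/owner/group/context/name form), and the about.html line shows the typical case of a file moved into the web root with mv, which keeps its old label.

```python
import re

# Constructed file-context specifications in the style of SELinux
# file_contexts entries: a path regex and the label files there should carry.
FILE_CONTEXTS = [
    (r"/var/www(/.*)?", "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/var/www/html/uploads(/.*)?", "system_u:object_r:httpd_sys_rw_content_t:s0"),
    (r"/home/[^/]+(/.*)?", "unconfined_u:object_r:user_home_t:s0"),
]

def expected_context(path: str):
    """Toy matcher: the last matching entry wins, so the more specific
    uploads rule is listed after the general /var/www rule. Real SELinux
    tooling orders entries by specificity; this is a simplification."""
    best = None
    for regex, label in FILE_CONTEXTS:
        if re.fullmatch(regex, path):
            best = label
    return best

# Up to three leading fields (perms owner group), then the context, then the path.
_LS_Z = re.compile(r"^(?:\S+\s+){0,3}?(\S+:\S+:\S+:\S+)\s+(\S.*)$")

def find_mislabeled(ls_output: str) -> list:
    """Return (path, current_label, expected_label) for every entry whose
    label differs from the file-context rules, i.e. what restorecon -nv
    would report before restorecon -Rv fixes it."""
    findings = []
    for line in ls_output.strip().splitlines():
        m = _LS_Z.match(line)
        if not m:
            continue
        current, path = m.groups()
        expected = expected_context(path)
        if expected is not None and current != expected:
            findings.append((path, current, expected))
    return findings

# Constructed sample output of `ls -Zd` on a few full paths. about.html was
# moved in from a home directory with mv, which preserves the old label.
SAMPLE = """\
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /var/www/html/about.html
drwxrwxr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/html/uploads
-rw-r--r--. alice alice unconfined_u:object_r:user_home_t:s0 /home/alice/notes.txt
"""
```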

Advantages of SELinux

SELinux offers several benefits:

  • Strong protection against unauthorized access.

  • Limits the impact of compromised applications.

  • Prevents privilege escalation attacks.

  • Protects critical system services.

  • Provides detailed security auditing.

  • Highly customizable security policies.

  • Suitable for enterprise and government systems.

Limitations of SELinux

Some challenges include:

  • Steep learning curve.

  • Complex policy management.

  • Initial configuration can be difficult.

  • Incorrect policies may block legitimate applications.

  • Troubleshooting requires understanding security contexts.

What is AppArmor?

AppArmor is another Linux security framework that provides Mandatory Access Control.

Unlike SELinux, which uses security labels, AppArmor works by assigning security profiles directly to application paths.

Each application has a profile specifying:

  • Accessible files

  • Allowed directories

  • Network permissions

  • Process capabilities

  • Executable programs

If an application attempts an unauthorized action, AppArmor blocks it.

How AppArmor Works

Suppose an application is allowed access only to:

/var/www/

If it attempts to access:

/etc/shadow

AppArmor immediately blocks the request.

This restriction remains effective even if the application is compromised by an attacker.

AppArmor Modes

Enforce Mode

Rules are fully enforced.

Unauthorized actions are denied.

Complain Mode

Actions are allowed but logged.

Useful for developing or testing profiles.

Disable Mode

The profile is inactive.

No restrictions are applied.

AppArmor Profiles

Profiles are simple text files.

Example: a profile confining the program

/usr/bin/nginx

The profile may specify:

  • Read access to website files.

  • Write access to log files.

  • Permission to bind to network ports.

  • Denial of access to sensitive system files.

This keeps applications confined to only the resources they need.
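The following is an added Python example, neither the article's own code nor AppArmor's implementation, that parses a constructed profile for the page's /usr/bin/nginx path and mediates file accesses the way the sections above describe: a ** glob crosses directory boundaries while * does not, an explicit deny rule wins, anything no rule allows is denied, and complain mode logs instead of blocking. The profile contents and the log line are constructed simplifications.

```python
import re

# Constructed profile in AppArmor syntax confining the page's example path.
# Only file rules are modelled; network and capability rules are left out.
PROFILE = """
/usr/bin/nginx {
  /var/www/** r,
  /var/log/nginx/*.log w,
  deny /etc/shadow r,
}
"""

def glob_to_regex(pattern: str):
    """AppArmor globbing: '**' may cross '/', while '*' and '?' may not."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        else:
            c = pattern[i]
            parts.append({"*": "[^/]*", "?": "[^/]"}.get(c, re.escape(c)))
            i += 1
    return re.compile("".join(parts) + r"\Z")

# One file rule per line: optional 'deny', a path glob, permission letters.
_RULE = re.compile(r"^\s*(deny\s+)?(/\S+)\s+([a-z]+),\s*$")

def parse_profile(text: str) -> list:
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line)
        if m:
            rules.append((bool(m.group(1)), glob_to_regex(m.group(2)), m.group(3)))
    return rules

RULES = parse_profile(PROFILE)

def mediate(mode: str, path: str, perm: str) -> tuple:
    """Decide one file access: an explicit deny beats any allow, and an access
    no rule allows is denied. Complain mode logs but lets the access proceed;
    the log line is a constructed simplification of AppArmor's audit message."""
    denied = any(d and rx.match(path) and perm in p for d, rx, p in RULES)
    allowed = any(not d and rx.match(path) and perm in p for d, rx, p in RULES)
    if allowed and not denied:
        return True, ""
    status = "ALLOWED" if mode == "complain" else "DENIED"
    msg = f'apparmor="{status}" profile="/usr/bin/nginx" name="{path}" requested_mask="{perm}"'
    return mode == "complain", msg
```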

Common AppArmor Commands

Check profile status:

aa-status

Put a profile into enforce mode:

aa-enforce profile_name

Switch to complain mode:

aa-complain profile_name

Disable a profile:

aa-disable profile_name

Advantages of AppArmor

AppArmor provides several benefits:

  • Easier to configure than SELinux.

  • Human-readable profiles.

  • Simpler troubleshooting.

  • Lightweight implementation.

  • Effective application isolation.

  • Good integration with Ubuntu and SUSE Linux.

Limitations of AppArmor

Some drawbacks include:

  • Less granular than SELinux.

  • Because protection is tied to file paths, it can be weakened if files are moved or renamed.

  • Fewer advanced policy features.

  • Not as flexible for highly secure enterprise environments.

SELinux vs AppArmor

Feature                       SELinux                   AppArmor
Security Model                Label-based               Path-based
Complexity                    High                      Moderate
Learning Curve                Steep                     Easier
Policy Management             More detailed             Simpler
Performance Impact            Very low                  Very low
Security Granularity          Very high                 Moderate
Enterprise Adoption           High                      Moderate
Default Distribution Support  Red Hat, CentOS, Fedora   Ubuntu, SUSE

Best Practices

To effectively use SELinux or AppArmor:

  • Keep the security framework enabled instead of disabling it.

  • Regularly review audit logs to identify policy violations.

  • Apply the principle of least privilege by granting only necessary permissions.

  • Use enforcing mode in production environments after thorough testing.

  • Keep security policies updated alongside system updates.

  • Test new applications in permissive or complain mode before deployment.

  • Restore correct security labels or profiles after file modifications or migrations.

  • Document custom security policies to simplify maintenance and troubleshooting.

Conclusion

SELinux and AppArmor are powerful security frameworks that enhance Linux system protection by enforcing Mandatory Access Control. While both aim to restrict applications to only the resources they require, they differ in implementation. SELinux uses label-based security with highly granular policies, making it ideal for enterprise and high-security environments. AppArmor relies on simpler path-based profiles, offering easier configuration and management for general-purpose systems. Choosing between them depends on the organization's security requirements, administrative expertise, and the Linux distribution in use. When properly configured, either framework significantly strengthens the overall security posture of a Linux system.