SELinux (Security-Enhanced Linux) and AppArmor (Application Armor) are Linux kernel security modules that implement Mandatory Access Control (MAC). While standard Linux permissions (Discretionary Access Control) rely on user ownership, MAC systems utilize granular policies to restrict what specific applications or processes can do, adhering to the principle of least privilege.
SELinux, originally developed by the NSA and enabled by default on Red Hat-based distributions (RHEL, Fedora), operates on a 'labeling' system. Every file, process, and port carries a security context (label); for files the label is stored as an extended attribute, so it stays with the file rather than with its path. Policies define rules for how a labeled process may interact with a labeled object, and anything the policy does not allow is denied. It operates in three modes: Enforcing (blocks and logs violations), Permissive (logs violations only), and Disabled. Key commands for the exam include 'getenforce', 'sestatus', 'ls -Z' (to see labels), and 'restorecon'.
AppArmor, default on Debian and Ubuntu (and on SUSE), uses a 'path-based' approach. It binds security profiles to executable file paths. These profiles are human-readable text files stored in /etc/apparmor.d/ that define exactly what files a program can read, write, or execute. Because the profile is keyed by path, the same binary copied or hard-linked to a path with no profile runs unconfined. AppArmor modes include Enforce (blocks violations) and Complain (logs violations for debugging). Key commands include 'aa-status', 'aa-genprof', and 'aa-complain'.
In a CompTIA context, the primary distinction is the mechanism: SELinux labels objects with extended attributes stored alongside the inode and is considered more complex but more robust, whereas AppArmor identifies the confined program and its resources by file path, making it easier to configure and manage.
CompTIA Linux+ Guide: SELinux and AppArmor Security Controls
Why It Is Important
In the Linux environment, standard file permissions (rwx) constitute Discretionary Access Control (DAC). DAC has a structural limit: the owner of an object decides who may access it, a process carries all of the access rights of the user it runs as, and root bypasses DAC checks entirely. If a service running as root is compromised, the attacker inherits unrestricted access to the entire system.
To mitigate this, CompTIA Linux+ emphasizes Mandatory Access Control (MAC). MAC systems, specifically SELinux and AppArmor, enforce kernel-level policies that a process owner cannot override and that restrict applications to only the resources they need to function. Even if an attacker compromises a web server, the policy confining that server process prevents it from reading /etc/shadow or the home directories, regardless of the UID it runs as. The protection applies only to processes the policy actually confines: an unconfined process is limited only by DAC.
What is SELinux?
SELinux (Security-Enhanced Linux) is the MAC system primarily used by the Red Hat family (RHEL, Fedora, CentOS). It relies on contexts (labels) applied to files, processes, and ports.
How SELinux Works
SELinux assigns a label to every object in the format user:role:type:level, for example system_u:object_r:httpd_sys_content_t:s0. The most important part for the exam is the Type (usually ending in _t, such as httpd_t for the web server process or httpd_sys_content_t for the content it serves). When a process tries to access an object, the kernel checks the loaded policy for a rule allowing the source type (the process's domain) to perform that operation on the target type for that object class (file, dir, tcp_socket, and so on). Anything not explicitly allowed is denied and logged as an AVC denial.
SELinux Modes:
1. Enforcing: The policy is active. Violations are blocked and logged.
2. Permissive: The policy is active. Violations are not blocked but are logged as "would be" denials, which is useful for debugging.
3. Disabled: The SELinux infrastructure is not loaded.
Enforcing and Permissive can be switched at runtime. Enabling or disabling SELinux requires editing /etc/selinux/config (or passing selinux=0 on the kernel command line) and rebooting, and going from Disabled back to Enforcing requires a full filesystem relabel (touch /.autorelabel before the reboot).
Key SELinux Commands:
getenforce: Displays the current mode.
setenforce [0|1]: Switches between Permissive (0) and Enforcing (1) at runtime; the change is lost at reboot unless SELINUX= in /etc/selinux/config is updated as well.
sestatus: Shows the current and configured modes and the loaded policy type.
ls -Z: Lists files with their security contexts.
ps -Z: Lists processes with their security contexts.
chcon: Changes a file context directly; the change survives reboots but is lost when the file is relabeled (restorecon, fixfiles, or /.autorelabel).
restorecon: Resets a file's context to what the policy's file-context rules say it should be (the permanent fix for a mislabeled file).
semanage fcontext -a -t <type> '<path-regex>': Adds a file-context rule for a new path so that a later restorecon applies the desired label; use this when the correct label is not the policy default for that location.
getsebool / setsebool: Manages SELinux boolean toggles (feature switches); setsebool -P makes the change persistent across reboots.
What is AppArmor?
AppArmor (Application Armor) is the MAC system used by default on Debian-based distributions (Debian, Ubuntu) and on SUSE. It uses profiles loaded into the kernel. It is generally considered easier to configure than SELinux because it is path-based rather than label-based: there is no filesystem metadata to keep in sync, but the confinement is tied to the name of the executable and of the files it touches, not to the files themselves.
How AppArmor Works
Profiles are stored in /etc/apparmor.d/, conventionally named after the executable path with the slashes replaced by dots (usr.sbin.nginx for /usr/sbin/nginx). Each profile corresponds to an executable path (e.g., /usr/sbin/nginx) and lists the files that executable may read, write, or execute, plus the capabilities and network access it needs; anything not listed is denied.
AppArmor Modes:
1. Enforce: Profiles are enforced; violations are blocked and logged.
2. Complain: Violations are allowed but logged. This is how a new profile is built: run the program in complain mode, then turn the logged events into rules with aa-logprof. Unlike setenforce 0, which is system-wide, the mode is set per profile, so one service can be in complain mode while the rest stay enforced.
Key AppArmor Commands:
aa-status: Shows the loaded profiles, their modes, and which processes they confine.
aa-complain: Sets a specific profile to complain mode.
aa-enforce: Sets a specific profile to enforce mode.
aa-unconfined: Lists processes with open network sockets that are running without an AppArmor profile.
aa-genprof: Creates a new profile for a program interactively.
aa-logprof: Scans the logs for events from profiles in complain mode and proposes rules to add.
apparmor_parser -r <profile-file>: Reloads a profile file into the kernel after editing it.
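As an added example that is not from the guide or from any distribution's packaged profiles, the following script shows the path-based model in working form. It writes a profile from a rule list using the conventions described above (a profile keyed by the executable path, rules of the form path-glob plus permission letters, stored under /etc/apparmor.d/), and includes a small matcher that answers whether a given path would be allowed by that profile. The nginx paths, the rule set, and the helper names (make_profile, profile_allows, glob_to_re, profile_filename) are assumptions for illustration; the matcher covers only the * and ** globs, deny rules, and file permission letters, not the full AppArmor profile language.

```shell
#!/bin/sh
# Added example (not from the guide or any package): build an AppArmor
# profile for an executable from a list of path rules, and check which paths
# the result would allow. The nginx rule set is CONSTRUCTED for illustration;
# nothing here writes to /etc/apparmor.d.

# Conventional profile file name: drop the leading slash, turn the remaining
# slashes into dots (/usr/sbin/nginx -> usr.sbin.nginx).
profile_filename() {
    printf '%s\n' "${1#/}" | tr / .
}

# Emit a profile for executable $1. stdin carries one rule per line as
# "<path-glob> <perms>", "deny <path-glob> <perms>" or "capability <name>".
make_profile() {
    printf '#include <tunables/global>\n\n%s {\n  #include <abstractions/base>\n\n' "$1"
    while read -r rule; do
        if [ -n "$rule" ]; then printf '  %s,\n' "$rule"; fi
    done
    printf '}\n'
}

# AppArmor path glob -> grep regex: '**' may cross '/', '*' may not.
# DOUBLESTAR is a placeholder so the two glob forms are not confused.
glob_to_re() {
    printf '^%s$\n' "$1" | sed -e 's/\./\\./g' -e 's/\*\*/DOUBLESTAR/g' \
        -e 's#\*#[^/]*#g' -e 's/DOUBLESTAR/.*/g'
}

# Does the profile on stdin allow <path> with permission letter <perm>?
# AppArmor is default-deny: no matching rule means "no", and an explicit
# deny rule overrides any allow rule that also matches.
profile_allows() {
    path=$1; perm=$2; verdict=no
    while read -r line; do
        case $line in /*|"deny "*) ;; *) continue ;; esac   # skip includes, braces, capabilities
        case $line in *'{'*) continue ;; esac              # the "/usr/sbin/nginx {" header
        line=${line%,}
        deny=no
        case $line in "deny "*) deny=yes; line=${line#deny } ;; esac
        glob=${line% *}; perms=${line##* }
        case $perms in *"$perm"*) ;; *) continue ;; esac
        if printf '%s\n' "$path" | grep -q "$(glob_to_re "$glob")"; then
            if [ "$deny" = yes ]; then echo no; return 0; fi
            verdict=yes
        fi
    done
    echo "$verdict"
}

# Constructed rule set for a hypothetical nginx install.
NGINX_RULES='/usr/sbin/nginx mr
capability net_bind_service
/etc/nginx/** r
/var/www/html/** r
/var/log/nginx/*.log w
/run/nginx.pid rw
deny /etc/shadow r'

NGINX_PROFILE=$(printf '%s\n' "$NGINX_RULES" | make_profile /usr/sbin/nginx)

printf '%s\n' "$NGINX_PROFILE"
# The two glob forms behave differently: '**' reaches into subdirectories,
# '*' stays within one path component.
printf '%s\n' "$NGINX_PROFILE" | profile_allows /var/www/html/a/b.html r      # yes
printf '%s\n' "$NGINX_PROFILE" | profile_allows /var/log/nginx/old/x.log w    # no
printf '%s\n' "$NGINX_PROFILE" | profile_allows /etc/shadow r                 # no
# To use it for real (as root):
#   printf '%s\n' "$NGINX_PROFILE" > /etc/apparmor.d/$(profile_filename /usr/sbin/nginx)
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx
#   aa-complain /usr/sbin/nginx   # learn first, then aa-logprof, then aa-enforce
```

The profile is loaded with apparmor_parser -r and started in complain mode so that aa-logprof can propose the rules the constructed list missed; only after the log is quiet should aa-enforce be run. The matcher is the part worth keeping at hand: the difference between /var/log/nginx/*.log and /var/log/nginx/** is the usual cause of a "working" profile that starts denying access once logs are rotated into a subdirectory.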
Exam Tips: Answering Questions on SELinux and AppArmor
1. Identify the Distro If the question mentions CentOS, RHEL, or Fedora, the answer usually involves SELinux. If it mentions Ubuntu, Debian, or SUSE, look for AppArmor.
2. Context vs. Path If the question discusses "label mismatches," "contexts," or "_t", it is SELinux. If the question discusses absolute file paths in a configuration file, it is AppArmor.
3. Troubleshooting Access Denials
Do not disable security entirely. For SELinux: Switch to Permissive mode with setenforce 0 to confirm that the problem is a policy denial (if the application starts working, it is), then return to Enforcing with setenforce 1 once you know. Check /var/log/audit/audit.log; ausearch -m AVC -ts recent filters out just the denial records, and on systems with setroubleshoot installed, sealert -a /var/log/audit/audit.log explains them. Note that setenforce 0 is system-wide; semanage permissive -a <type> makes a single domain permissive instead. For AppArmor: Switch the profile to Complain mode via aa-complain. Check /var/log/syslog or /var/log/kern.log (or journalctl -k) for lines containing apparmor="DENIED".
4. The "mv" vs "cp" Trap
In SELinux, a moved (mv) file keeps its original label, which may be wrong for the new location: a file moved from a home directory into /var/www/html still carries user_home_t, and the web server (httpd_t) cannot read it. A copied (cp) file is a new inode and receives the default label for the destination directory, unless cp is told to preserve the source label (cp -a or cp --preserve=context). To fix a moved file, run restorecon on it (restorecon -Rv for a whole directory).
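The SELinux troubleshooting step (tip 3), the label format from the SELinux section, and the relabeling fix in tip 4 are easier to see on actual records. The script below is an added example, not from the guide: it parses AVC denial records in the /var/log/audit/audit.log format, pulls the type field out of the source and target contexts, flags records written while in Permissive mode, and prints a first triage hint (relabel vs boolean vs policy module). The sample records are constructed, the helper names (avc_field, avc_perm, avc_hint, avc_summarize, ctx_type) are my own, and the hints are heuristics, not the output of any SELinux tool.

```shell
#!/bin/sh
# Added example (not from the guide): first-pass triage of SELinux AVC
# denials. The records in AVC_SAMPLE are CONSTRUCTED to match the
# /var/log/audit/audit.log format; they are not captures from a real host.
AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { write } for  pid=1234 comm="httpd" name="upload.tmp" dev="dm-0" ino=2222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1'

# user:role:type:level -> type. Type-enforcement rules are written against
# this third field, so it is the part worth extracting from ls -Z / ps -Z.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Value of " key=value" or " key=\"value\"" in one audit record; empty if absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# The permission(s) between the braces, e.g. "read" or "name_connect".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p'
}

# Triage hint from the target type ($1) and object class ($2). default_t means
# no file-context rule matched the path and unlabeled_t means the object has
# no label at all; both are relabeling problems, not missing policy.
avc_hint() {
    case $1 in
        default_t|unlabeled_t) echo "relabel: restorecon -Rv <path>" ;;
        *) case $2 in
               tcp_socket|udp_socket) echo "network access: check getsebool -a for a boolean" ;;
               *) echo "compare ls -Z with matchpathcon; if they agree, a boolean or policy module is needed" ;;
           esac ;;
    esac
}

# One line per AVC record on stdin; records logged under Permissive mode
# (permissive=1) are flagged as would-be denials, as the guide describes.
avc_summarize() {
    while IFS= read -r rec; do
        case $rec in *"avc:  denied"*) ;; *) continue ;; esac
        stype=$(ctx_type "$(avc_field "$rec" scontext)")
        ttype=$(ctx_type "$(avc_field "$rec" tcontext)")
        tclass=$(avc_field "$rec" tclass)
        if [ "$(avc_field "$rec" permissive)" = 1 ]; then
            mode=" [permissive: would-be denial]"
        else
            mode=""
        fi
        printf '%s as %s denied {%s} on %s (%s)%s -> %s\n' \
            "$(avc_field "$rec" comm)" "$stype" "$(avc_perm "$rec")" \
            "$ttype" "$tclass" "$mode" "$(avc_hint "$ttype" "$tclass")"
    done
}

# Demo on the constructed records. On a real host the same function reads
# the raw records that ausearch prints:
#   ausearch -m AVC -ts recent | avc_summarize
printf '%s\n' "$AVC_SAMPLE" | avc_summarize
```

The first constructed record is the mv trap from tip 4 (content under /var/www still labeled user_home_t, so restorecon is the fix once ls -Z and matchpathcon are seen to disagree); the second is a web server reaching a database port, the classic boolean case; the third was recorded with permissive=1, so it did not actually block anything and is exactly the "would be" denial that Permissive mode exists to surface.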