Standard Linux permissions are flexible but not foolproof. Kernel Security Modules like SELinux and AppArmor enforce mandatory access control, locking systems down to prevent even privileged processes from doing harm.
Linux Kernel Security Modules: Hardening Your System
Linux security relies on Discretionary Access Control (DAC), which allows users to modify permissions on their own files. However, in security-critical environments, we need Mandatory Access Control (MAC). Linux Kernel Security Modules (LSMs) like SELinux and AppArmor provide this capability.
Understanding SELinux
SELinux operates on the principle of "default deny" – if a permission isn't explicitly granted, it's denied. This requires careful configuration but provides exceptional security.
SELinux Concepts
Contexts: Every file, process, and port has a security context. Let's check them:
# View file contexts
ls -Z /etc/passwd
# Output: system_u:object_r:etc_t:s0 /etc/passwd
# View process contexts
ps -eZ | grep httpd
# system_u:system_r:httpd_t:s0 apache 1234
# View port contexts
semanage port -l | grep http
# http_port_t tcp 80, 8008, 8080, 8888
Policies: SELinux policies define what subjects (users/processes) can do to objects (files/ports). Policies are written in a domain-specific language; the core statements are type enforcement rules like these:
# Allow the web server domain (httpd_t) to read files labelled var_www_t
# (read alone is not enough to open a file; getattr and open are needed as well)
allow httpd_t var_www_t:file { read getattr open };
# Allow processes in the init_t domain to bind a TCP socket to a port labelled port_t
allow init_t port_t:tcp_socket name_bind;
Modes: SELinux can run in three modes, enforcing (deny and log), permissive (log only) and disabled:
# Check current mode
getenforce
# output: Enforcing
# Temporarily set to permissive (logs violations without blocking)
setenforce 0
# Permanently change via /etc/selinux/config (takes effect at the next boot)
SELINUX=enforcing
SELINUXTYPE=targeted
Working with SELinux
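Contexts drift in practice: a file copied into the web root from a home directory keeps its user_home_t type, and httpd_t is then denied access even though DAC permissions look fine. The script below is an added example, not code from the article; it compares the type field of observed contexts against the types you expect and flags the mismatch, which is what restorecon -nv does against the policy's own file-context spec. The ls -Z listing and the expected-type table are constructed sample data, and ctx_part, expected_type and report_drift are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the article). Detect SELinux label drift by comparing
# the type part of each observed context with the type a spec expects.

# Constructed sample of `ls -Z` output; not captured from a real host.
SAMPLE_LISTING='system_u:object_r:etc_t:s0 /etc/passwd
system_u:object_r:shadow_t:s0 /etc/shadow
system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/upload.php'

# Expected type per path prefix, in the spirit of a file-context spec.
# Constructed for the example; the live equivalent is `semanage fcontext -l`.
EXPECTED_TYPES='/etc/passwd etc_t
/etc/shadow shadow_t
/var/www/html httpd_sys_content_t'

# ctx_part CONTEXT N -> part N of user:role:type:level (3 is the type,
# which is what type enforcement rules are written against)
ctx_part() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# expected_type PATH -> type from the longest matching prefix, or empty
expected_type() {
  printf '%s\n' "$EXPECTED_TYPES" | awk -v p="$1" '
    index(p, $1) == 1 && length($1) > best { best = length($1); t = $2 }
    END { print t }'
}

# report_drift LISTING -> one line per path: OK, or MISMATCH with both types
# and the command that would restore the expected label
report_drift() {
  printf '%s\n' "$1" | while read -r ctx path; do
    have=$(ctx_part "$ctx" 3)
    want=$(expected_type "$path")
    if [ -n "$want" ] && [ "$have" != "$want" ]; then
      printf 'MISMATCH %s observed=%s expected=%s (fix: restorecon -v %s)\n' \
        "$path" "$have" "$want" "$path"
    else
      printf 'OK %s %s\n' "$path" "$have"
    fi
  done
}

# Stand-alone run: print the drift report for the constructed listing.
report_drift "$SAMPLE_LISTING"
```

The point of checking the type field rather than the whole string is that the user and role parts of a file label are rarely what a policy decision turns on; the mismatch reported here (user_home_t where httpd_sys_content_t is expected) is the one that produces an AVC denial for the web server, and the remedy is a relabel, not a new allow rule.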
When an application is denied access, the denial is logged as an AVC record in the audit log. You can generate policy modules from these denials, but review what audit2allow proposes before loading it: it allows exactly what was denied, including accesses that should stay blocked.
# View recent denials
tail -f /var/log/audit/audit.log | grep AVC
# Use audit2why to understand denials
audit2why -a
# output: type=AVC msg=audit(...): avc: denied { read }
# for pid=1234 comm="httpd" ...
# Missing type enforcement allow rule.
# Generate suggested policy
audit2allow -a -M httpd_web
semodule -i httpd_web.pp
AppArmor: An Alternative Approach
AppArmor is more straightforward than SELinux and is the default on Ubuntu systems. Instead of security contexts, AppArmor uses file path-based rules:
# /etc/apparmor.d/usr.bin.myapp
#include <tunables/global>
/usr/bin/myapp {
#include <abstractions/base>
#include <abstractions/nameservice>
/usr/bin/myapp mr, # read and map as executable (the program's own binary)
/etc/myapp/config.conf r, # read
/var/log/myapp.log w, # write
/tmp/** rw, # read and write files under /tmp (a bare /tmp/ rule covers only the directory itself)
/proc/*/stat r, # read proc files
# Capabilities the program may use (any capability not listed is denied)
capability setuid,
capability dac_override,
# Explicit deny rules take precedence over the allow rules above
deny /etc/shadow r,
deny /root/** rw,
}
Load and enforce profiles:
# Load a profile
apparmor_parser -r /etc/apparmor.d/usr.bin.myapp
# Check profile status
aa-status | grep myapp
# Temporarily set to complain mode (logging without enforcement)
aa-complain /usr/bin/myapp
# Enforce it
aa-enforce /usr/bin/myapp
# Generate profile from denials
aa-logprof
Practical Hardening Steps
Step 1: Inventory Your Security Modules
# List the security modules active in this kernel; the output is comma-separated
# and contains selinux or apparmor when that module is built in and enabled
cat /sys/kernel/security/lsm
Step 2: Enable and Configure SELinux
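aa-logprof walks you through the logged events interactively. To show what it is doing underneath, here is an added example that is not part of the article or of the AppArmor project: it turns AppArmor DENIED (or, in complain mode, ALLOWED) audit records for one profile into draft profile rules, merges the requested masks per path, collects capability events, and refuses to draft an allow rule for sensitive paths, emitting a deny rule for review instead. The audit lines are constructed, the sensitive-path pattern is an assumption for the example, and draft_rules is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the article). Draft AppArmor rules from audit records.

# Constructed audit.log excerpt; not captured from a real host. The last record
# belongs to a different profile and must be ignored.
SAMPLE_LOG='type=AVC msg=audit(1700000200.001:801): apparmor="DENIED" operation="open" profile="/usr/bin/myapp" name="/etc/myapp/extra.conf" pid=4321 comm="myapp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000200.002:802): apparmor="DENIED" operation="open" profile="/usr/bin/myapp" name="/var/lib/myapp/state.db" pid=4321 comm="myapp" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1700000200.003:803): apparmor="DENIED" operation="open" profile="/usr/bin/myapp" name="/var/lib/myapp/state.db" pid=4321 comm="myapp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000200.004:804): apparmor="DENIED" operation="open" profile="/usr/bin/myapp" name="/etc/shadow" pid=4321 comm="myapp" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000200.005:805): apparmor="DENIED" operation="capable" profile="/usr/bin/myapp" pid=4321 comm="myapp" capability=2 capname="dac_read_search"
type=AVC msg=audit(1700000200.006:806): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/tmp/x" pid=1 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# draft_rules PROFILE_NAME  (audit records on stdin) -> sorted draft rules.
# Paths matching the sensitive pattern (assumed for the example) are emitted
# as deny rules flagged for review rather than as allow rules.
draft_rules() {
  awk -v prof="$1" -v sens="^/etc/(g?shadow|sudoers)($|/)|^/root/" '
    function kv(key,   i, s, e) {          # value of key="..." in this record
      i = index($0, " " key "=\"");
      if (i == 0) return "";
      s = substr($0, i + length(key) + 3);
      e = index(s, "\"");
      return substr(s, 1, e - 1);
    }
    function canon(m,   out, i, c) {       # order permission letters as profiles do
      out = "";
      for (i = 1; i <= 6; i++) { c = substr("rwmklx", i, 1); if (index(m, c)) out = out c }
      return out;
    }
    /apparmor="(DENIED|ALLOWED)"/ && kv("profile") == prof {
      if (kv("operation") == "capable") { caps[kv("capname")] = 1; next }
      path = kv("name"); mask = kv("requested_mask");
      if (path == "") next;
      for (i = 1; i <= length(mask); i++) {
        c = substr(mask, i, 1);
        if (c == "c") c = "w";             # create is implied by w in profile syntax
        if (!index(perms[path], c)) perms[path] = perms[path] c;
      }
    }
    END {
      for (p in perms) {
        if (p ~ sens) printf "deny %s %s, # review: sensitive path, keep denied\n", p, canon(perms[p]);
        else printf "%s %s,\n", p, canon(perms[p]);
      }
      for (c in caps) printf "capability %s,\n", c;
    }' | sort
}

# Stand-alone run: draft rules for the constructed profile name.
printf '%s\n' "$SAMPLE_LOG" | draft_rules /usr/bin/myapp
```

Two design choices matter here. Masks are merged per path, so two events on state.db become a single rw rule instead of two overlapping lines, and the shadow read is not silently converted into an allow: a denial on a credential file is a finding about the program, and the draft keeps it denied so a reviewer has to make that decision explicitly.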
# Install SELinux tools
sudo yum install selinux-policy selinux-policy-devel setroubleshoot
# Set to enforcing (do this after testing in permissive)
sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
# Relabel filesystem (this takes time!)
sudo touch /.autorelabel
sudo reboot
Step 3: Monitor and Audit
# Real-time monitoring
sudo tail -f /var/log/audit/audit.log | grep AVC | grep denied
# Generate reports
ausearch -m AVC -ts recent | head -20
Caution: Before enabling SELinux or AppArmor in enforcing mode on a production system, test thoroughly in permissive/complain mode to understand legitimate denials.
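Both the denial-reading workflow in the SELinux section and Step 3 above end with a stream of raw AVC records, and the question a practitioner actually has is which distinct denials remain and whether any of them block the switch to enforcing. The script below is an added example, not code from the article: it collapses AVC records into one line per source type, target type, class and permission, notes whether the kernel was enforcing at the time, gates a move to enforcing on the result, and prints a triage hint per denial. The audit excerpt is constructed, the hint rules are assumptions for the example (getsebool, matchpathcon and restorecon are the real tools they point at), and avc_summary, ready_to_enforce and triage_hint are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the article). Summarize and triage SELinux AVC denials.

# Constructed audit.log excerpt; not captured from a real host. The first two
# records are the same denial seen twice while SELinux was permissive.
SAMPLE_AUDIT='type=AVC msg=audit(1700000100.001:701): avc:  denied  { read } for  pid=1234 comm="httpd" name="upload.php" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000100.002:702): avc:  denied  { read } for  pid=1234 comm="httpd" name="upload.php" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000100.003:703): avc:  denied  { open } for  pid=1234 comm="httpd" path="/var/www/html/upload.php" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000100.004:704): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000100.005:705): avc:  denied  { write } for  pid=2222 comm="backup" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=USER_LOGIN msg=audit(1700000100.006:706): pid=3000 uid=0 auid=1000 ses=4 exe="/usr/sbin/sshd" res=success'

# avc_summary (records on stdin) -> lines of
#   COUNT SOURCE_TYPE TARGET_TYPE CLASS PERMISSION MODE
# one per distinct denial; MODE is permissive when the access was only logged.
avc_summary() {
  awk '
    function field(key,   i, s, e) {       # value of key=... (quoted or bare)
      i = index($0, " " key "=");
      if (i == 0) return "";
      s = substr($0, i + length(key) + 2);
      if (substr(s, 1, 1) == "\"") { s = substr(s, 2); e = index(s, "\"") }
      else { e = index(s, " "); if (e == 0) e = length(s) + 1 }
      return substr(s, 1, e - 1);
    }
    function ctx_type(ctx,   a) { split(ctx, a, ":"); return a[3] }
    /^type=AVC / && / denied / {
      b = index($0, "{"); e = index($0, "}");
      perms = substr($0, b + 1, e - b - 1);    # "{ read }" may list several perms
      src = ctx_type(field("scontext")); tgt = ctx_type(field("tcontext"));
      cls = field("tclass");
      mode = (field("permissive") == "1") ? "permissive" : "enforced";
      n = split(perms, p, " ");
      for (i = 1; i <= n; i++) count[src " " tgt " " cls " " p[i] " " mode]++;
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# ready_to_enforce (records on stdin) -> exit 0 only when no AVC denial is
# present; run it over the permissive-mode log before setting SELINUX=enforcing.
ready_to_enforce() {
  n=$(avc_summary | wc -l | tr -d ' ')
  [ "$n" -eq 0 ]
}

# triage_hint TARGET_TYPE CLASS PERMISSION -> one-line suggestion (assumed rules)
triage_hint() {
  case "$2 $3 $1" in
    "file "*" user_home_t"|"file "*" tmp_t"|"file "*" default_t")
      echo "likely mislabeled file: compare matchpathcon PATH with ls -Z and run restorecon -v PATH instead of writing an allow rule" ;;
    "tcp_socket name_connect "*)
      echo "check for a policy boolean before writing a rule: getsebool -a | grep can_network_connect" ;;
    *" shadow_t")
      echo "access to shadow_t should not be granted to a service domain; fix the program, do not audit2allow" ;;
    *)
      echo "review the access, then audit2allow only if it is legitimate" ;;
  esac
}

# Stand-alone run: summary with a hint per line, then the enforce decision.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | while read -r n src tgt cls perm mode; do
  printf '%s x%s %s -> %s %s %s: %s\n' "$mode" "$n" "$src" "$tgt" "$cls" "$perm" \
    "$(triage_hint "$tgt" "$cls" "$perm")"
done
if printf '%s\n' "$SAMPLE_AUDIT" | ready_to_enforce; then
  echo "no denials recorded: safe to switch to enforcing"
else
  echo "denials remain: stay in permissive mode and resolve them first"
fi
```

On a live host the same functions read from ausearch -m AVC -ts recent instead of the constructed string. Keying the summary on the type fields rather than on pid or inode is deliberate: the count tells you how often a policy gap is hit, and the hint column separates relabeling problems from genuine policy gaps before anything goes near audit2allow.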
Performance Considerations
LSMs add overhead, but it's typically minimal (< 5% in most scenarios). The security benefits vastly outweigh the performance impact.
Conclusion
Linux Kernel Security Modules are powerful tools for hardening your systems. Start with AppArmor if you're new to mandatory access control – it's more forgiving for learning. Transition to SELinux for environments requiring stronger, context-based security. Always test policies in permissive/complain mode before enforcing them in production.
Have questions about implementing SELinux or AppArmor? I'm always happy to talk shop — reach out or connect with me on LinkedIn.