SELinux & AppArmor
Mandatory Access Control (MAC), security policies, and label-based enforcement in Linux
SELinux & AppArmor
Discretionary Access Control (DAC) the standard Unix permission model where owners control their own resources is flexible but fundamentally limited. When a vulnerability in a web server allows an attacker to execute arbitrary code, that code runs with all the privileges of the web server process. If the web server can read /etc/shadow, so can the attacker. This is the problem Mandatory Access Control (MAC) systems address.
SELinux and AppArmor implement MAC in Linux. Instead of allowing processes to control access to their own resources, a centralized policy defines what access is permitted. Even if a web server process is compromised, the security policy can prevent it from reading sensitive files, opening network connections to unexpected destinations, or executing programs. The policy restrictions are independent of what the process owner wants.
These systems represent different approaches to the same problem. SELinux uses label-based enforcement with flexible policies written in a custom language. AppArmor uses path-based profiles that are often simpler to write and understand. Both can dramatically improve security posture, but both require significant understanding to deploy effectively.
Overview
Mandatory Access Control represents a fundamental shift in security philosophy. Under DAC, access control is discretionary because resource owners decide who can access their resources. Under MAC, the operating system enforces access control according to a global policy that users cannot modify. Even root processes are constrained by this policy.
SELinux (Security-Enhanced Linux) was originally developed by the NSA with academic collaborators. It implements MAC through Security Contexts (labels) attached to every process and file. These contexts contain User, Role, Type, and Level components. Policy rules define which contexts can access which other contexts. The type component (in Type Enforcement) is the most commonly used for restricting processes.
AppArmor (Application Armor) takes a different approach. Instead of labels, AppArmor profiles specify allowed access based on file paths. A profile might declare that the program /usr/sbin/nginx can read files in /var/log/nginx/ and bind to TCP ports 80 and 443. Any other access is denied. Path-based profiles are intuitive because they match how people think about file permissions.
The distinction between these systems and standard permissions is crucial. A misconfigured chmod 777 affects only that specific file or directory. An SELinux or AppArmor policy violation is blocked regardless of traditional Unix permissions. Even if a file is world-readable, SELinux can prevent a web server process from reading it.
When to Use / When Not to Use
MAC systems are essential for servers handling untrusted workloads, multi-tenant environments, and compliance-sensitive applications. Government systems, financial services, and healthcare applications often require MAC frameworks for regulatory compliance.
These systems shine when you need defense in depth beyond standard permissions. If your web server gets compromised, MAC can limit what the attacker can do. If your database server is misconfigured, MAC can prevent unauthorized access to sensitive files. The policy provides a safety net that catches mistakes that standard permissions would miss.
However, MAC systems add complexity. Writing and debugging policies requires understanding the system and the workload. False positives can block legitimate operations; false negatives can create security gaps. For simple single-purpose systems where the threat model is well-understood, the overhead may not justify the benefits.
Architecture or Flow Diagram
graph TD
A[Process Makes Request] --> B{SELinux or AppArmor Active?}
subgraph SELinux Flow
B -->|SELinux| C[Get Process Context]
C --> D[Get Object Context]
D --> E{Evaluate Policy Rules}
E -->|Allow| F[Grant Access]
E -->|Deny| G[Log Violation<br/>Return EPERM]
end
subgraph AppArmor Flow
B -->|AppArmor| H[Find Profile for Program]
H --> I[Load Profile Rules]
I --> J{Compare Path + Permissions}
J -->|Allow| F
J -->|Deny| K[Log Violation<br/>Return EPERM]
end
style G stroke:#ff6b6b
style K stroke:#ff6b6bThe diagram shows how SELinux and AppArmor handle access requests differently. SELinux evaluates contexts attached to the process and target object against policy rules. AppArmor finds the profile associated with the program being executed and checks if the requested path and permission match the profile rules.
Core Concepts
SELinux Labels and Contexts
Every process and file in SELinux has a security context (label) attached. The context is displayed as four components:
user:role:type:levelUser maps Linux accounts to SELinux users. Role provides role-based access control within SELinux. Type (in Type Enforcement, the most common mode) defines what the process can access. Level (for MLS/MCS systems) provides hierarchical sensitivity levels.
A typical Apache process running in an SELinux-targeted policy environment has context:
system_u:system_r:httpd_t:s0Files in /var/www/html might have context:
system_u:object_r:httpd_sys_content_t:s0The policy defines that httpd_t processes can read files labeled with httpd_sys_content_t.
SELinux Policy Modes
SELinux operates in three modes:
Enforcing: Policy violations are blocked and logged. This is the production mode.
Permissive: Policy violations are logged but not blocked. Useful for developing and testing policies before enforcement.
Disabled: SELinux is completely off. Not recommended as it requires a reboot to re-enable cleanly.
# Check current mode
getenforce
# Set mode (requires root)
setenforce Enforcing
setenforce Permissive
# Check detailed status
sestatus
# Persistent configuration in /etc/selinux/configAppArmor Profiles
AppArmor profiles are simpler than SELinux policies. Each profile corresponds to a program and specifies allowed file access, capabilities, and network access.
# Profile for /usr/sbin/nginx
/usr/sbin/nginx {
# Include base abstractions
include <abstractions/base>
include <abstractions/nameservice>
# Allow read access to web content
/var/www/** r,
# Allow read access to log files
/var/log/nginx/** r,
# Allow binding to network ports
network inet stream,
# Allow executing CGI scripts
/usr/lib/nginx/** ix,
}Profiles use path specifications with permissions:
r- readw- writex- executek- lock filel- link*- any access
The ix transition permission means execute but inherit the current profile rather than switch to the executed file’s profile.
Production Failure Scenarios + Mitigations
Scenario: SELinux Blocks Legitimate Service Access
Problem: Service fails because SELinux policy prevents required file access or network operations.
Symptoms: Service fails to start, logs show “SELinux is preventing” messages, audit.log contains AVC denials.
Mitigation: Use audit2allow to generate policy modules for legitimate access patterns. First, confirm the access is legitimate by reviewing logs. Then generate and install a custom policy module. For temporary relief in development, set to permissive mode.
# Find SELinux denial messages
ausearch -m AVC -ts recent | head -20
# Generate policy module from denials
cat /var/log/audit/audit.log | audit2allow -m myapp > myapp.te
checkmodule -M -m -o myapp.mod myapp.te
semodule_package -o myapp.pp -m myapp.mod
semodule -i myapp.pp
# Temporary permissive mode for specific type
semanage permissive -a httpd_tScenario: AppArmor Prevents Application Access
Problem: Application fails with permission denied despite correct Unix permissions.
Symptoms: Application crashes, dmesg shows AppArmor denials, /var/log/syslog contains AppArmor messages.
Mitigation: Use aa-logprof to update profiles based on application behavior. Run the application in complain mode to generate logs without blocking. Update profiles accordingly.
# Put profile in complain mode (logs but allows)
aa-complain /etc/apparmor.d/usr/sbin.nginx
# After running application, update profile
aa-logprof
# Reload updated profile
apparmor_parser -r /etc/apparmor.d/usr/sbin.nginxScenario: Container Access Blocked by Host MAC Policy
Problem: Containerized application fails because host SELinux or AppArmor policy prevents container operations.
Symptoms: Container cannot bind to network port, cannot access mounted volume, operations fail inside container.
Mitigation: Set appropriate SELinux context on container volumes. Use chcon or semanage fcontext to set correct contexts. For AppArmor, ensure container runtime profile allows required access.
# Set SELinux context on volume mount
semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?'
restorecon -Rv /var/www/html
# For containers, use :Z flag to relabel automatically
docker run -v /var/www/html:/var/www/html:Z nginxTrade-off Table
| Aspect | SELinux | AppArmor |
|---|---|---|
| Policy Type | Label-based (Type Enforcement) | Path-based |
| Complexity | High (custom policy language) | Lower (profile syntax) |
| Learning Curve | Steep | Moderate |
| Debugging | Tools like audit2allow, sesearch | aa-logprof, dmesg |
| Flexibility | Very high (MCS, MLS, RBAC) | Moderate |
| Default Distribution | RHEL, Fedora, CentOS | SUSE, Ubuntu |
| Container Support | Excellent (with libvirt) | Native Docker integration |
| SELinux Component | Purpose | Example |
|---|---|---|
| User | Maps Linux users to SELinux users | staff_u for regular users |
| Role | Role-based access control | system_r for system processes |
| Type | Process/domain restrictions | httpd_t for web server |
| Level | Multi-level security (MLS) | s0 to s15:c0.c1023 |
| AppArmor Permission | Meaning |
|---|---|
r | Read |
w | Write (but not create/delete) |
a | Append |
x | Execute (own profile) |
ix | Execute (inherit current profile) |
px | Execute (own profile, with environment) |
ux | Execute (unconfined, dangerous) |
m | Execute as a mapped file |
Implementation Snippets
Checking SELinux Status and Context
#!/bin/bash
# Check SELinux status
echo "=== SELinux Status ==="
sestatus
echo ""
echo "=== Current Process Context ==="
id -Z
echo ""
echo "=== SELinux Context of Files ==="
ls -Z /etc/passwd /etc/shadow
echo ""
echo "=== SELinux Context of Running Services ==="
ps auxZ | grep httpd | head -3Creating a Simple SELinux Policy Module
# Step 1: Enable SELinux audit logging
ausearch -m AVC -ts recent > avc_logins
# Step 2: Generate policy module
cat avc_logins | audit2allow -M myapp_policy
# Step 3: Review generated policy
cat myapp_policy.te
# Step 4: Compile and install
checkmodule -M -m -o myapp_policy.mod myapp_policy.te
semodule_package -o myapp_policy.pp -m myapp_policy.mod
semodule -i myapp_policy.pp
# Step 5: Verify module loaded
semodule -l | grep myapp_policyAppArmor Profile for Python Application
# /etc/apparmor.d/usr/local/bin/myapp
/usr/local/bin/myapp {
include <abstractions/base>
# Allow reading configuration
/etc/myapp/** r,
# Allow reading and writing data
/var/lib/myapp/** rw,
# Allow log files
/var/log/myapp/** rw,
/var/log/myapp/*.log a,
# Network access
network inet stream,
network inet dgram,
# Allow tmp files
/tmp/** rw,
}Reloading AppArmor Profiles
#!/bin/bash
# Parse and reload all profiles
apparmor_parser -r /etc/apparmor.d/*
# Reload specific profile
apparmor_parser -r /etc/apparmor.d/usr.bin.nginx
# List loaded profiles
apparmor_status | grep profiles
# View profile violations in dmesg
dmesg | grep apparmorObservability Checklist
SELinux Monitoring:
- Enable
auditdto capture AVC (Access Vector Cache) denials - Monitor
/var/log/audit/audit.logfor violations - Track
sestatusoutput for policy state changes - Alert on permissive domain usage
AppArmor Monitoring:
- Check
dmesgfor DENIED messages - Use
aa-notifyfor desktop notifications - Monitor
/var/log/syslogfor AppArmor events - Track profile changes
Compliance Checks:
- Verify mode is Enforcing in production
- Confirm policy modules are loaded
- Check for unexpected permissive domains
- Validate container MAC configuration
Log Analysis:
# SELinux AVC denials in last hour
ausearch -m AVC -ts one hour | tail -30
# AppArmor denied operations
grep DENIED /var/log/syslog | tail -20
# Set up real-time alerting
ausearch -m AVC | tail -5 | while read line; do
echo "$line" | mail -s "SELinux denial" admin@example.com
doneSecurity/Compliance Notes
Regulatory Requirements: Many compliance frameworks (FedRAMP, PCI-DSS, HIPAA) require MAC implementation for sensitive systems. SELinux provides comprehensive controls that satisfy these requirements when properly configured.
Defense in Depth: MAC provides a critical layer beyond standard permissions. Even if an attacker gains code execution, MAC policies can prevent lateral movement, data exfiltration, and privilege escalation.
Container Security: MAC systems extend container isolation. SELinux can label container processes and files, preventing container escapes from affecting host resources. AppArmor profiles restrict container capabilities to minimum required.
Policy Hardening: Default policies are often overly permissive for specific workloads. Audit your running services and tighten policies to the minimum required access. Use permissive mode during development to identify required access, then enforce in production.
Common Pitfalls / Anti-patterns
Setting Entire Domain to Permissive: Putting a large domain like httpd_t in permissive mode defeats the purpose of SELinux for all web server processes. Use targeted policy (the default) which keeps enforcing mode for system services while allowing per-domain permissive if needed.
Ignoring Audit Logs: AVC denials that are never addressed indicate policy gaps. Legitimate operations may be blocked, or policy misconfigurations may go undetected. Review and address denial patterns regularly.
Overly Permissive AppArmor Profiles: Profiles that allow /** rwm (read write mount on everything) provide no real security. Start restrictive and add only required exceptions.
Disabling MAC Entirely: When troubleshooting, disabling SELinux or AppArmor entirely creates security gaps and requires reboot to restore. Use permissive mode or complain mode instead.
Not Testing Policy Changes: New policies may have unintended effects on other services. Test in staging with the same workload profile before deploying policy changes to production.
Quick Recap Checklist
- MAC systems enforce centralized security policies independent of owner discretion
- SELinux uses label-based enforcement with User, Role, Type, Level contexts
- AppArmor uses path-based profile enforcement
- Both prevent compromised processes from accessing unauthorized resources
- SELinux is more powerful but has a steeper learning curve
- AppArmor is simpler but less flexible
- Policy development requires understanding the workload
- Production deployment requires comprehensive testing
- Monitoring and logging essential for policy maintenance
- Container MAC configuration extends host security to containers
Interview Questions
SELinux uses label-based enforcement with security contexts (User, Role, Type, Level) attached to every process and file. Policy rules govern which contexts can access which other contexts. AppArmor uses path-based profiles that specify allowed access by file paths for specific programs. SELinux is more flexible and powerful but has a steeper learning curve; AppArmor is simpler and more intuitive but less flexible.
Type Enforcement is the most commonly used SELinux security model. Every process has a type (domain) like httpd_t for web servers. Every file has a type like httpd_sys_content_t for web content. The policy states that httpd_t processes can read files labeled httpd_sys_content_t. If a compromised web server tries to access a file with a different label, SELinux blocks it even if Unix permissions allow the access.
Enforcing blocks policy violations and logs them, used in production. Permissive logs violations but does not block them, used for developing and testing policies. Disabled turns SELinux off entirely but requires a reboot to re-enable cleanly. Never use Disabled in production; use Permissive for policy development, then switch to Enforcing.
First, identify the denial in /var/log/audit/audit.log using ausearch -m AVC -ts recent. Confirm the access is legitimate by reviewing the context. Then use audit2allow to generate a custom policy module that permits the required access. Install with semodule -i. For temporary relief during development, set the specific type to permissive with semanage permissive -a httpd_t.
Discretionary Access Control (DAC) lets resource owners set permissions, so if a process is compromised, the attacker gains all the owner's permissions. Mandatory Access Control (MAC) enforces a centralized policy that even privileged processes must follow. A compromised web server under SELinux cannot read /etc/shadow even if running as root, because the policy does not allow httpd_t to access files labeled with the shadow_t type.
Type Enforcement (TE) is the most commonly used SELinux security model. It restricts access based on the type attribute of processes and files. A policy rule like allow httpd_t httpd_sys_content_t:file { read }; permits httpd processes (type httpd_t) to read files labeled with type httpd_sys_content_t. TE enforces a one-way access matrix based on types.
Multi-Level Security (MLS) adds hierarchical sensitivity levels (e.g., secret, top secret) and compartments. A process at "secret" level can read data at "secret" or below, but cannot read data at "top secret" unless explicitly permitted. MLS is used in government and military contexts where data classification is mandatory. Most SELinux deployments use only TE mode; MLS is optional and must be explicitly enabled.
First, collect AVC denial messages from /var/log/audit/audit.log using ausearch -m AVC -ts recent | audit2allow -M myapp. This generates a .te file (type enforcement file). Review the generated policy to ensure it only grants necessary permissions. Then compile it: checkmodule -M -m -o myapp.mod myapp.te. Package it: semodule_package -o myapp.pp -m myapp.mod. Install it: semodule -i myapp.pp. Verify with semodule -l | grep myapp. To remove: semodule -r myapp.
For complex applications, use apol (SELinux Policy Analysis Tool) to analyze policy rules and understand the full impact of your module before deployment.
SELinux contexts (labels) are four-component security labels (user:role:type:level) attached to every process and file. Standard Unix permissions (owner:group:other with rwx bits) operate independently — a file can be world-readable (mode 644) but have an SELinux context that prevents a specific process type from reading it. Conversely, a file with restrictive Unix permissions can be accessed by a process if SELinux policy permits it.
The key difference: SELinux is a MAC (Mandatory Access Control) system where the policy is enforced by the kernel regardless of the resource owner's wishes. DAC (standard Unix permissions) is discretionary — the owner decides. SELinux contexts add a second layer of access control that even root cannot bypass in enforcing mode.
semanage is used to manage SELinux policy configuration without directly modifying policy files. It handles: mapping Linux users to SELinux users (semanage user), managing SELinux roles, configuring file context mappings (semanage fcontext), setting network port contexts, and managing boolean toggles (semanage boolean). Changes made with semanage are persistent across reboots.
For example, semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?' adds a file context rule so that files in /var/www/html are labeled with type httpd_sys_content_t automatically (use restorecon to apply to existing files).
AppArmor is generally considered easier to use because its path-based profile model is more intuitive than SELinux's label-based Type Enforcement. Profiles are written in a declarative syntax that specifies which files a program can access. Learning the syntax takes hours rather than days.
Debugging AppArmor is simpler: denied operations appear in dmesg and /var/log/syslog, and aa-logprof automatically generates profile updates from denial logs. For complex issues, apparmor_parser -d provides debug output. SELinux debugging requires understanding the policy language, using sesearch to find rules, audit2allow to generate modules, and getsebool/setsebool for booleans. AppArmor's approach is more accessible for operators without deep security background.
In enforce mode, AppArmor blocks operations that violate the profile and logs them. This is the production setting. In complain mode, AppArmor logs violations but does not block them — the program runs normally despite policy violations. Complain mode is used for developing and debugging new profiles: run the application, collect denial logs with aa-logprof, update the profile accordingly, then switch to enforce mode.
Commands: aa-complain /etc/apparmor.d/profilename sets complain mode; aa-enforce /etc/apparmor.d/profilename sets enforce mode. You can also use apparmor_parser -C to set complain on a specific profile.
Even with correct Unix permissions (owner, group, rwx bits), SELinux denials occur when: the process type lacks permission to access the file's type (e.g., httpd_t trying to read something not labeled httpd_sys_content_t or httpd_log_t); the process role is not permitted to access that type; network port contexts are wrong (a service binding to the wrong port type); or the SELinux user doesn't have the right role transition. Use ls -Z to check file contexts and ps auxZ to check process contexts. The denial message in audit.log shows both the source context (process) and target context (file/port) that failed.
SELinux booleans are tunable policy parameters that allow runtime toggling of specific permissions without recompiling the policy. They exist because some behaviors need to be enabled or disabled based on deployment needs (e.g., allowing HTTPD to send email, enabling NFS home directory access).
Commands: getsebool -a lists all booleans; semanage boolean --list shows them with descriptions; setsebool -P httpd_can_sendmail 1 enables HTTPD email sending persistently (-P for permanent). semanage boolean -l shows which are on/off with descriptions. Booleans are the primary way to configure SELinux for specific application needs without writing custom policy modules.
When running containers on a SELinux-enforcing host, container runtimes (Docker, podman) set default SELinux contexts for container processes. You can override with the --security-opt label=type:... flag when launching a container. For volume mounts, use the :Z or :z suffix on mount options — :Z relabels the mount exclusively for the container, while :z allows sharing across containers.
For Kubernetes Pods, the securityContext.seLinuxOptions field sets the container's SELinux context. Map container processes to appropriate SELinux types (e.g., container_t for general containers, specific types for privileged containers) and ensure volumes are labeled correctly with semanage fcontext before mounting.
systemd and SELinux interact at several points. systemd uses SELinux context transitions when starting services — a service runs initially in an initial context, and the service's exec transition setting in the policy determines what type it transitions to. The systemctl status output shows the SELinux context of running services.
SELinux also affects systemd's handling of failing services: in enforcing mode, a service that is denied required access will fail to start or behave incorrectly. Understanding the interaction is important for debugging services that fail with cryptic errors — check journalctl --selinux for SELinux-specific denial messages, and semanage permissive -l to check if a service domain is in permissive mode (which would allow operations that should be denied).
AppArmor profiles can include abstraction files — predefined sets of common permissions grouped by functionality. For example, include grants typical permissions like reading system libraries, resolving DNS, and accessing the fonts directory. include adds name resolution permissions.
Abstractions promote profile reuse and reduce maintenance: instead of specifying every file a network program might need, you include the nameservice abstraction which already covers /etc/resolv.conf, /etc/host.conf, and related resources. When a library or system component is updated and changes its file paths, the abstraction definition is updated once and all profiles using it benefit — rather than having to edit every individual profile.
Setting a domain (e.g., httpd_t) to permissive with semanage permissive -a httpd_t causes all denials for that domain to be logged but not blocked. This means the web server process can do anything allowed by standard Unix permissions regardless of SELinux policy — dramatically reducing the security benefit of SELinux for that process. An attacker who compromises the web server gains full access to anything the process owner (typically www-data or apache) can reach via Unix permissions.
Permissive domains should be used only temporarily during policy development when you need to identify all required permissions. After collecting denials with audit2allow and building a proper policy module, remove the permissive setting with semanage permissive -d httpd_t. In production, always investigate denials and build proper policy modules rather than blanket-permitting domains.
Start by running the server in permissive mode for one full representative workload cycle, collecting all denials with ausearch -m AVC -ts recent > violations.log. Analyze the log with audit2allow to see what the application actually needs. Compare against your current policy with sesearch to understand which rules are missing.
Hardening steps: remove unnecessary rules from your policy module (principle of least privilege); verify only necessary booleans are enabled; check for overly broad transitions (type_transition rules that grant more than needed); ensure file contexts match actual deployment paths; test thoroughly with setenforce 0 (permissive) vs setenforce 1 (enforcing). Use seinfo and sesearch to inspect existing rules and understand what access your policy actually grants.
Targeted policy (the default in RHEL, Fedora, CentOS) applies SELinux enforcement only to specific, high-risk system services (named, httpd, dhcpd, etc.) while leaving most other processes running in an unconfined domain with minimal restrictions. This balances security with usability — critical services are protected while general system operation remains predictable.
Strict policy (mls or targeted with all services confined) enforces MAC on all processes. Every process has a specific SELinux context and must comply with policy rules. This provides maximum security but requires significant policy engineering to get all applications working correctly. Most production environments use targeted policy because strict policy requires maintaining a comprehensive policy for every software package on the system.
aa-genprof is a profile generation tool that runs in learning/report mode. You specify a program to profile, it runs the program in complain mode, logs all operations, and periodically (or on demand) parses the log to generate or update profile rules. The tool presents each logged operation and asks whether to add it to the profile (allow or deny).
The workflow: aa-genprof /usr/bin/myapp — it starts the app and enters a monitoring loop. While it runs, use the application normally (trigger all code paths). Press 'S' to scan the log for new events. For each event, you choose 'Allow' (adds rule) or 'Deny' (adds deny rule). When finished, press 'F' to save the profile. aa-logprof performs a similar function for existing profiles, scanning logs and offering to add new rules.
Further Reading
- Concurrency Fundamentals — The problem space and why synchronization is needed
- Mutex Implementation — How mutexes are implemented in userspace and kernel
- Semaphores — Counting semaphores for resource management
- Readers-Writer Locks — Optimizing for read-heavy workloads
- Lock-Free Structures — Advanced techniques for highly concurrent systems
Conclusion
SELinux and AppArmor implement Mandatory Access Control to provide defense-in-depth beyond standard Unix permissions. SELinux offers label-based enforcement with User, Role, Type, and Level contexts through the SELinux policy language. AppArmor provides path-based profile enforcement that is often simpler to write and understand. Both prevent compromised processes from accessing resources beyond their policy-granted scope, dramatically limiting the blast radius of vulnerabilities. For continued learning, explore the SELinux policy language in depth, study MLS/MCS systems for multi-level security, and examine how container runtimes integrate with MAC systems.
Category
Related Posts
ASLR & Stack Protection
Address Space Layout Randomization, stack canaries, and exploit mitigation techniques
Assembly Language Basics: Writing Code the CPU Understands
Learn to read and write simple programs in x86 and ARM assembly, understanding registers, instructions, and the art of thinking in low-level operations.
Boolean Logic & Gates
Understanding AND, OR, NOT gates and how they combine into arithmetic logic units — the building blocks of every processor.