SELinux (short for Security Enhanced Linux) is a Linux kernel security module that is used to increase security in Linux distributions by hardening access to files and processes. Another similar Linux kernel security module that is used for this purpose is AppArmor. There is a lot of interest in these two modules because of their overlapping roles in access control for Linux operating systems. As such, this article covers the differences between SELinux and AppArmor. Users can then determine which of these modules is best for their needs through a comparison of features and ease of use.
What is SELinux?
Securing servers with SELinux does away with dependency on DAC style access based on actual system users and roles. Instead, it introduces a three-string context system for each process or system user. The three strings, namely username, role, and domain, allow for more flexibility and control over system access.
A process can only be allowed in a specific domain through policy configuration in SELinux. The only exception is when a process is launched into an explicitly defined context through
runcon command. However, if conflicting policies exist for such a process already in configuration, SELinux can deny such a transition into another context. That ensures that SELinux works on the principle of denying by default. Any process or user needs to have an explicit access configuration for a file or system resource before accessing it.
SELinux Operations and Commands
As an extension of common utility commands in the terminal, SELinux provides
-Z switch, which allows for the display of the security context of the files and processes. Commands such as
ls benefit from this switch for quickly debugging or identifying errors in configuration. Below, a screenshot of the
ls command is shown:
The first part of each output line is the domain, the second is the type of object, and the third part is the username in the SELinux configuration. This way, SELinux can provide full control over access to each file and process. The following commands are used to manipulate the context of files and directories:
|chcon -t <Context> <Target File>||Change the context of a target file|
|chcon -R <Context> <Target Directory>||Change context of a target directory (this change is recursive)|
|restorecon -v <Target File>||Restore the context of a file to default|
|restorecon -v -R <Target Directory>||Restore the context of a directory to default (this change is recursive)|
|semanage fcontext -a -t <Context> <REGEX>||Set the default context of a directory to be what the REGEX evaluates to|
For example, if there is a need to change the context of all the files in “/srv/web” directory to “httpd_sys_content_t”, the following command can be used:
sudo semanage fcontext -a -t httpd_sys_content_t “/srv/web(/.*)”
As seen in the screenshot, since this context is already defined for “/srv/web” directory recursively, SELinux displays a message to let the user know. In case it is not defined, a successful
semanage operation does not show any output.
System administrators and users can enable, disable or make SELinux permissible through the use of the
setenforce command. Similarly, to check what the enforcement status is at the moment, users can use the
getenforce command, as shown in the screenshot below:
How to Transfer Files Securely Using SCP in Linux
What is AppArmor?
AppArmor is supported in development by Canonical, the parent company which develops the Ubuntu distribution of Linux. AppArmor aims to be simpler and easier to use than SELinux. Unlike SELinux, AppArmor aims to supplement the access control model of Discretionary Access Control (DAC) as it allows users to create profiles for access control. AppArmor profiles are created in “/etc/apparmor.d/” directory. An AppArmor profile for “/usr/bin/man” process is shown in the screenshot below:
AppArmor Operations and Commands
To see the status of Apparmor,
aa-status command is used. A sample output of the command is shown below:
AppArmor profiles can be listed by listing the directory contents of “/etc/apparmor.d/”, as shown below:
From the above list of profiles, if a user wants to disable the usr.bin.man profile, they can use the following command:
sudo aa-complain /usr/bin/man
Note that a disabled profile is located in the disable subdirectory of the main AppArmor profiles directory. To re-enable a profile that has been disabled, the following command is used:
sudo aa-enforce /usr/bin/man
Ease of Use Between SELinux and AppArmor
AppArmor works with file paths in the filesystem instead of working with strings for each file like SELinux does. One advantage of AppArmor is that the read, write, lock and other file operations are easier to setup than in SELinux. On the other hand, while SELinux provides more features for file access control, the features are implemented at a much lower level in the system. Therefore, users have to learn how to use mknod, network sockets, and other system operations to work with SELinux. This means, for everyone who is not a system administrator, it is much easier to learn how to use AppArmor.
AppArmor also provides a learning mode that is used for logging violations of access control. This mode does not restrict or prevent access in case of a violation, instead collecting data over time to enable the creation of a separate AppArmor profile which is based on the behavior of programs for each recorded access infraction. There is no similar mode available in SELinux.
How to Secure a Linux Home Server
Frequently Asked Questions
What Linux distributions come installed with SELinux and AppArmor?
All the Linux Distributions under the umbrella of RedHat come preinstalled with or offer a setup of SELinux, including RHEL, CentOS, and Fedora. On the other hand, AppArmor comes installed on Debian, Ubuntu, their derivative distributions, and SUSE Enterprise Server and OpenSUSE distributions.
Which security module is the best for a new Linux user?
Most major Linux distributions come with either of the security modules installed by default. Therefore, it is unlikely for a new Linux user not to have a security module out of the box. Comparison of features and ease of use between SELinux and AppArmor show that for power users or system administrators who want finer control over their operating system, SELinux is best, but for everyone else, AppArmor is the better choice.
Are SELinux and AppArmor an alternative to firewalls, antiviruses, and other user or data safety software?
SELinux and AppArmor are not an alternative to antiviruses or well-configured firewalls for system security and data integrity. Therefore, it’s recommended to complement your system with an antivirus program for better protection of data.
Image credits: AppArmor’s Wiki Page and SELinux’s Wiki Page. All screenshots by Zeeman Memon.
Is this article useful?
Subscribe to our newsletter!
Our latest tutorials delivered straight to your inbox