Implementing Mandatory Access Control with SELinux or AppArmor in Linux

Linux has built-in support for two types of Mandatory Access Control (MAC) systems: SELinux and AppArmor. Both systems add an additional layer of access control to the default Discretionary Access Control (DAC) that comes with Linux. In this article, we delve into the implementation of both systems, offering practical examples and their respective outputs.

Understanding SELinux and AppArmor

SELinux (Security-Enhanced Linux) is a Linux kernel security module that provides a mechanism for supporting access control security policies. It is a highly flexible MAC system that assigns labels to every object in the system (files, directories, ports, etc.) and uses policies to define the interactions between these objects. SELinux is typically used in situations where robust, complex security policies are required.

AppArmor (Application Armor) is another MAC system that is path-based and somewhat simpler to configure and manage than SELinux. It confines programs according to a set of rules which specify what files and capabilities a program can access. AppArmor is a good choice when ease-of-use and simplicity are key considerations.

[Figure: MAC Systems Comparison. SELinux: label-based, complex policies, fine-grained control, default on RHEL/CentOS. AppArmor: path-based, simple configuration, user-friendly, default on Ubuntu/SUSE.]

Implementing SELinux

Check SELinux Status

First, ensure that SELinux is enabled on your system by running sestatus. The output shows the SELinux status and the current mode.

$ sestatus
SELinux status:         enabled
Current mode:           enforcing

If SELinux is disabled, you will need to enable it and set the mode to 'enforcing'. You can do this by editing the /etc/selinux/config file.

Understanding SELinux Contexts

In SELinux, every file, user, process, and resource has a context that is used to make access decisions. Use ls -Z to list files along with their SELinux contexts.

$ ls -Z /var/www/html/index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html

In the above output, system_u:object_r:httpd_sys_content_t:s0 is the SELinux context of the file.

Changing File Contexts

Suppose you want to serve files from a new directory /var/www/new_dir. By default, SELinux will prevent the HTTP server from accessing these files. You can allow access by applying the correct context to the directory using the chcon command.

$ chcon -R -t httpd_sys_content_t /var/www/new_dir

Verify the changes with ls -Z.

$ ls -Z /var/www/new_dir
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/new_dir
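
A file moved into the directory with mv keeps the label from its original location, so checking only the directory entry can miss mislabeled content. The script below is an added example, not part of the original article: it scans ls -Z output for entries whose type is not the expected one. The listing is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag files whose SELinux type differs from the expected one.

# Constructed `ls -Z` output in two layouts:
# "MODE OWNER GROUP CONTEXT PATH" (as in this article) and "CONTEXT PATH".
sample_listing() {
    cat <<'EOF'
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/new_dir/index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /var/www/new_dir/moved_from_home.html
unconfined_u:object_r:httpd_sys_content_t:s0:c0.c1023 /var/www/new_dir/style.css
unconfined_u:object_r:var_t:s0 /var/www/new_dir/upload.html
? /var/www/new_dir/no_label.txt
EOF
}

# mislabeled EXPECTED_TYPE < listing
# Prints "PATH ACTUAL_TYPE" for every entry that does not carry EXPECTED_TYPE.
# Assumes paths contain no whitespace.
mislabeled() {
    awk -v want="$1" '
        NF == 0 { next }
        {
            ctx = ""
            # The context is the first field shaped like user:role:type[:level].
            # The last field is the path and is never tested.
            for (i = 1; i < NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+(:.+)?$/) { ctx = $i; break }
            if (ctx == "") { print $NF, "unlabeled"; next }
            # Only the third colon-separated field is the type; an MLS level
            # such as s0:c0.c1023 adds further colons after it.
            split(ctx, part, ":")
            if (part[3] != want) print $NF, part[3]
        }'
}

sample_listing | mislabeled httpd_sys_content_t
```

Labels set with chcon are not recorded in the policy's file-context database, so a restorecon run or a full relabel reverts them. Running semanage fcontext -a -t httpd_sys_content_t "/var/www/new_dir(/.*)?" followed by restorecon -R /var/www/new_dir makes the label persistent.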

Implementing AppArmor

Check AppArmor Status

Ensure that AppArmor is installed and running with sudo systemctl status apparmor. The output should show that the service is active.

$ sudo systemctl status apparmor
● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: active (exited) since Mon 2023-06-27 12:34:56 UTC; 1h 10min ago

If AppArmor is not running, start it with sudo systemctl start apparmor.

AppArmor Profiles

AppArmor controls program access through profiles located in /etc/apparmor.d/. List the profiles using sudo aa-status.

$ sudo aa-status
apparmor module is loaded.
14 profiles are loaded.
14 profiles are in enforce mode.

Creating and Enforcing a Profile

Suppose you want to create a profile for the /usr/sbin/nginx program. First, put AppArmor into 'complain' mode for this program using aa-complain.

$ sudo aa-complain /usr/sbin/nginx

Next, use aa-genprof to generate a profile while the program is running.

$ sudo aa-genprof /usr/sbin/nginx

Finally, put the program into 'enforce' mode using aa-enforce.

$ sudo aa-enforce /usr/sbin/nginx

Now, Nginx is running with the specified AppArmor profile, and any violations will be prevented and logged.
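
Before the aa-enforce step it helps to see what the complain-mode profile is still logging, because each ALLOWED record is an access that enforce mode would block. The script below is an added example, not part of the original article; the audit records are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list accesses that a complain-mode AppArmor profile logged
# as ALLOWED, i.e. what enforce mode would start blocking.

# Constructed audit records (not taken from a real host).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1687869296.101:410): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nginx" name="/srv/site/index.html" pid=2211 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=AVC msg=audit(1687869296.140:411): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/nginx" name="/var/cache/nginx/tmp.1" pid=2211 comm="nginx" requested_mask="c" denied_mask="c" fsuid=33 ouid=33
type=AVC msg=audit(1687869301.007:415): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nginx" name="/srv/site/index.html" pid=2212 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=AVC msg=audit(1687869400.500:430): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=901 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1687869500.000:440): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/nginx" pid=3001 comm="apparmor_parser"
EOF
}

# events VERDICT PROFILE < log
# Prints unique "operation denied_mask name" triples for the given verdict
# (ALLOWED = complain-mode violation, DENIED = blocked in enforce mode).
events() {
    awk -v verdict="$1" -v profile="$2" '
        # Return the value of key="value" on the current record, or "".
        function field(key,    re) {
            re = " " key "=\"[^\"]*\""
            if (!match($0, re)) return ""
            return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
        }
        field("apparmor") == verdict && field("profile") == profile {
            print field("operation"), field("denied_mask"), field("name")
        }' | sort -u
}

# Gate for the aa-enforce step: succeed only if nothing is outstanding.
ready_to_enforce() {
    [ -z "$(events ALLOWED "$1")" ]
}

sample_audit_log | events ALLOWED /usr/sbin/nginx
```

On a real host, feed the functions the log where AppArmor events are recorded (commonly /var/log/audit/audit.log when auditd is running, otherwise the kernel log) instead of the sample.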

Advanced SELinux Features

Booleans

Booleans in SELinux enable or disable access to particular functionalities. For example, suppose you want to allow Apache HTTP Server to make network connections to any destination. This can be done by setting the httpd_can_network_connect boolean.

$ setsebool -P httpd_can_network_connect on

To view the current status of this boolean, use getsebool.

$ getsebool httpd_can_network_connect
httpd_can_network_connect --> on

User Roles and Levels

In SELinux, users are associated with roles, and roles are associated with domains. You can define what resources a user can access by assigning a particular role to that user. Furthermore, SELinux supports multi-level security, allowing you to specify security levels for both users and resources.

Advanced AppArmor Features

Subprofiles and Child Profiles

AppArmor allows the creation of subprofiles and child profiles for even greater control over application permissions. For example, if you have a parent profile for a web server, you could create a child profile for the CGI scripts run by that server, limiting the permissions of those scripts.

Network Access Control

AppArmor can control which network resources an application can access. For example, you could create a profile that allows a program to open network connections only to certain IP addresses or ports.

Profile Stacking

AppArmor supports profile stacking, which means that you can apply multiple profiles to a single task. This allows you to combine the rules from different profiles, providing a higher degree of customization and granularity in your access control policies.

Comparison

Feature | SELinux | AppArmor
Access Control Model | Label-based (Type Enforcement) | Path-based
Complexity | High; fine-grained control | Low; simplified management
Default Distributions | Red Hat, CentOS, Fedora | Ubuntu, SUSE, Debian
Profile Creation | Complex policy writing | Semi-automated with aa-genprof
Learning Curve | Steep | Moderate

Conclusion

Both SELinux and AppArmor provide robust Mandatory Access Control mechanisms for Linux systems. SELinux offers highly flexible and fine-grained control ideal for enterprise environments requiring complex security policies. AppArmor provides a simpler, more user-friendly approach suitable for general-purpose security hardening. The choice depends on your security requirements, administrative expertise, and system complexity.

Updated on: 2026-03-17T09:01:39+05:30
