Implementing Mandatory Access Control with SELinux or AppArmor in Linux


Linux has built-in support for two types of Mandatory Access Control (MAC) systems: SELinux and AppArmor. Both systems add an additional layer of access control to the default Discretionary Access Control (DAC) that comes with Linux. In this article, we delve into the implementation of both systems, offering practical examples and their respective outputs.

Understanding SELinux and AppArmor

SELinux, short for Security-Enhanced Linux, is a Linux kernel security module that provides a mechanism for supporting access control security policies. It is a highly flexible MAC system that assigns labels to every object in the system (files, directories, ports, etc.) and uses policies to define the interactions between these objects. SELinux is typically used in situations where robust, complex security policies are required.

On the other hand, AppArmor (Application Armor) is another MAC system that is path-based and somewhat simpler to configure and manage than SELinux. It confines programs according to a set of rules which specify what files and capabilities a program can access. AppArmor is a good choice when ease-of-use and simplicity are key considerations.

Implementing SELinux

Check SELinux Status − First, ensure that SELinux is enabled on your system by running sestatus. The output will reveal the SELinux status and the current enforcing mode.

$ sestatus
SELinux status:         enabled
Current mode:           enforcing

If SELinux is disabled, you will need to enable it and set the mode to 'enforcing'. You can do this by editing the /etc/selinux/config file.

Understanding SELinux Contexts − In SELinux, every file, user, process, and resource has a context that is used to make access decisions. Use ls -Z to list files along with their SELinux contexts.

$ ls -Z /var/www/html/index.html
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html

In the above output, system_u:object_r:httpd_sys_content_t:s0 is the SELinux context of the file.

Changing File Contexts − Suppose you want to serve files from a new directory /var/www/new_dir. By default, SELinux will prevent the HTTP server from accessing these files. You can allow access by applying the correct context to the directory using the chcon command.

$ sudo chcon -R -t httpd_sys_content_t /var/www/new_dir

Verify the changes with ls -Z.

$ ls -Z /var/www/new_dir
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/new_dir
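
A label set with chcon is lost when the directory is relabeled, for example by restorecon or a full filesystem relabel. The following added example, which is not part of the original article, records the label persistently with semanage fcontext and restorecon, and scans ls -Z output for files that still carry the wrong type. The function names and the sample listing are constructed for illustration, and file names are assumed to contain no whitespace.

```sh
#!/bin/sh
# Added example: persist the httpd_sys_content_t label and audit `ls -Z` output.

# Constructed listing (not captured from a real host); mixes both ls -Z layouts.
SAMPLE_LS='drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/new_dir
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/new_dir/index.html
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 /var/www/new_dir/report.html
system_u:object_r:default_t:s0 /var/www/new_dir/upload.tmp'

# persist_label DIR TYPE: record the label in the local file-context policy,
# then apply it. Unlike chcon, this survives restorecon and a full relabel.
# Needs root and the semanage tool; defined here but not called.
persist_label() {
    semanage fcontext -a -t "$2" "$1(/.*)?" &&
    restorecon -Rv "$1"
}

# mislabeled TYPE: read `ls -Z` lines on stdin and print "path type" for every
# entry whose SELinux type differs from TYPE. The context is found by its
# user:role:type:level shape, so the column position does not matter.
mislabeled() {
    awk -v want="$1" '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:/) {
                split($i, ctx, ":")
                if (ctx[3] != want) print $NF " " ctx[3]
                next
            }
    }'
}

# Demo on the constructed listing: report.html kept user_home_t (typical for a
# file moved from a home directory) and upload.tmp has default_t.
printf '%s\n' "$SAMPLE_LS" | mislabeled httpd_sys_content_t
```

On a live system the same check is `ls -ZR /var/www/new_dir | mislabeled httpd_sys_content_t`.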

Implementing AppArmor

Check AppArmor Status − Ensure that AppArmor is installed and its profiles are loaded with sudo systemctl status apparmor. The service only loads the profiles and then exits, so a healthy system reports active (exited) rather than active (running).

$ sudo systemctl status apparmor
● apparmor.service - Load AppArmor profiles
   Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
   Active: active (exited) since Mon 2023-06-27 12:34:56 UTC; 1h 10min ago

If AppArmor is not running, start it with sudo systemctl start apparmor.

AppArmor Profiles − AppArmor controls program access through profiles located in /etc/apparmor.d/. List the profiles using sudo aa-status.

$ sudo aa-status
apparmor module is loaded.
14 profiles are loaded.
14 profiles are in enforce mode.

Creating and Enforcing a Profile − Suppose you want to create a profile for the /usr/sbin/nginx program. First, put AppArmor into 'complain' mode for this program using aa-complain.

$ sudo aa-complain /usr/sbin/nginx

Next, use aa-genprof to generate a profile while the program is running.

$ sudo aa-genprof /usr/sbin/nginx

Finally, put the program into 'enforce' mode using aa-enforce.

$ sudo aa-enforce /usr/sbin/nginx

Now, Nginx is running with the specified AppArmor profile, and any violations will be prevented and logged.
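
Before the aa-enforce step it helps to confirm that complain mode is no longer logging accesses the profile lacks, since those are exactly what enforce mode will block. The following added example, which is not part of the original article, extracts the apparmor="ALLOWED" events for one profile from kernel audit lines; the function names and the sample log lines are constructed.

```sh
#!/bin/sh
# Added example: list what a complain-mode profile still lacks before aa-enforce.

# Constructed kernel audit lines, not captured from a real host.
SAMPLE_LOG='audit: type=1400 audit(1687869296.101:41): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nginx" name="/var/www/new_dir/index.html" pid=2211 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
audit: type=1400 audit(1687869296.250:42): apparmor="ALLOWED" operation="open" profile="/usr/sbin/nginx" name="/var/www/new_dir/index.html" pid=2212 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
audit: type=1400 audit(1687869301.007:43): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/nginx" name="/var/log/nginx/access.log" pid=2211 comm="nginx" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
audit: type=1400 audit(1687869305.412:44): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=901 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# pending_rules PROFILE: read audit lines on stdin and print each distinct
# "mask path" logged as ALLOWED for PROFILE. In complain mode these are
# accesses the profile does not permit, so enforce mode would deny them.
pending_rules() {
    awk -v prof="$1" '
    # Return the value of key="value" on the current line, or "" if absent.
    function field(key) {
        if (!match($0, " " key "=\"[^\"]*\"")) return ""
        return substr($0, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    field("profile") == prof && field("apparmor") == "ALLOWED" {
        rule = field("denied_mask") " " field("name")
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# ready_to_enforce PROFILE: succeed only when stdin holds no ALLOWED events
# for PROFILE, i.e. the profile already covers everything that was exercised.
ready_to_enforce() {
    [ -z "$(pending_rules "$1")" ]
}

# Demo on the constructed log: two distinct accesses still need a rule.
printf '%s\n' "$SAMPLE_LOG" | pending_rules /usr/sbin/nginx
```

On a live system the input would come from the kernel log, for example `journalctl -k | pending_rules /usr/sbin/nginx`; where the audit lines land depends on the distribution and on whether auditd is running.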

Beyond Basic SELinux Implementation

The previous section outlined the basic steps to get started with SELinux, but SELinux can provide more granular access controls and security features.

Booleans − Booleans in SELinux enable or disable access to particular functionalities. For example, suppose you want to allow Apache HTTP Server to make network connections to any destination. This can be done by setting the httpd_can_network_connect boolean.

$ sudo setsebool -P httpd_can_network_connect on

To view the current status of this boolean, use getsebool.

$ getsebool httpd_can_network_connect
httpd_can_network_connect --> on

User Roles and Levels − In SELinux, users are associated with roles, and roles are associated with domains. You can define what resources a user can access by assigning a particular role to that user. Furthermore, SELinux supports multi-level security. This means that you can specify security levels for both users and resources, creating a policy that allows only users with a certain level to access resources at the same level.

Advanced AppArmor Implementation

Just like SELinux, AppArmor also offers additional features beyond its basic functionality −

Subprofiles and Child Profiles − AppArmor allows the creation of subprofiles and child profiles for even greater control over application permissions. For example, if you have a parent profile for a web server, you could create a child profile for the CGI scripts run by that server, limiting the permissions of those scripts.

Network Access Control − AppArmor can control which network resources an application can access. For example, you could create a profile that allows a program to open network connections only to certain IP addresses or ports.

Profile Stacking − AppArmor supports profile stacking, which means that you can apply multiple profiles to a single task. This allows you to combine the rules from different profiles, providing a higher degree of customization and granularity in your access control policies.

Both SELinux and AppArmor are powerful tools for implementing Mandatory Access Control in Linux. The key to their effective use lies in understanding your specific needs and the level of complexity you are willing to manage in your access control policies. By studying the various features and capabilities of each tool, you can choose the one that best suits your situation and provides the greatest degree of protection for your system.

Conclusion

While both SELinux and AppArmor provide robust access control mechanisms, the choice between the two will depend on your specific needs. If you need highly flexible and fine-grained control over every aspect of your system, SELinux is the best choice. However, if you prefer a simpler, more user-friendly approach to security, AppArmor will be more suitable. Remember, securing your system is not a one-time action, but a continuous process of monitoring, updating, and enforcing access control policies.

Updated on: 17-Jul-2023
