SELinux & AppArmor
Objective
Understand mandatory access control with SELinux and AppArmor, interpret denials, and write policies.
Tools & Technologies
- SELinux
- AppArmor
- getenforce
- aa-status
- audit2allow
Key Commands
- getenforce
- sestatus
- setenforce 1
- aa-status
- aa-complain /etc/apparmor.d/usr.sbin.nginx
Architecture Overview
flowchart TD
PROCESS[Process requests\nfile access] --> DAC{DAC check\ntraditional permissions}
DAC -->|DENY| BLOCK[Access Denied]
DAC -->|ALLOW| MAC{MAC check\nSELinux/AppArmor}
MAC -->|policy allows| OK[Access Granted]
MAC -->|policy denies| AVC[AVC denial logged\n/var/log/audit/audit.log]
AVC -->|enforcing| BLOCK
AVC -->|permissive| WARN[Allowed but warned]
style MAC fill:#1a1a2e,stroke:#00d4ff,color:#e0e0e0
style AVC fill:#1a1a2e,stroke:#ffd700,color:#ffd700
Step-by-Step Process
01
SELinux Basics (RHEL/CentOS)
Understand modes and contexts.
getenforce # Enforcing / Permissive / Disabled
sestatus # detailed status
# Temporarily permissive for debugging (runtime only; the persistent mode is the SELINUX= line in /etc/selinux/config)
setenforce 0
# Re-enable
setenforce 1
# Check file context
ls -Z /var/www/html
# Check process context
ps -eZ | grep nginx
02
Fix SELinux Denials
Diagnose AVC denials and decide whether the fix is a label, a boolean, or a new allow rule.
# View denials (ausearch reads audit.log; -ts recent = the last 10 minutes)
ausearch -m AVC -ts recent | head
grep denied /var/log/audit/audit.log
# Suggest a policy module from the logged denials
# -a reads /var/log/audit/audit.log itself; -M writes mypolicy.te and mypolicy.pp
audit2allow -a -M mypolicy
# Read mypolicy.te before loading it: it allows exactly what was denied, whether or not that was legitimate
semodule -i mypolicy.pp
# Restore default context (many web-root denials are mislabeled files, not missing policy)
restorecon -Rv /var/www/html
03
AppArmor Basics (Ubuntu/Debian)
Manage AppArmor profiles.
aa-status # show profile status
aa-complain /etc/apparmor.d/usr.sbin.nginx # complain mode
aa-enforce /etc/apparmor.d/usr.sbin.nginx # enforce mode
# View denials (kernel messages; with auditd running they also land in audit.log as type=AVC records)
journalctl -k | grep -i apparmor | tail
# Generate profile
aa-genprof /usr/bin/myapp
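The two denial formats in steps 02 and 03 (SELinux AVC records in audit.log, AppArmor DENIED messages in the journal) are easier to reason about once reduced to subject, object, class and permission. The script below is an added example, not part of the original page or of the SELinux or AppArmor projects: it parses a constructed sample of each format with POSIX sh and sed, collapses repeated denials, and prints the cheapest fix to try first. The sample log lines, the nginx paths, and the triage rules (default_t/unlabeled_t targets are labeling problems, *_port_t targets are boolean or port problems, reads of /etc/shadow are denials to keep) are assumptions made for illustration.

```sh
#!/bin/sh
# Triage SELinux AVC denials and AppArmor DENIED messages from raw log text.
# Added example: POSIX sh + sed only, so it runs offline; the samples below are constructed.
set -eu

# Constructed sample of /var/log/audit/audit.log (the third record repeats the second).
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { open read } for  pid=1234 comm="nginx" path="/srv/site/index.html" dev="vda1" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.234:457): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000002.345:458): avc:  denied  { name_connect } for  pid=1235 comm="nginx" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'

# Constructed sample of AppArmor messages as journalctl -k shows them.
SAMPLE_APPARMOR='audit: type=1400 audit(1700000003.456:459): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=1234 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1700000004.567:460): apparmor="DENIED" operation="mknod" profile="/usr/sbin/nginx" name="/srv/site/upload.tmp" pid=1234 comm="nginx" requested_mask="c" denied_mask="c" fsuid=33 ouid=33'

# field KEY LINE: value of KEY=value or KEY="value" in LINE (empty if absent).
field() {
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# parse_avc: stdin is audit.log text; stdout is "N source_type target_type class { perms }",
# one line per distinct denial, so a busy service does not drown you in repeats.
parse_avc() {
  while IFS= read -r line; do
    case $line in *avc:*denied*) ;; *) continue ;; esac
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied[[:space:]]*{ \([^}]*\) }.*/\1/p')
    src=$(field scontext "$line" | cut -d: -f3)   # user:role:TYPE:level -> type
    tgt=$(field tcontext "$line" | cut -d: -f3)
    printf '%s %s %s { %s }\n' "$src" "$tgt" "$(field tclass "$line")" "$perms"
  done | sort | uniq -c | sed 's/^[[:space:]]*//'
}

# triage_avc LINE: LINE is one parse_avc row. Prints the cheapest fix to try first.
# Rule of thumb (an assumption for this example): label first, boolean second, module last.
triage_avc() {
  set -- $1
  src=$2; tgt=$3; cls=$4
  case $tgt in
    default_t|unlabeled_t|file_t)
      echo "$src -> $tgt ($cls): target is mislabeled; fix the label (semanage fcontext, restorecon), add no policy" ;;
    *_port_t)
      echo "$src -> $tgt ($cls): port access; check getsebool -a and semanage port before audit2allow" ;;
    *)
      echo "$src -> $tgt ($cls): possible policy gap; audit2allow -M, read the .te, then semodule -i" ;;
  esac
}

# parse_apparmor: stdin is journalctl -k text; stdout is "profile operation denied_mask path".
parse_apparmor() {
  while IFS= read -r line; do
    case $line in *'apparmor="DENIED"'*) ;; *) continue ;; esac
    printf '%s %s %s %s\n' "$(field profile "$line")" "$(field operation "$line")" \
      "$(field denied_mask "$line")" "$(field name "$line")"
  done | sort -u
}

# triage_apparmor LINE: LINE is one parse_apparmor row. Not every denial is a profile gap;
# the paths treated as "keep denying" are an assumption for this example.
triage_apparmor() {
  set -- $1
  profile=$1; op=$2; mask=$3; path=$4
  case $mask in c|d|a) perm=w ;; *) perm=$mask ;; esac   # create/delete/append need w in a rule
  case $path in
    /etc/shadow|/etc/gshadow|/root/*)
      echo "$profile $op $path: expected denial, keep it; find out why $profile touched this file" ;;
    *)
      echo "$profile $op $path: profile gap; add '$path $perm,' (or run aa-logprof) and reload" ;;
  esac
}

demo() {
  echo "== SELinux AVC denials =="
  printf '%s\n' "$SAMPLE_AUDIT" | parse_avc | while IFS= read -r row; do triage_avc "$row"; done
  echo "== AppArmor denials =="
  printf '%s\n' "$SAMPLE_APPARMOR" | parse_apparmor | while IFS= read -r row; do triage_apparmor "$row"; done
}
demo
```

Run it as-is to see the triage for the embedded samples, or feed real logs to the functions (`ausearch -m AVC -ts recent | parse_avc`, `journalctl -k | parse_apparmor`). The point is the ordering: relabel before toggling a boolean, toggle a boolean before loading a module, and never write a rule for something the policy was right to deny.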
Challenges & Solutions
- In enforcing mode a denial blocks the access and is logged; in permissive mode it is only logged. A service that works in permissive and breaks in enforcing has an SELinux problem, and the AVC record names the exact type, class and permission involved
- Disabling SELinux (SELINUX=disabled in /etc/selinux/config) takes effect only after a reboot, and files created while it is disabled carry no labels, so re-enabling it requires a full relabel (touch /.autorelabel, then reboot). Newer kernels (RHEL 9) deprecate the config setting in favour of the selinux=0 kernel parameter
Key Takeaways
- Treat audit2allow output as a starting point, not the answer: read the generated .te before semodule -i, and first check whether a boolean (getsebool -a, setsebool -P) or a file-context fix (semanage fcontext, restorecon) resolves the denial. A module that allows whatever was denied also allows the misuse that triggered the denial
- Permissive mode still logs denials; use it to collect the full set before enforcing, and prefer making one domain permissive (semanage permissive -a httpd_t) over setenforce 0 so the rest of the system stays protected