Linux, as an open-source operating system, provides users with various security options. Two critical and powerful security systems that Linux supports are AppArmor and SELinux. This tutorial will guide you through the steps to configure these Linux kernel security features, ensuring an enhanced level of protection for your system.
Before we start, it’s essential to understand that both AppArmor and SELinux offer different approaches to security. While AppArmor confines programs to a limited set of resources, SELinux uses mandatory access controls (MAC) to confine programs. Now, let’s dive into how we can configure these systems.
Configure Linux Kernel Security
AppArmor
1. Check if AppArmor is installed
Before configuring AppArmor, you need to check whether it is already installed on your system. Most Linux distributions have AppArmor pre-installed. You can verify its presence with the following command:
sudo aa-status
If AppArmor is installed, this command will output various information about the loaded profiles.
2. Install AppArmor
If AppArmor is not installed, you can install it using the package manager of your distribution. For Ubuntu, you would use the following command:
sudo apt-get install apparmor
For CentOS, the command would be:
sudo yum install apparmor
3. Configure AppArmor
Now, to configure AppArmor, you have to create profiles for each program that you wish to restrict. These profiles are stored in /etc/apparmor.d/. You can create a profile using any text editor. For example, to create a profile for Firefox, you would use the following command:
sudo nano /etc/apparmor.d/usr.bin.firefox
In this file, you would specify the permissions for Firefox. A basic example of such a profile could be:
#include <tunables/global>
/usr/bin/firefox {
#include <abstractions/base>
network inet tcp,
deny network inet6 tcp,
/usr/bin/firefox ix,
}
This profile allows Firefox to use IPv4 network resources but denies access to IPv6.
Finally, enforce the profile using the following command:
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
SELinux
1. Check if SELinux is installed
Just like with AppArmor, first, check if SELinux is installed. You can do this with the following command:
sestatus
2. Install SELinux
If it’s not installed, you can install it using your package manager. For Ubuntu:
sudo apt-get install selinux
For CentOS:
sudo yum install selinux
3. Configure SELinux
Configuring SELinux involves defining rules in a policy. The policy file is usually located at /etc/selinux/targeted/policies/. A policy might allow or deny access, depending on the criteria defined in the rules. Here’s a sample policy:
module mynginx 1.0;
require {
type httpd_t;
type var_lib_t;
class file { read getattr open };
}
#============= httpd_t ==============
allow httpd_t var_lib_t:file { read getattr open };
This policy allows the httpd_t process (usually the web server) to read files labeled with var_lib_t. To compile and install the module, use the following commands:
checkmodule -M -m -o mynginx.mod mynginx.te
semodule_package -o mynginx.pp -m mynginx.mod
sudo semodule -i mynginx.pp
This tutorial provides a basic introduction to configuring security features in the Linux kernel, specifically AppArmor and SELinux. For further details, refer to the official documentation: AppArmor Documentation and SELinux Documentation.
Related Articles:
