Introduction
Mandatory Access Control (MAC) systems, like AppArmor and SELinux, allow sysadmins to grant or deny access to resources and control systems built into the Linux kernel. While both perform the same tasks, these systems work differently and offer various features.
This article explains AppArmor vs. SELinux differences and shows the main features of the two systems.
AppArmor vs. SELinux
Both SELinux and AppArmor provide security tools that isolate applications and limit access to an attacker that has compromised one part of the system.
AppArmor works by granting access first, then applying restrictions. SELinux, however, restricts access to all applications by default and grants access only to users that present the proper certifications.
The two systems have many features in common but also some differences:
Point of Comparison | AppArmor | SELinux |
---|---|---|
Access control | Uses security profiles based on paths. | Uses security policies based on file labels. |
Availability | Available for any distribution, but mainly used on SUSE and Ubuntu. | Available for any distribution but primarily used on RHEL/Fedora systems. |
Difficulty to learn | A shorter learning curve, easier to set up and administer. | More complex and less intuitive. |
Independent verification | Possible. | Not possible. |
Requires complex configuration | No. | Yes. |
MLS/MCS | No. | Yes. |
System performance impact | None, but the start-up time is longer. | None. |
Policy rules | Lacks flexibility. | Flexible. |
Level of control | Medium. | High. |
AppArmor
AppArmor is a practical Linux security module that has been included by default with Ubuntu since version 7.10. The module allows developers to restrict applications from using specific files. Hence, AppArmor prevents any damage to potentially vulnerable applications and protects easy-to-exploit software, like web servers.
The module uses security profiles to determine what permissions the application requires. Profiles are text files loaded into the kernel, typically on boot.
AppArmor enforces two main types of rules in profiles:
- Path entries. They determine which files an application can access.
- Capability entries. These rules specify the privileges a confined process is allowed to use.
Profiles are designed to confine specific apps and they work in two modes. In the
- Complain mode. In this mode, the system reports policy violation attempts but does not enforce rules.
- Enforce mode. In Enforce mode, the new profile is inspected and all violations are stopped.
AppArmor consists of the following components:
- Server analyzer. Scans ports and locates applications listening to them automatically. It also detects applications without profiles and those that AppArmor needs to confine.
- Profile generator. A static process that analyzes applications and creates a profile template.
- Optimizer. This component logs and gathers events into the profile of normal behavior.
Apart from Ubuntu, AppArmor runs on Debian, SUSE Enterprise Server, OpenSUSE distributions, and other distributions by default. To verify the module status, run the following:
sudo apparmor_status
The output shows that AppArmor is active on the system. The command also prints the list of installed profiles and the active confined processes.
Advantages of AppArmor
The main advantages of AppArmor are the simplicity and short learning curve. This module is far less complex than SELinux, making it easier to set up and manage.
The tool works directly with profiles (text files) for access control, and file operations are more straightforward. This feature makes AppArmor more user-friendly than SELinux with its security policies.
Thanks to the path-based implementation, AppArmor protects any file on the system and allows for rules to be specified even for files that do not exist yet. The program's learning mode makes AppArmor adaptable to changes and enforces preferred application behavior.
Drawbacks of AppArmor
With AppArmor, more than one path can refer to the same application. These different paths to the same executable create multiple profiles for one app, which is a potential security issue.
Furthermore, AppArmor's greatest strength, simplicity, is also why the program is considered less secure.
AppArmor doesn't have Multi-Level Security (MLS) and Multi-Category Security (MCS). The lack of MCS support makes AppArmor almost ineffective in environments requiring MLS.
Another drawback is that the policy loading also takes longer, so the system starts up slower.
SELinux
SELinux (Security Enhanced Linux) is a Linux security module built into the Linux kernel. The system gives sysadmins more control over who has access to the resources.
SELinux assigns labels to the system's files, processes, and ports. Label type is vital for targeted policies, while type enforcement is the second most crucial concept in SELinux.
Labeling serves as a grouping mechanism that gives files and processes different types of labels. The type enforcement security model helps SELinux determine whether a process with a particular label type has access to a file with another label type.
The system restricts access by default (as opposed to AppArmor). Users must be properly configured to access any resource.
SELinux cashes previous decisions in the Access Vector Cache (AVC), for example, allowing or restricting access. Cashing decisions speeds up the access control process. For instance, if an application tries to access a file, SELinux checks against the AVC and permits or denies access based on the previous decision.
RHEL, CentOS, and Fedora have SELinux installed or available by default. To find out the current status of SELinux, execute the following:
sudo sestatus
Note: Follow our guides to enable SELinux on CentOS or to disable SELinux on CentOS.
Advantages of SELinux
Despite (and due to) the complex policies, SELinux is considered the more secure option for Linux security.
Labeling and type enforcement allow SELinux to grant access only if a policy rule allows it. This process implements a more robust and in-depth access control.
By being MLS-compatible, SELinux offers better access features. For instance, one of the basic MLS principles is that users can only read files at their sensitivity level and lower. However, with SELinux, sysadmins can read and write files at their own and lower sensitivity levels.
By default, the system separates files from each other and the host and maintains the separation. For instance, a file has different sets of permissions for:
- The owner (user).
- A group holding the file.
- Other users/groups accessing the file.
Note: Caching access decisions is also a significant benefit as the process improves efficiency.
Drawbacks of SELinux
SELinux provides sysadmins with a versatile access control tool. However, this security module has some disadvantages.
SELinux is quite difficult to learn, set up, and manage. While the program efficiently controls access to applications and files, troubleshooting potential issues is difficult for beginners. It is not always easy to determine what an error message actually means and where to look for the issue. Overall, SELinux is not user-friendly and non-experienced admins may face a steep learning curve.
Important: SELinux often denies an action if files are incorrectly labeled.
Conclusion
After reading this text, you know the advantages and drawbacks of SELinux and AppArmor. Both systems offer different approaches to Linux security and protect machines against unauthorized access and modification of system resources.
You might want to learn about other ways to protect your system, like using immutable backups to fight ransomware or different procedures for database protection.