AppArmor and Selinux

Quick to answer questions about finding your way around Linux Mint as a new user.
Forum rules
There are no such things as "stupid" questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions use the other forums in the support section.
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Locked
yamadataro

AppArmor and Selinux

Post by yamadataro »

Hi, I'm a Windows user and aspiring Linux migrant. I've been looking at several distros and reading up on anything I should know, and I came across some security issues. Sorry if this sounds idiotic. :-)

While Linux is far more secure than Windows, years of trauma with viruses and other malware has given me this thing about keeping my PC secure (trauma-induced paranoia?). I'd read up on iptables, AppArmor and Selinux, and from what I was able to grasp (not much, I think, correct me if I'm wrong), the latter two are programs (?) you add on top of the system. The same way you put a firewall on top of a Windows PC. And since I'm not only a Linux newbie but also barely above a newbie in terms of computers in general, I don't think I'd want to have to deal with something advanced like Selinux. From what I know, AppArmor is more user-friendly than Selinux except that it's not recommended for real newcomers like me to tinker with, and anyway, Selinux seems more trouble than it's worth.

But I tried out some Live CDs of Linux Mint 11 (and Ubuntu) and saw a selinux folder under filesystems. But I read in this forum, in a post amde some years ago (so I don't know if that's still applicable) that Selinux doesn't come pre-installed at least with Linux Mint -- but what is a Selinux folder doing in the filesystems folder if it's not?

Are there more newbie-friendly applications I can use instead of AppArmor and Selinux?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
User avatar
xenopeek
Level 25
Level 25
Posts: 29507
Joined: Wed Jul 06, 2011 3:58 am

Re: AppArmor and Selinux

Post by xenopeek »

selinux folder I think is there as a placeholder, for compatibility reasons perhaps.

To improve security there are three areas you want to consider:
1. Security against internet threats
2. Security against software threats
3. Security against physical threats

1. Security against internet threats
For the first, activate your firewall, set it to default deny, and you will be blocking most unsolicited incoming traffic (that is, data coming to your machine without you having requested it--i.e., somebody trying to see if you have services running that they can hack). If you go to Menu > Control Center > Firewall Configuration, unlock it and put a checkmark on enabled you are up and running. Usually your broadband modem also has a built-in firewall, so you were already protected. But better safe than sorry (defense in depth is a good thing; having multiple layers of defenses).

With "sudo ufw show listening" command run from a terminal, you can see which services are listening to internet ports. On the default installation that is quite a lot. If you take steps, you can reduce it to only dhclient listening on UDP port 68. You need that to get an IP address from your broadband modem (unless you take the step to give your machine a fixed IP address). If you do not need interoperability with Windows or Apple computers, you can disable the Samba (for Windows) and Avahi (for Apple, but also Linux applications like Giver) services.

Code: Select all

# Disable Samba (Windows networking)
sudo initctl stop nmbd
echo manual | sudo tee -a /etc/init/nmbd.override

sudo initctl stop smbd
echo manual | sudo tee -a /etc/init/smbd.override

# Disable Avahi (Zeroconf)
sudo initctl stop avahi-daemon
echo manual | sudo tee -a /etc/init/avahi-daemon.override
You can do a remote ports probe to test your current security. You can check the status of your firewall with "sudo ufw status verbose".

2. Security against software threats
The difference between Linux and Windows is that you can install most software that you need from a trusted source, through the Software Manager from the software repositories of the Linux Mint team and the Ubuntu team. On Windows, if you don't know what you are doing, you download it from who knows where, and surprise surprise it is either malware, spyware, installs a rootkit or it carries a virus. But just as on Windows, if you install software from all kinds of locations, randomly downloaded from the internet, you are just as easy a target on Linux (though the amount of malicious software is less, as Linux is not a primary target due to the low marketshare--Windows and Apple are much more interesting targets). So only install software from trusted sources, preferably through the Software Manager, and that would be your first line of defense (the same strategy applies to Windows, but you don't have a central repository from which you can get your software).

Linux has an advanced filesystem level security model, where files can be locked down so they can only be executed, written to or read by the owner of the file, or a specific group of users. If you are logged in with you normal account, you can not access system files or system configuration. You can only access your personal files and your personal settings for applications. You are asked to provide your password to do any more than that. Any application is held to the same restrictions.

While that is a good defense against users or programs touching files that they shouldn't, AppArmor and SELinux go much further than that. Basically AppArmor is there to protect the application itself; the application is restricted to be able to do only that which it needs to do. Instead of the filesystem based security model, where you can either say "everybody can access this file" or "only this user or group of users can", AppArmor has a security profile for each application and restricts that application to only doing what it should according to the security profile--on top of the filesystem level security. So even if everybody is allowed to access all files, but this application only needs to be able to access one specific file--it will be prevented by AppArmor from accessing any file other than that one--even though the filesystem level security would have allowed the application to do it. This protects you against bugs in the software, any malicious code that was added by a third party, and also against internet attacks against that application if it connects to the internet.

I don't have experience with SELinux, but it goes much further than AppArmor (hey, it was designed at the NSA :wink:). It is also much harder to configure.

AppArmor is relatively easy. To get started, install some standard profiles and enable them all. The latter two commands tell you the status of apparmor and which applications are running unconfined by apparmor.

Code: Select all

sudo apt-get install apparmor-profiles
sudo aa-enforce /etc/apparmor.d/*
sudo apparmor_status
sudo aa-unconfined
To learn more about AppArmor, visit:
https://wiki.ubuntu.com/SecurityTeam/FAQ
https://help.ubuntu.com/community/AppArmor
https://wiki.ubuntu.com/SecurityTeam/Kn ... orProfiles

3. Security against physical threats
Lastly, you should consider physical threats. Who has physical access to your machine while you are away? Can you trust those persons not to do things they shouldn't on your machine? With physical access, a password is not needed to become root and unless you have an encrypted home folder all your personal files can be accessed. Even with an encrypted home folder, or unsafe full disk encrypted (safe full disk encryption is when /boot is on a USB stick you keep with you so the machine can't be booted without the USB stick), software could be installed on your machine to run as root and "phone home" the keys you press or your files, after you have logged in to your encrypted system.
Image
yamadataro

Re: AppArmor and Selinux

Post by yamadataro »

I see. Thanks a lot!
aes2011
Level 4
Level 4
Posts: 498
Joined: Wed Jul 06, 2011 10:39 pm

Re: AppArmor and Selinux

Post by aes2011 »

xenopeek wrote:...
AppArmor is relatively easy. To get started, install some standard profiles and enable them all. The latter two commands tell you the status of apparmor and which applications are running unconfined by apparmor.

Code: Select all

sudo apt-get install apparmor-profiles
sudo aa-enforce /etc/apparmor.d/*
sudo apparmor_status
sudo aa-unconfined
...
Hi,

Code: Select all

sudo aa-unconfined
gives this error:

Code: Select all

sudo: aa-unconfined: command not found
User avatar
xenopeek
Level 25
Level 25
Posts: 29507
Joined: Wed Jul 06, 2011 3:58 am

Re: AppArmor and Selinux

Post by xenopeek »

The commands previously shared worked on Linux Mint 11. At least on Linux Mint 13 I see that apparmor is by default not installed. To get all the commands working, make sure you have installed also apparmor-utils:

Code: Select all

sudo aptitude install apparmor-utils
With apparmor-utils also installed, you get the aa-unconfined command.
Image
Locked

Return to “Beginner Questions”