Both are security technologies classified as MAC (Mandatory Access Control). SELinux was created by the NSA (National Security Agency), while AppArmor became popular after it was adopted by Ubuntu Linux.
The main idea is to provide mechanisms that extend the basic rwx permission scheme. Among other things, they offer the ability to restrict the access of system processes to files, directories, network ports, etc.
AppArmor offers an auto-learn mode, which is capable of learning how a system should operate, while SELinux ships in enforcing mode by default since CentOS 6.
SELinux stands for Security Enhanced Linux and it can operate in two modes:
enforcing: SELinux will deny access based on its policy rules, a set of guidelines that control its engine.
permissive: SELinux won't deny access, but denials will be logged for actions that would have been denied if running in enforcing mode.
You have the choice to completely disable SELinux, however, it is not recommended these days! It's better to learn how to take advantage of this excellent tool.
You can verify the current operation mode of SELinux using the getenforce command, and you can change it with setenforce 0 (permissive mode) or setenforce 1 (enforcing mode). To persist this change across reboots you need to set the SELINUX variable in the SELinux configuration file.
To set SELINUX from or to disabled mode you will have to edit that file and reboot your system.
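The persisted setting is a single SELINUX= line, so it is easy to read and validate before touching the real file. The helpers below are an added example, not code from the original post: they take the configuration file path as an argument and operate on a constructed sample file rather than the system's own configuration.

```shell
# Added example (not from the original post): helpers that read and update the
# SELINUX= setting in an SELinux configuration file. The file path is taken as
# an argument; the sample file below is constructed here for demonstration.

# Print the persisted mode (enforcing|permissive|disabled) from a config file,
# ignoring commented lines. Only the last uncommented SELINUX= line counts.
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Rewrite SELINUX= in the config file. Refuses unknown values, because a typo
# here silently leaves the system without the protection you think it has.
set_selinux_config_mode() {
    file=$1
    mode=$2
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
    esac
    old=$(selinux_config_mode "$file")
    if grep -q '^SELINUX=' "$file"; then
        sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'SELINUX=%s\n' "$mode" >> "$file"
    fi
    # Switching from or to disabled only takes effect after a reboot.
    if [ "$mode" = disabled ] || [ "$old" = disabled ]; then
        echo "note: a reboot is required for a change from or to disabled" >&2
    fi
}

# Build a constructed sample config file and print its path.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# This file controls the state of SELinux on the system (constructed sample).
# SELINUX=disabled   <- commented out, must be ignored
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    echo "$f"
}

# Demonstration run on the constructed file.
cfg=$(make_sample_config)
echo "persisted mode: $(selinux_config_mode "$cfg")"
set_selinux_config_mode "$cfg" permissive
echo "after change:   $(selinux_config_mode "$cfg")"
rm -f "$cfg"
```

The parser matches only lines that begin with SELINUX= followed immediately by the value, so the commented-out line and SELINUXTYPE= are left alone; the writer goes through a temporary file so a failed sed never truncates the original.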
As a common use case, let's see how to change the port the SSH daemon listens on to 2222:
- Make sure you have the semanage tool installed:
yum install -y policycoreutils-python
- Tell SELinux that port 2222 is allowed to be used by the ssh process:
# check all ports managed by SELinux
semanage port -l
# Customize ssh to run on port 2222/tcp
semanage port -a -t ssh_port_t -p tcp 2222
# check all customized ports managed by SELinux
semanage port -lC
Another common scenario is to change the default DocumentRoot folder allowed for a web server. Let's add /srv/www to the list of allowed directories:
semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
The above command will grant Apache read-only access to that directory and its contents.
Finally, apply the policy, making the label change effective immediately:
restorecon -R -v /srv/www
If things are still not working as expected, you can look for the AVC string in the audit log.
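An AVC record names the process, the denied permission, the object class and the source and target labels, which is exactly what you need to decide whether a port or file label from the two scenarios above is missing. The script below is an added example, not part of the original post: it takes the log path as an argument and runs against constructed audit lines (the ssh-on-2222 and DocumentRoot cases, plus a granted record and a SYSCALL record that must be ignored).

```shell
# Added example (not from the original post): summarize AVC denials from an
# audit log so the offending process, permission and labels are visible at a
# glance. The log path is an argument; the sample lines below are constructed.

# One line per denial: comm, permissions, object class, source and target types.
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; comm = ""; sc = ""; tc = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {                          # permissions: { read open }
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            } else if (index($i, "comm=") == 1) {     # comm="sshd"
                comm = substr($i, 6); gsub(/"/, "", comm)
            } else if (index($i, "scontext=") == 1) { # user:role:type:level -> type
                split(substr($i, 10), a, ":"); sc = a[3]
            } else if (index($i, "tcontext=") == 1) {
                split(substr($i, 10), b, ":"); tc = b[3]
            } else if (index($i, "tclass=") == 1) {
                cls = substr($i, 8)
            }
        }
        printf "comm=%s perm=%s tclass=%s source=%s target=%s\n", comm, perm, cls, sc, tc
    }' "$1"
}

# Number of denials in the log.
avc_denial_count() {
    summarize_avc "$1" | wc -l | tr -d ' '
}

# Map each denial to the kind of label fix discussed above.
suggest_remedy() {
    summarize_avc "$1" | while IFS= read -r line; do
        case "$line" in
            *perm=name_bind*tclass=tcp_socket*)
                echo "$line -> port label missing: semanage port -a -t <type>_port_t -p tcp <port>" ;;
            *tclass=file*|*tclass=dir*)
                echo "$line -> file label wrong: semanage fcontext -a -t <type> '<path>(/.*)?' and restorecon -R -v <path>" ;;
            *)
                echo "$line -> check the denied permission against the policy before changing anything" ;;
        esac
    done
}

# Constructed sample audit log (three AVC records, one SYSCALL record).
make_sample_audit_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_bind } for  pid=1234 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=49 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd"
type=AVC msg=audit(1700000000.202:202): avc:  denied  { read open } for  pid=2345 comm="httpd" name="index.html" dev="sda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.303:203): avc:  granted  { setenforce } for  pid=3456 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
    echo "$f"
}

log=$(make_sample_audit_log)
echo "denials: $(avc_denial_count "$log")"
suggest_remedy "$log"
rm -f "$log"
```

The httpd denial shows a file labelled var_t instead of httpd_sys_content_t, which is what a DocumentRoot moved without the semanage fcontext and restorecon steps looks like; the sshd denial on tcp_socket name_bind is what a port change without the semanage port step looks like.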
You can get more help at SELinux Official Documentation.
AppArmor uses profiles defined in text files instead of a policy managed by commands. Several of them are provided out of the box, under /etc/apparmor.d/.
You can check the current AppArmor status by running its status command.
To switch a profile between complain and enforce modes, e.g. the smbd profile, we can run:
aa-complain /etc/apparmor.d/usr.sbin.smbd
aa-enforce /etc/apparmor.d/usr.sbin.smbd
The above commands also accept bash wildcards, so multiple profiles can be changed at once.
To entirely disable a profile, we just have to create a symlink to its file in the /etc/apparmor.d/disable/ directory, like so:
sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/
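Because profile state lives in files and symlinks, it can be audited with ordinary shell tools. The helpers below are an added example, not code from the original post or from the AppArmor project: the directory argument stands in for /etc/apparmor.d, the profile names and contents are constructed, and the complain check relies on aa-complain recording the mode in the profile header as flags=(complain).

```shell
# Added example (not from the original post): inspect and disable AppArmor
# profiles in a profile directory using the same symlink convention as the
# command above. The directory is an argument; the sample profiles are constructed.

# State of one profile: missing | disabled | complain | enforce.
# aa-complain records its mode in the profile header as flags=(complain);
# a symlink under disable/ marks the profile as not to be loaded.
apparmor_profile_state() {
    dir=$1
    name=$2
    if [ ! -f "$dir/$name" ]; then
        echo missing
    elif [ -L "$dir/disable/$name" ]; then
        echo disabled
    elif grep -Eq 'flags=\([^)]*complain' "$dir/$name"; then
        echo complain
    else
        echo enforce
    fi
}

# Mirror of "ln -s /etc/apparmor.d/<profile> /etc/apparmor.d/disable/".
disable_profile() {
    dir=$1
    name=$2
    [ -f "$dir/$name" ] || { echo "no such profile: $name" >&2; return 1; }
    mkdir -p "$dir/disable"
    ln -sf "$dir/$name" "$dir/disable/$name"
}

# Tabulate every profile in the directory with its state.
list_profile_states() {
    dir=$1
    for p in "$dir"/*; do
        [ -f "$p" ] || continue
        name=${p##*/}
        printf '%-10s %s\n' "$(apparmor_profile_state "$dir" "$name")" "$name"
    done
}

# Constructed sample profile directory; prints its path.
make_sample_apparmor_dir() {
    d=$(mktemp -d)
    printf '/usr/sbin/smbd flags=(complain) {\n}\n' > "$d/usr.sbin.smbd"
    printf '/usr/sbin/mysqld {\n}\n' > "$d/usr.sbin.mysqld"
    printf '/usr/sbin/sshd flags=(attach_disconnected) {\n}\n' > "$d/usr.sbin.sshd"
    mkdir -p "$d/disable"
    echo "$d"
}

d=$(make_sample_apparmor_dir)
list_profile_states "$d"
disable_profile "$d" usr.sbin.mysqld
echo "after disabling mysqld:"
list_profile_states "$d"
rm -rf "$d"
```

The disabled check looks only at the symlink, which is what the AppArmor init scripts consult when loading profiles; a profile that is already loaded in the kernel stays active until profiles are reloaded, so a listing like this tells you what the next boot will enforce, not necessarily what is enforced right now.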
You can get more information on AppArmor in the Ubuntu AppArmor Community Documentation.