OS Security Hardening: SELinux, AppArmor, and seccomp Explained
Learn how SELinux, AppArmor, and seccomp enforce mandatory access control and sandboxing in Linux.
20+ years shipping production systems from the metal up. Written from production experience, not tutorials.
- ✓Basic Linux command-line skills
- ✓Understanding of file permissions and processes
- ✓Familiarity with Docker (for seccomp examples)
- SELinux, AppArmor, and seccomp are Linux security modules that restrict processes beyond traditional Unix permissions.
- SELinux uses a security policy with labels and rules for fine-grained control; AppArmor uses path-based profiles.
- seccomp limits system calls a process can make, reducing kernel attack surface.
- These tools prevent privilege escalation and contain breaches even if an application is compromised.
- They are critical for container security (Docker, Kubernetes) and multi-tenant environments.
Imagine a building with a security guard (traditional permissions) who checks IDs at the entrance. SELinux and AppArmor are like additional guards inside each room who check a detailed badge (security context) before allowing any action. seccomp is like a list of allowed tools a worker can use—if they try to use a banned tool, the guard stops them. Together, they ensure that even if an intruder gets past the front door, they can't roam freely or use dangerous tools.
In the world of Linux security, traditional Unix permissions (read, write, execute) are like a single lock on the front door. Once a user or process is authenticated, they can access almost any resource within their user ID's scope. But what if a vulnerability allows an attacker to execute code as a legitimate user? That's where Mandatory Access Control (MAC) systems like SELinux and AppArmor come in. They enforce security policies that restrict what processes can do, regardless of the user's identity. Additionally, seccomp (secure computing mode) limits the system calls a process can make, drastically reducing the kernel attack surface. These three tools are the backbone of modern Linux security, used in everything from Android to cloud containers. In this tutorial, you'll learn how they work, how to configure them, and how to debug issues when they block legitimate operations. We'll also walk through a real-world production incident where a misconfigured SELinux policy caused a major outage, and how to avoid similar pitfalls.
What is SELinux?
SELinux (Security-Enhanced Linux) is a mandatory access control (MAC) system built into the Linux kernel. It was originally developed by the NSA to enforce the principle of least privilege. Every process and file has a security context (e.g., user:role:type:level). SELinux policies define rules that allow or deny operations based on these contexts. For example, a web server process with type httpd_t can only read files labeled httpd_sys_content_t. Even if the process runs as root, it cannot access files with a different label. This confinement limits damage from exploits. SELinux can run in enforcing mode (deny and log), permissive mode (log only), or disabled. Most Linux distributions (RHEL, Fedora, CentOS) ship with SELinux enabled by default.
restorecon after deployment.What is AppArmor?
AppArmor (Application Armor) is another MAC system, but it uses path-based profiles instead of security labels. Each profile defines what files, capabilities, and network access a program can have. For example, a profile for /usr/sbin/nginx might allow read access to /var/www/html/ and write access to /var/log/nginx/. AppArmor is simpler to configure than SELinux and is the default on Ubuntu and Debian. Profiles can be in enforce mode (deny and log) or complain mode (log only). AppArmor is often used in container runtimes like LXD and Docker (via AppArmor profiles).
What is seccomp?
seccomp (secure computing mode) is a Linux kernel feature that restricts the system calls a process can make. It is not a MAC system; it operates at the syscall level. seccomp can be used in two modes: strict mode (only read, write, exit, sigreturn) and filter mode (using BPF to define allowed syscalls). seccomp is commonly used in container runtimes (Docker, runc) to reduce the kernel attack surface. For example, a container might be allowed to call open, read, write, but not mount or reboot. If a process attempts a blocked syscall, it is killed with SIGSYS or the syscall fails with an error. seccomp is essential for sandboxing untrusted code.
strace to identify required syscalls and build a minimal profile.Comparing SELinux, AppArmor, and seccomp
While all three enhance security, they operate at different layers. SELinux and AppArmor are MAC systems that control access to files, capabilities, and inter-process communication. seccomp controls system calls. SELinux uses labels and a centralized policy; AppArmor uses path-based profiles; seccomp uses BPF filters. SELinux is more complex but offers finer granularity (e.g., type enforcement, multi-level security). AppArmor is simpler and easier to manage. seccomp is lightweight and often used in containers. In practice, you might use SELinux or AppArmor for host-level confinement and seccomp for additional syscall filtering in containers.
Practical Configuration Examples
Let's walk through a practical scenario: securing a web server. We'll configure SELinux to allow Apache to read files in /var/www/html and connect to a database. Then we'll create an AppArmor profile for the same. Finally, we'll add a seccomp filter for the Apache process. For SELinux, we need to ensure the file context is httpd_sys_content_t and enable the httpd_can_network_connect boolean. For AppArmor, we create a profile in /etc/apparmor.d/usr.sbin.httpd. For seccomp, we use a Docker container with a custom profile.
audit2allow to generate custom SELinux policies from denials.Debugging and Troubleshooting
When an application fails due to SELinux, AppArmor, or seccomp, the symptoms often look like permission errors. For SELinux, check /var/log/audit/audit.log with ausearch. Use audit2why to get a human-readable explanation. For AppArmor, check /var/log/syslog or dmesg. Use aa-status to see profile modes. For seccomp, check dmesg for 'seccomp' messages. Temporarily set SELinux to permissive or AppArmor to complain to identify the exact denial. For seccomp, use strace to see which syscall is blocked. Always revert to enforcing/enforce mode after debugging.
auditd and fail2ban to detect and respond to security denials quickly.The SELinux Policy That Took Down a Web Farm
restorecon -v /var/www/html/index.html and verified with ls -Z.- Always check SELinux context when files are moved or copied from non-standard locations.
- Use
audit2whyandaudit2allowto interpret SELinux denials. - Set SELinux to permissive mode temporarily for debugging, but never in production.
- Automate context restoration in deployment scripts.
- Monitor SELinux audit logs (ausearch) proactively.
ausearch -m avc -ts recent. Use audit2why to get human-readable explanation.dmesg for 'apparmor' entries. Use aa-status to see loaded profiles. Temporarily set profile to complain mode: aa-complain /path/to/profile.strace to identify blocked syscall. Adjust seccomp filter or add allowed syscall.ausearch -m avc -ts recentaudit2why < /var/log/audit/audit.log| File | Command / Code | Purpose |
|---|---|---|
| selinux_check.sh | sestatus | What is SELinux? |
| apparmor_check.sh | sudo aa-status | What is AppArmor? |
| seccomp_example.sh | cat /proc/sys/kernel/seccomp/actions_avail | What is seccomp? |
| configure_web_server.sh | sudo setsebool -P httpd_can_network_connect on | Practical Configuration Examples |
| debug_security.sh | sudo ausearch -m avc -ts recent | audit2why | Debugging and Troubleshooting |
Key takeaways
Common mistakes to avoid
3 patternsDisabling SELinux because it's 'too hard'
Setting file permissions to 777 to fix 'Permission denied'
Using a too-restrictive seccomp profile that breaks the application
Interview Questions on This Topic
Explain the difference between DAC and MAC.
Frequently Asked Questions
20+ years shipping production systems from the metal up. Written from production experience, not tutorials.
That's Operating Systems. Mark it forged?
3 min read · try the examples if you haven't