Linux Security Modules and Mandatory Access Control
Linux Security Modules (LSM) provide mandatory access control (MAC) beyond traditional discretionary access control. AppArmor and SELinux represent the most common LSM implementations for container security. These systems enforce security policies that even root users cannot override, providing strong containment for compromised containers. Understanding and implementing LSM policies significantly enhances container isolation.
AppArmor provides path-based access control with relatively simple policy syntax. Container runtimes like Docker include default AppArmor profiles that restrict common attack vectors. Custom profiles can further limit container capabilities based on specific application requirements. AppArmor's learning mode helps generate policies by observing application behavior, simplifying policy creation for complex applications.
# Example: Custom AppArmor profile for a web application container
#include <tunables/global>

profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  # Network access
  network inet tcp,
  network inet udp,
  network inet icmp,
  network netlink raw,

  # File access
  /usr/sbin/nginx ix,
  /usr/lib/nginx/** r,
  /etc/nginx/** r,
  /var/log/nginx/** rw,
  /var/cache/nginx/** rw,
  /var/run/nginx.pid rw,
  /run/nginx.pid rw,

  # Deny access to sensitive files. Note: the nginx master process resolves the
  # "user" directive with getpwnam(), which reads /etc/passwd; if workers fail to
  # start under this profile, allow "/etc/passwd r," and keep the /etc/shadow deny.
  deny /etc/passwd r,
  deny /etc/shadow r,
  deny /proc/*/mem r,
  deny /sys/kernel/** r,

  # Deny potentially dangerous operations
  deny @{PROC}/** w,
  deny mount,
  deny umount,
  deny pivot_root,

  # Allow required capabilities. AppArmor is default-deny, so every capability
  # not listed here is already refused; an explicit "deny capability," rule would
  # take precedence over these allow rules and revoke them as well.
  capability net_bind_service,
  capability setuid,
  capability setgid,
  capability dac_override,

  # Signal permissions
  signal (send) peer=docker-nginx,
  signal (receive) peer=unconfined,

  # Temporary file creation
  owner /tmp/** rw,
  owner /var/tmp/** rw,
}
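The policy-tuning loop the text describes (observe denials, then extend the profile) can be checked against the profile above. The script below is an added example, not code from the page or from the AppArmor project: it parses constructed AppArmor audit records in the kernel's `apparmor="DENIED"` format, turns unexpected denials into candidate rules for review (roughly what aa-logprof does), and treats hits on the profile's explicit deny rules as alerts rather than policy gaps. The log lines, PIDs and paths are constructed samples.

```python
import re
from collections import Counter
from fnmatch import fnmatch

# Constructed sample audit records in the format auditd/dmesg receive from AppArmor.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="docker-nginx" name="/etc/hosts" pid=4121 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1700000000.102:202): apparmor="DENIED" operation="open" profile="docker-nginx" name="/etc/hosts" pid=4122 comm="nginx" requested_mask="r" denied_mask="r" fsuid=101 ouid=0
type=AVC msg=audit(1700000000.103:203): apparmor="DENIED" operation="capable" profile="docker-nginx" pid=4121 comm="nginx" capability=12 capname="net_admin"
type=AVC msg=audit(1700000000.104:204): apparmor="ALLOWED" operation="open" profile="docker-nginx" name="/var/log/nginx/access.log" pid=4122 comm="nginx" requested_mask="w" denied_mask="w" fsuid=101 ouid=101
type=AVC msg=audit(1700000000.105:205): apparmor="DENIED" operation="open" profile="docker-nginx" name="/etc/shadow" pid=4130 comm="sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Paths the profile above denies on purpose; a denial here is an alert, not a policy gap.
INTENDED_DENIES = ["/etc/passwd", "/etc/shadow", "/proc/*/mem", "/sys/kernel/**"]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return the key=value fields of one audit line, with quotes stripped."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}

def is_intended_deny(path):
    # fnmatch's '*' already crosses '/', so AppArmor's '**' maps onto a single '*'.
    return any(fnmatch(path, pat.replace("**", "*")) for pat in INTENDED_DENIES)

def suggest_rule(rec):
    """Translate one DENIED record into a candidate AppArmor rule for human review."""
    if rec.get("operation") == "capable":
        return f'capability {rec["capname"]},'
    if "name" in rec and "denied_mask" in rec:
        return f'{rec["name"]} {rec["denied_mask"]},'
    return None  # other operation types (e.g. signal, mount) are left for manual review

def triage(log_text):
    """Return (denials per profile, sorted candidate rules, alerts on intended denies)."""
    counts, candidates, alerts = Counter(), set(), []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("apparmor") != "DENIED":
            continue  # ALLOWED/AUDIT records come from complain mode and are not denials
        counts[rec.get("profile")] += 1
        if is_intended_deny(rec.get("name", "")):
            alerts.append((rec["comm"], rec["name"]))
        else:
            rule = suggest_rule(rec)
            if rule:
                candidates.add(rule)
    return counts, sorted(candidates), alerts

if __name__ == "__main__":
    counts, candidates, alerts = triage(SAMPLE_LOG)
    print("denials per profile:", dict(counts))
    print("candidate rules to review:", candidates)
    print("alerts (intended deny rules hit):", alerts)
```

Candidate rules are suggestions only; each one widens the profile and should be justified against the application's real requirements before it is added.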
SELinux provides label-based access control with fine-grained security contexts. While more complex than AppArmor, SELinux offers superior granularity for high-security environments. Container platforms can leverage SELinux Multi-Category Security (MCS) to isolate containers automatically. Custom SELinux policies enable precise control over container interactions with host resources.