AppArmor is an alternative context-based permissions scheme and MAC implementation for Linux. Whereas SELinux is more commonly associated with RHEL, AppArmor is packaged with Debian-based and SUSE Linux distros. AppArmor provides the same fundamental service as SELinux, but its approach is different in many significant ways. Perhaps the most overarching difference is that SELinux is very complex and often difficult to configure, whereas AppArmor was designed to be much simpler.
Functionally, the main difference is that AppArmor works with file system objects based on paths, whereas SELinux references inodes directly. These paths are referenced in flat configuration files, or profiles, that AppArmor uses to determine how to control access. This also means that there are no types or domains in AppArmor, only these profiles.
To display the current status of AppArmor profiles, use the below command:
# apparmor_status
If you encounter the below error while running the command:
apparmor_status: command not found
you may try installing the below package as per your choice of distribution:
OS Distribution | Command |
---|---|
Debian | apt-get install apparmor |
Ubuntu | apt-get install apparmor |
Arch Linux | pacman -S apparmor |
Kali Linux | apt-get install apparmor |
Raspbian | apt-get install apparmor |
AppArmor PROFILES
Each executable can have an associated AppArmor profile. Profiles are located in the /etc/apparmor.d/ directory. Within this directory are several text files that are named in a path.binary format. For example, the /bin/dig command binary’s AppArmor configuration file would be located at /etc/apparmor.d/ bin.dig. Within a profile, you can configure two main types of rules: capabilities and path entries. Capabilities provide the executable in question access to some sort of system functionality. For example, the net_bind_service capability enables the executable to bind to a well-known TCP/IP port (port numbers below 1024).
Path entries enable the executable to access a specific file on the file system. As the name suggests, you reference the files by their paths. After the path you specify what permissions you want to grant to this executable for the files. There are several possible permissions, including r for read, w for write, ux for unconfined execute (file being accessed doesn’t have a profile), l for link, and so on.
AppArmor MODES
Each profile operates in one of two modes: complain and enforce. In complain mode, profile violations are logged but not prevented. In enforce mode, profile violations are both logged and prevented.
AppArmor TUNABLES
Tunables enable you to configure AppArmor functionality without directly modifying profiles. For example, profiles may reference a common object or path using a variable name, like @{HOME} to refer to the user’s home directory. If the user’s home directory is not in the default location, you can adjust the appropriate tunable file to account for this. Tunable files are located in the /etc/apparmor.d/tunables/ directory.