Preparatory Note
Ubuntu defaults to AppArmor for mandatory access control (MAC), not SELinux. To use SELinux on Ubuntu, you must first install and enable it, which may introduce compatibility considerations with existing AppArmor policies.
Before configuring SELinux, install the necessary packages to support its functionality:
sudo apt update
sudo apt install selinux-basics selinux-policy-default auditd audispd-plugins
The selinux-basics package installs core SELinux utilities (including selinux-activate, which writes the initial configuration and schedules a filesystem relabel on the next boot), while selinux-policy-default provides a default policy. The auditd suite is required to log SELinux denial events.
After installation, enable SELinux to start enforcing access controls. The mode can be set in two ways:
Use setenforce to switch modes without rebooting (takes effect immediately but resets after restart):
sudo setenforce 1 # Enable enforcing mode
sudo setenforce 0 # Switch to permissive mode (logs violations without enforcement)
Edit the /etc/selinux/config file to set the default mode. Open the file in a text editor (e.g., nano) and update the SELINUX line:
sudo nano /etc/selinux/config
Change the line to:
SELINUX=enforcing
Save the file and reboot the system to apply the change:
sudo reboot
Verify the current mode with:
sestatus
The output should show SELinux status: enabled and Current mode: enforcing.
SELinux operates in three modes: enforcing (denied actions are blocked and logged), permissive (denied actions are allowed but logged), and disabled (no policy is loaded).
Use setenforce for temporary changes and the /etc/selinux/config file for permanent adjustments.
SELinux uses security contexts (labels) to define access rules for files/directories. Use the semanage fcontext command to modify these contexts:
For example, to label the /home/user1/documents directory as user_home_t (a context for user home directories), run:
sudo semanage fcontext -a -t user_home_t "/home/user1/documents(/.*)?"
The -a flag adds the rule, and -t specifies the target context. This only records the mapping; use restorecon to apply the new context to the directory and its contents:
sudo restorecon -Rv /home/user1/documents
The -R flag recursively applies the context, and -v enables verbose output.
For granular control (e.g., restricting an application's access), create custom policies using .te (Type Enforcement) files:
Create a .te file (e.g., myapp.te) with rules defining allowed actions. Example: allow a custom app domain (myapp_t) to read and write files labelled httpd_sys_rw_content_t, the type used for writable web content under /var/www/html:
module myapp 1.0;

require {
    type httpd_sys_rw_content_t; # Existing label for writable web content (e.g. under /var/www/html)
    class dir { read search open getattr }; # Resource classes and the permissions this module uses
    class file { read write open getattr };
}

# Declare the new domain for the application
type myapp_t;

# Allow myapp_t to list the directory and read/write the files labelled httpd_sys_rw_content_t.
# Reference-policy interfaces such as init_daemon_domain() are m4 macros expanded only by the
# refpolicy build system; a module compiled directly with checkmodule must use plain allow rules.
allow myapp_t httpd_sys_rw_content_t:dir { read search open getattr };
allow myapp_t httpd_sys_rw_content_t:file { read write open getattr };
Use checkmodule and semodule_package to compile the .te file into a loadable module, then install it:
checkmodule -M -m -o myapp.mod myapp.te
semodule_package -o myapp.pp -m myapp.mod
sudo semodule -i myapp.pp
Run the application and check the audit log for denials involving it:
sudo ausearch -c 'myapp' --raw | grep myapp
If issues arise, adjust the .te file and reload the policy.
When SELinux blocks an action, it logs the event to /var/log/audit/audit.log. Use these tools to analyze and resolve issues:
Search recent AVC (access vector cache) denial records:
sudo ausearch -m AVC -ts recent
Summarize AVC denials (aureport's -a option selects the AVC report):
sudo aureport -a
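To show how denial records map onto the allow rules of a .te module, here is an added example (not part of the original tutorial) that reads audit records and prints one candidate allow rule per source type, target type and class; the sample records and the myapp_t domain are constructed. It is a minimal stand-in for audit2allow, and each emitted rule should be checked against what the application actually needs before it goes into the module.

```shell
#!/bin/sh
# Added example: derive candidate allow rules from AVC denial records.
# Input lines use the format found in /var/log/audit/audit.log.

# Constructed sample records (hypothetical myapp_t domain); the SYSCALL
# line is there to show that non-AVC records are ignored.
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:501): avc:  denied  { write } for  pid=1234 comm="myapp" name="index.html" dev="sda1" ino=1001 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:502): avc:  denied  { read } for  pid=1234 comm="myapp" name="index.html" dev="sda1" ino=1001 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=257 success=no exit=-13 comm="myapp"
type=AVC msg=audit(1700000000.103:503): avc:  denied  { search } for  pid=1234 comm="myapp" name="html" dev="sda1" ino=1000 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0'

# avc_to_allow: read audit records on stdin and print one
#   allow <source_t> <target_t>:<class> { perms };
# line per (source type, target type, class), merging the denied
# permissions. Each rule is a candidate only: confirm the application
# really needs that access before adding it to the .te file.
avc_to_allow() {
    awk '/^type=AVC / && / denied / {
            # the denied permissions sit between "{" and "}"
            perms = $0
            sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
            src = tgt = cls = ""
            for (i = 1; i <= NF; i++) {
                # contexts are user:role:type:level; the type is field 3
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
                else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
            }
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
        }' \
    | LC_ALL=C sort -u \
    | awk '{
            key = $1 " " $2 ":" $3
            if (key != prev) {
                if (prev != "") print "allow " prev " { " acc " };"
                prev = key; acc = $4
            } else {
                acc = acc " " $4
            }
        }
        END { if (prev != "") print "allow " prev " { " acc " };" }'
}

# Usage on the constructed sample; on a real host pipe in
#   sudo ausearch -m AVC -ts recent --raw
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```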
Update the .te file to allow the required access (e.g., add allow rules for the missing permissions) and reload the policy.
By following these steps, you can implement mandatory access control on Ubuntu using SELinux. Remember to test policies thoroughly in permissive mode before enforcing them to avoid disrupting system operations.