An up-to-date Linux system is very secure, with built-in protection from virus attacks and other essential security features. However, in today’s world of remote access and international e-commerce, the stakes are high, and some CIOs and network managers want to know if they can make their Linux systems even safer. Another option for adding another layer of security to your Linux environment is to integrate Mandatory Access Control (MAC).
Mandatory Access Control is a concept that grew out of the multilevel security systems used for military secrets and other privileged information. The best way to understand MAC is to consider how it differs from the conventional Unix-based Discretionary Access Control (DAC) systems used in off-the-shelf Linux environments.
A traditional Linux system assigns read/write/execute privileges to a resource and lets the owner or administrator grant access to users and groups. A superuser (often called the “root” user) has complete control over the system and can access or grant access to any resource. If everyone behaves and no one makes a mistake, it’s flexible, easy to understand, and very secure. But what if the owner of a resource inadvertently gives access to someone who shouldn’t have it? Or, perhaps more importantly, what if the user account is compromised, and an intruder exploits the flexibility built into the DAC system to escalate privileges?
The presence of the all-powerful “root” account is another feature that is inconsistent with the granular security principles used in highly secure organizations. Highly-secure environments tend to assign roles to system administrators based on precise responsibilities. Mandatory Access Control lets you create policies that give users the minimum necessary privileges and prevent changes and privilege escalation. Everything in IT has a cost, so before you adopt a system for Mandatory Access Control, be sure it is what you need. The loss of flexibility can add overhead and complications for business processes, sometimes forcing administrative intervention for what would otherwise be an ordinary task.
The two most popular tools for mandatory access control in Linux are SELinux and AppArmor. Red Hat-based distros such as CentOS 7 and CentOS 8 are pre-configured for SELinux. Ubuntu and openSUSE use AppArmor; however, developers can always uninstall AppArmor and set up SELinux if you are more accustomed to it or feel it will work better for your environment. AppArmor and SELinux both take the form of Linux kernel modules and can be configured to run on most major Linux systems, although the degree of technical support can vary.
In general, AppArmor is easier to configure and operate; however, although AppArmor is very safe—and significantly safer than operating without a mandatory access control framework—SELinux provides a deeper and more versatile level of protection. AppArmor is designed for protecting files and other resources; however, it does not offer equivalent protection for processes. Also, because AppArmor references resources by path, an intruder who is already on the system could theoretically play some tricks with hard links that wouldn’t be possible using the inode-based SELinux.
SELinux was originally developed based on research by the National Security Agency (NSA), a national-level intelligence agency of the United States Department of Defense. It offers a more airtight approach to access control. However, because it is more difficult to configure and operate, expect it to require additional configuration time and a longer learning curve for IT staff.
With team buy-in, the benefits of a MAC are many and can pave the way for a security-first awareness that’s felt through an entire company structure.
“an intruder who is already on the system could theoretically play some tricks with hard links that wouldn’t be possible using the Linode-based SELinux.”
That should probably be “inode-based”.
Hey Rudolph – thanks for bringing this to our attention! I’ll let our team know so that they can review this.