Linux
SELinux & AppArmor
25 flashcards · answers and review in the app — launching soon
A daemon already runs under its own restricted account with the right rwx permissions, yet you also want the kernel to stop it touching directories it has no business in even if it is hijacked. What extra layer provides this?
When a running process violates an SELinux rule, many people assume SELinux kills the offending program. What does it actually do?
Administrators frequently switch SELinux off the moment the first problem appears. What two structural criticisms of SELinux drive that reaction?
SELinux is described as resting on two pillars. What are they, and why is the first pillar useless without correct data?
You want to see the SELinux context of a file. Which command shows it, and where is that context physically stored?
A file ended up with the wrong SELinux context. You reach for restorecon vs chcon — what is the practical difference between the two?
You serve HTML from a non-standard directory like /var/myotherserver and want the correct SELinux context to survive future restorecon runs. What's the durable fix?
In SELinux terminology, what is a process's context called, how do you view it, and which part of the context do most rules actually care about?
You need Apache to run CGI scripts but editing the SELinux policy is out of the question. What mechanism lets you adjust behavior without touching rules, and how do you make the change stick?
SELinux has three operating modes. What are they, where are they configured, and which command reports the current one?
You copy a tree of HTML files into /var/www/html with cp -a and Apache suddenly gets permission denied, even though the files look readable. Why does cp -a specifically cause this?
An SELinux denial leaves no obvious trace in the service log or the journal. Which tool digs the real cause out of the audit log, and which package provides it?
A habit from older systems is to fully disable SELinux by setting SELINUX=disabled in /etc/selinux/config. Why can that fail on current systems, and what's the correct way to disable it?
Why is reading and editing an AppArmor profile considered far more approachable than working with an SELinux policy?
In an AppArmor profile, what do the access-right letters r, w, a, l, k, and m each grant?
An AppArmor profile launches a helper program. What's the difference between marking that execution ix, px, and ux?
In AppArmor path rules, a single asterisk and a double asterisk both mean wildcard, but they aren't interchangeable. What's the distinction?
You suspect AppArmor is blocking a program, but the service log says nothing. Where are AppArmor rule violations actually recorded, and how do you spot them?
Your server keeps home directories outside /home and AppArmor rules assume the default. How do you adjust that without rewriting every profile?
On SUSE, AppArmor is the default MAC system and even ships a YaST configuration module. How much extra capability does that GUI module really give you?
SELinux and AppArmor solve the same problem but ship on different distributions by default. Which system is the out-of-the-box choice on which families?
SELinux ties a file's context to extended attributes, which breaks on filesystems without EA support. How does AppArmor sidestep this problem entirely?
AppArmor's path-based rules are simpler than SELinux's labels, so why do Red Hat's security people argue that approach is inherently weaker?
Where do AppArmor profiles live, and which command tells you not just what profiles exist but which processes are actually being monitored right now?
An AppArmor profile can run in enforce mode or complain mode. What's the behavioral difference, and how do you switch a profile between them?