Vulnarex | Elite Cybersecurity Learning Platform

#Mandatory Access Control: The Jail That Contains Even Root#link

When an Apache vulnerability lets an attacker gain a shell as the www-data user, traditional DAC permissions say 'sorry, you're not root.' But what if www-data can read /etc/shadow due to a misconfiguration? MAC systems like AppArmor and SELinux enforce kernel-level policies that confine processes to a strict set of capabilities, even if they escape to root. This lesson demystifies modes, policy creation, and debugging so you can confidently enforce MAC.

SELinux: Enforcing vs. Permissive vs. Disabled

SELinux operates in three modes: Enforcing (policy is applied, violations are denied and logged), Permissive (violations are logged but allowed—useful for debugging), and Disabled (completely off). The goal is always Enforcing with a targeted policy that confines network-facing services. Check mode with getenforce, and change temporarily with setenforce 0/1. Permanent configuration is in /etc/selinux/config.

Check and toggle SELinux mode

root@vulnarex:~#getenforce && sudo setenforce 0 && getenforce && sudo setenforce 1

This sequence is useful for temporarily debugging an application without disabling SELinux entirely. Remember to revert to Enforcing.

bash

# Check SELinux denials (AVC logs)
sudo grep avc /var/log/audit/audit.log | tail -5
# Use audit2allow to generate a policy module from denials
sudo grep avc /var/log/audit/audit.log | audit2allow -M myapp
sudo semodule -i myapp.pp

AppArmor: Profiles and Complain/Learn Modes

AppArmor (default on Ubuntu) works by applying profiles to executables. Profiles can be in enforce mode (policy enforced) or complain mode (violations logged, not blocked). Use aa-status to see loaded profiles. The tool aa-genprof can generate a new profile by learning application behavior. AppArmor profiles are easier to write than SELinux policies but offer less granularity.

List AppArmor profiles and set a profile to complain

root@vulnarex:~#sudo aa-status && sudo aa-complain /usr/sbin/nginx && sudo aa-status | grep nginx

info

💡 Always test new policies in complain/permissive mode first. A misconfigured policy can break services. Use tools like 'aa-logprof' to review denials and update profiles.

Feature	SELinux	AppArmor
Policy model	Type enforcement (TE) + MLS	Path-based, per-executable profiles
Complexity	High (labels, transitions, booleans)	Moderate (profile files)
Kernel integration	Deep (hooks in LSM, labeled networking)	LSM module
Tools	semanage, audit2allow, restorecon	aa-genprof, aa-logprof, aa-complain

Booleans and Conditional Policies

SELinux booleans allow you to toggle specific policy rules without rewriting policies. For example, httpd_can_network_connect allows web server outbound connections. List all booleans with getsebool -a, set with setsebool -P. AppArmor uses profile tunables and variables for similar conditional behavior.

▪Never disable SELinux/AppArmor; if troubleshooting, temporarily switch to permissive/complain.
▪Run aa-logprof or audit2allow after application changes to update policies.
▪Set SELinux booleans according to service needs; document changes.
▪Integrate MAC status into monitoring: alert if a host drops from enforcing to permissive.

STRICT SECURE AUDIT RULE

⚠️ Running in Permissive mode in production logs violations but doesn't protect. An attacker who exploits a service can still perform actions that would normally be denied. Only use it for debugging.

quiz BLOCK (★ 50 XP)

A web application needs to connect to an external database. SELinux is in enforcing mode and the connection fails. What is the safest fix?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

MAC Policy Drill