SELinux & AppArmor
Mandatory Access Control (MAC)
Beyond normal (discretionary) permissions, MAC systems enforce policy the file owner cannot override.
SELinux (RHEL/Fedora)
| Command | Purpose |
|---|---|
getenforce | Current mode |
setenforce 0/1 | Permissive / Enforcing (temporary) |
sestatus | Detailed status |
ls -Z / ps -Z | Show security contexts |
restorecon -Rv /path | Reset contexts to default |
semanage fcontext | Manage context rules |
Modes: Enforcing (blocks), Permissive (logs only), Disabled. Config in /etc/selinux/config.
AppArmor (Ubuntu/SUSE)
Profile-based, path-oriented. aa-status, aa-enforce, aa-complain; profiles in /etc/apparmor.d/.
Exam tip: When a service works with SELinux in permissive but fails in enforcing, it's a context/policy problem - check/var/log/audit/audit.logand userestoreconoraudit2allow.