An Introduction Into Linux Security Modules

An Introduction Into Linux Security Modules


Like normal kernel modules, security modules extend the basic functionality of the Linux kernel. The need for a modular structure was proposed when SELinux was being introduced. There was a little discussion to use modules or not, as SELinux was the only one being available. Some people proposed apply it as a kernel patch, but in the end Linux creator Torvalds, decided to make this type of functionality modular. The first security module was born.

How it works

Linux security modules are relying on kernel hooks. These fixed pointers in the kernel, or kernel interface, allow an external component to influence the behavior of the kernel. The interesting part of these modules, is that they are restrictive in nature. This means they will lower the privileges someone, or some process, already might have. This is the opposite of tooling like sudo for example, where one actually acquires new privileges.

Common frameworks

SELinux is one of the most known Linux security modules available. This framework uses the approach named MAC, short for mandatory access control. MAC based systems use subjects and objects. Subjects are the “active” participant, like a user or process, where objects are the items to be accessed (e.g. a file). Together you can form a policy, which decides who can do (to) what.


Created by Immunix, AppArmor is a similar MAC based framework as SELinux. Immunix was acquired by Novell, resulting AppArmor to be found on SUSE Linux. AppArmor has been ported to others, like Debian, Gentoo and Ubuntu.

A big difference between is in the way files (objects) are monitored. AppArmor monitors files by path, where SELinux does it by security labels.

Some benefits over SELinux:

  • Considered to be easier in administration
  • File system independent, which means no specific support within the file system is needed (security labels)


  • When creating a hardlink of a file, it may become accessible again (as the inode has changed)
screenshot of apparmor_status command output on Ubuntu

AppArmor status on Ubuntu system

Module configuration

Most Linux security modules can be installed as a package. Depending on the specific distribution you are using, it may be installed by default. For example SELinux is commonly found on Red Hat based systems, where AppArmor is available on SUSE Linux and Ubuntu.

Usually a Linux security module is configured with its own configuration files, while being enabled or disabled via a sysctl value. Others are so small, that they can be tuned via just sysctl. For example the ptrace capabilities on processes via YAMA:

kernel.yama.ptrace_scope = 1

Overview by Year


AppArmor (then SubDomain), used in Immunix Linux


Introduction of SMACK

AppArmor ported to Ubuntu Linux and AppArmor development taken over by Canonical.




One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package

Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.