An Introduction Into Linux Security Modules

Background of Linux security modules

Like normal kernel modules, security modules extend the basic functionality of the Linux kernel. The need for a modular structure was proposed when SELinux was being introduced. There was a little discussion to use modules or not, as SELinux was the only one being available. Some people proposed apply it as a kernel patch, but in the end Linux creator Torvalds, decided to make this type of functionality modular. The first security module was born.

How it works

Linux security modules are relying on kernel hooks. These fixed pointers in the kernel, or kernel interface, allow an external component to influence the behavior of the kernel. The interesting part of these modules, is that they are restrictive in nature. This means they will lower the privileges someone, or some process, already might have. This is the opposite of tooling like sudo for example, where one actually acquires new privileges.

Common frameworks

SELinux is one of the most known Linux security modules available. This framework uses the approach named MAC short for mandatory access control. MAC based systems use subjects and objects. Subjects are the “active” participant, like a user or process, where objects are the items to be accessed (e.g. a file). Together you can form a policy, which decides who can do (to) what.


Created by Immunix, AppArmor is a similar MAC based framework as SELinux. Immunix was acquired by Novell, resulting AppArmor to be found on SUSE Linux. AppArmor has been ported to others, like Debian, Gentoo and Ubuntu.

A big difference between is in the way files (objects) are monitored. AppArmor monitors files by path, where SELinux does it by security labels.

Some benefits over SELinux:

  • Considered to be easier in administration
  • File system independent, which means no specific support within the file system is needed (security labels)


  • When creating a hardlink of a file, it may become accessible again (as the inode has changed)

Module configuration

Most Linux security modules can be installed as a package. Depending on the specific distribution you are using, it may be installed by default. For example SELinux is commonly found on Red Hat based systems, where AppArmor is available on SUSE Linux and Ubuntu.

Usually a Linux security module is configured with its own configuration files, while being enabled or disabled via a sysctl value. Others are so small, that they can be tuned via just sysctl. For example the ptrace capabilities on processes via YAMA:

kernel.yama.ptrace_scope = 1

Overview by Year


AppArmor (then SubDomain), used in Immunix Linux


Introduction of SMACK

AppArmor ported to Ubuntu Linux and AppArmor development taken over by Canonical.




Small picture of Michael Boelen

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!

Mastodon icon