Standard Linux permissions (chmod/chown) are "Discretionary Access Control" (DAC): the owner of a file decides who may access it. If an attacker takes over the Apache web server process (running as `www-data`), they can read any file `www-data` has access to. SELinux (Security-Enhanced Linux) changes this. It uses "Mandatory Access Control" (MAC): a system-wide policy that the process owner cannot loosen.
The Concept: Type Enforcement
In SELinux, everything has a label.
- Apache process: `httpd_t`
- Web files: `httpd_sys_content_t`
- Password file: `shadow_t`
The policy says: "Processes labeled `httpd_t` can only read files labeled `httpd_sys_content_t`."
Even if the filesystem permissions say `www-data` can read `/etc/shadow`, SELinux blocks it because no policy rule allows a process labeled `httpd_t` to access a file labeled `shadow_t`. Both checks must pass: DAC first, then the SELinux policy.
1. AppArmor (Ubuntu/Debian)
SELinux (the default on Fedora/RHEL) is powerful but complex. AppArmor is the more approachable alternative.
It works on "Paths" instead of "Labels": a profile is attached to an executable and lists the paths it may touch.
A profile for `/usr/sbin/nginx` might say:
- Read `/var/www/html/**`
- Deny `/etc/shadow`
It is enabled by default on Ubuntu, but only processes that have a profile are confined; everything else runs unconfined.
2. Troubleshooting
When an app breaks, check the logs before disabling security!
- SELinux: `grep "AVC" /var/log/audit/audit.log`
- AppArmor: `dmesg | grep AppArmor`
You can then use `audit2allow` to automatically generate a rule that permits the blocked action. Read the generated rule before loading it: `audit2allow` permits exactly what was denied, so if the denial was really a mislabelled file (the fix is to relabel it) or an attacker probing, you would be writing that access into policy.
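As an added example (not part of the original text), a small POSIX shell helper that reads AVC denial records and summarises them by source type, target type, object class and permission, so you can see at a glance which denials are plain mislabelling and which ones, like `httpd_t` reaching for `shadow_t`, should never be fed to `audit2allow`. The sample log lines are constructed, and the watch list in `flag_sensitive` is an assumption.

```shell
#!/bin/sh
# Summarise SELinux AVC denials: one line per
# (source type -> target type, class, permissions) with a count.
# Reads the file given as $1, or stdin when no argument is given.
summarize_avc() {
    grep 'avc: *denied' "${1:--}" \
    | sed -E 's/.*denied +\{ ([^}]*) \}.*scontext=[^:]+:[^:]+:([^:]+):[^ ]* .*tcontext=[^:]+:[^:]+:([^:]+):[^ ]* .*tclass=([A-Za-z_]+).*/\2 -> \3 \4 { \1 }/' \
    | sort | uniq -c | sort -rn
}

# Filter summary lines whose target type a confined service should
# never touch. The list below is an assumed example; extend it for
# your own policy (e.g. key material, credential stores).
flag_sensitive() {
    grep -E ' -> (shadow_t|sshd_key_t) '
}

# Constructed sample audit.log excerpt (not real captured data).
SAMPLE_AVC='type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=1201 comm="httpd" name="shadow" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=1201 comm="httpd" name="shadow" dev="sda1" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=no exit=-13'

# Usage on a real system:
#   summarize_avc /var/log/audit/audit.log
#   summarize_avc /var/log/audit/audit.log | flag_sensitive
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
printf '%s\n' "$SAMPLE_AVC" | summarize_avc | flag_sensitive
```

The first command prints `2 httpd_t -> shadow_t file { read }` above `1 httpd_t -> mysqld_port_t tcp_socket { name_connect }`; only the `shadow_t` line survives `flag_sensitive`, and the `mysqld_port_t` denial is the kind a boolean or a deliberate policy rule would normally cover.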