Apparmor profile for Qubes available!

Due to the recent CVE discovered in AppArmor ("Nine critical vulnerabilities in Linux AppArmor put over 12M enterprise systems at risk", CSO Online) and the discussion I had with @wafmtjwadllc, I think we should replace AppArmor with SELinux.

This is why I started to learn SELinux syntax, policies, etc.

I ended up with these small SELinux policies:

(deny domain proc_t (file (read write open getattr)))
(deny domain machineid_t (file (read write open getattr)))

This denies read and write access to anyone, any process in the system including root itself, so the machine-id and proc information of the system can neither be read nor modified.

To be clear, no one and no malware will be able to get or modify your machine-id and proc information.

If you want to set up SELinux quickly to test the policy yourself, go to my post "Anonymize hostname hardened template automatic installation of browser" to get the salt command

and pick one of the .sls files here.

This should take 2-3 minutes to install. Or you can do it manually yourself by following this post: "How to install & activate SELinux on minimal fedora templates?"

Once done, create a ".cil" file in the VM by doing:

nano a.cil

Then put this inside the .cil file:

(deny domain proc_t (file (read write open getattr)))
(deny domain machineid_t (file (read write open getattr)))

Then do:

sudo semodule -i *.cil

Now if you run sudo cat /etc/machine-id you will get "Permission denied" like in the screenshot, and if you try to edit the machine-id and write data there you will also get "Permission denied", even as sudo.
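As an added example (not part of the original post), here is a small POSIX shell script that generates the two deny rules above as a CIL module, installs it, and verifies that the denial actually applies. It assumes a Fedora template with SELinux enabled and policycoreutils installed; the module name deny_machineid_proc and the RUN_MAIN variable are my own choices.

```shell
#!/bin/sh
# Added example: build, install and verify the machine-id / proc deny policy.
# Assumes Fedora with SELinux and `semodule`/`getenforce` available.
set -u

# Emit one CIL deny rule per target file type (same rule shape as the post).
cil_policy() {
    for t in "$@"; do
        printf '(deny domain %s (file (read write open getattr)))\n' "$t"
    done
}

# Return 0 only when the kernel is enforcing. In permissive mode a deny rule
# merely logs AVC messages and the machine-id stays readable.
check_enforcing() {
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ]
}

# Return 0 when reading the path fails with "Permission denied", 1 otherwise.
verify_denied() {
    err=$(cat "$1" 2>&1 >/dev/null) || true
    case "$err" in *"Permission denied"*) return 0 ;; esac
    return 1
}

main() {
    check_enforcing || {
        echo "SELinux is not enforcing; the deny rules would have no effect" >&2
        exit 1
    }
    # Module name chosen here; semodule derives it from the file basename.
    cil_policy machineid_t proc_t > deny_machineid_proc.cil
    sudo semodule -i deny_machineid_proc.cil || exit 1
    semodule -l | grep -q '^deny_machineid_proc' || {
        echo "module not listed by semodule -l" >&2
        exit 1
    }
    # /etc/machine-id is labelled machineid_t, /proc/cpuinfo is proc_t.
    for f in /etc/machine-id /proc/cpuinfo; do
        if verify_denied "$f"; then
            echo "denied: $f"
        else
            echo "STILL READABLE: $f" >&2
        fi
    done
}

# Run the installer only when explicitly asked, so the helpers can be sourced.
if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run it as RUN_MAIN=1 sh deny_machineid_proc.sh inside the template; a "STILL READABLE" line means the rule is loaded but not hitting the file you expected, so check its label with ls -Z.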

I think SELinux is far better than AppArmor because we can deny access to any root filesystem or home directory. For example, we can easily deny anyone in the system access to your SSH key or GPG key.

But it's very, very complicated to understand how it works. But I think it's worth the effort to learn, so I will stop creating AppArmor profiles and focus on SELinux instead.

I don't know yet what I will do with those AppArmor profiles; I will probably move them to another repository, and you will still be able to use them.

Also, I tried to set up SELinux on Debian by following this guide, "How to install & activate SELinux on minimal fedora templates?", but it didn't work at all. That only works for Fedora. If anyone has found a way to enable SELinux for Debian, please create a Qubes forum post to explain how you did it.