LSM: Linux Kernel Security Modules.

Inserts hooks at every point in the kernel where a user can conduct a system call to import kernel objects.

DAC: Discretionary Access Control : Default linux permissions MAC: Mandatory Access Control


Is an LSM that allows the user to restrict programs with the use of a profile specifiv to that application. These profiles are designed to delegate capabilities that include sockets, network access, file access and more.

Provides MAC on top of DAC

Enabling apparmor

#: /boot/syslinux/syslinux.cfg 

APPEND apparmor=1 security=apparmor

Comes with sane defaults and have profiles for certain applications

Useful links


Defines the access and transition rights of every user, application, process and file on the system.


  • A process will perform an action request. (eg:to read a file)
  • THe request is pushed to the SELinux security server
  • The security server checks an Access Vector Cache (AVC) that stores subject and object permissions.
  • If request not found therem it will consult the SELinux Policy Database.
  • If the policy is found, It makes a decision of Yes or No for the access request.
  • If yes, the object requested is returned. Else an AVC denied message is generated and the object is not returned

Useful links


Uses linux namespaces in conjunction with seccomp-bpf to restrict the running enviornment of the application.

It comes with security profiles for a lot of applications in /etc/firejail.