Runbook

SELinux or AppArmor Policy Violations Incident

Overview

This incident type refers to the violation of the security policies implemented by SELinux or AppArmor on a system. SELinux and AppArmor are both security modules that enforce mandatory access control policies on a Linux system. These policies determine which processes can access which resources on the system, and can prevent unauthorized access or tampering. Violations of these policies can result in security breaches, system instability, and potentially harmful consequences.

Parameters

Debug

Check if SELinux is enabled

Check SELinux logs for policy violations

List SELinux context of files and directories

Temporarily disable SELinux

Check if AppArmor is enabled

Check AppArmor logs for policy violations

List AppArmor profile for a process

Temporarily disable AppArmor for a process

Repair

Disable SELinux or AppArmor: This is not the best solution, but in some cases, disabling SELinux or AppArmor could be a quick fix to the incident. However, this is not recommended as it could compromise the security of the system.

Learn more

Related Runbooks

Check out these related runbooks to help you debug and resolve similar issues.