lsm - Linux Security Modules

Linux Security Modules, such as AppArmor and SELinux, provide an extra level of security controls on a Linux system. They provide Mandatory Access Control (MAC) that checks system activities against security policy. These policies apply to all users, including root.
The STIG requires that SELinux is in enforcing mode to provide additional security against attacks. The security role will enable SELinux on CentOS systems and enable AppArmor on Ubuntu and Debian systems.

STIG requirements

All of the tasks for these STIG requirements are included in tasks/rhel7stig/lsm.yml.
  • Summary: The operating system must enable SELinux.

  • Severity: High

  • Implementation Status: Implemented

Deployer/Auditor notes

The tasks in the security role enable the appropriate Linux Security Module (LSM) for the operating system.

For Ubuntu, openSUSE and SUSE Linux Enterprise 12 systems, AppArmor is installed and enabled. This change takes effect immediately.

For CentOS or Red Hat Enterprise Linux systems, SELinux is enabled (in enforcing mode) and its user tools are automatically installed. If SELinux is not in enforcing mode already, a reboot is required to enable SELinux and relabel the filesystem.

Relabeling a filesystem takes time, and the server must remain offline until the relabeling completes. Filesystems with large numbers of files, and filesystems on slow disks, make the relabeling process take longer.

Deployers can opt out of this change by setting the following Ansible variable:

security_rhel7_enable_linux_security_module: no
  • Summary: All system device files must be correctly labeled to prevent unauthorized modification.

  • Severity: Medium

  • Implementation Status: Implemented - Red Hat Only

Deployer/Auditor notes

The tasks in the security role examine the SELinux contexts on each device file found on the system. Any devices without appropriate labels are printed in the Ansible output.

Deployers should investigate the unlabeled devices and ensure that the correct labels are applied for the class of device.
This change applies only to CentOS or Red Hat Enterprise Linux systems since they rely on SELinux as their default Linux Security Module (LSM). Ubuntu, openSUSE Leap and SUSE Linux Enterprise systems use AppArmor, which uses policy files rather than labels applied to individual files.
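The device-label check described above, as an added shell example that is not code from the security role itself: it reads a listing in `ls -lZ /dev` style (a constructed sample here, not output from a real host) and reports each character or block device whose SELinux type is unlabeled_t or whose context is absent, so a deployer can review the same class of findings the role prints.

```shell
#!/bin/sh
# Added example, not part of the ansible-hardening role.
# Audits SELinux contexts on device files and reports the ones that need
# attention: type unlabeled_t, or no context at all (shown as "?" by ls).

# Print "<name> <type>" for each device whose SELinux type is not a real
# device type. $1 is a file holding `ls -lZ /dev` style output, where the
# fields are: mode, links, owner, group, context, major, minor, date, name.
find_unlabeled_devices() {
    awk '
        # Only character (c) and block (b) device entries are of interest.
        /^[cb]/ {
            ctx = $5; name = $NF
            # A context is user:role:type:level; a bare "?" has no type part.
            n = split(ctx, part, ":")
            type = (n >= 3) ? part[3] : "missing"
            if (type == "unlabeled_t" || type == "missing")
                print name, type
        }' "$1"
}

# Constructed sample listing (assumption: not taken from any real system).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
crw-rw-rw-. 1 root root system_u:object_r:null_device_t:s0 1, 3 Jan  1 00:00 null
brw-rw----. 1 root disk system_u:object_r:fixed_disk_device_t:s0 8, 0 Jan  1 00:00 sda
crw-rw----. 1 root root system_u:object_r:unlabeled_t:s0 10, 200 Jan  1 00:00 vendor0
crw-------. 1 root root ? 240, 0 Jan  1 00:00 custom1
lrwxrwxrwx. 1 root root system_u:object_r:device_t:s0 15 Jan  1 00:00 stdin -> /proc/self/fd/0
EOF

# On a real host, replace the sample with: ls -lZ /dev > "$SAMPLE"
find_unlabeled_devices "$SAMPLE"
```

Devices reported as `missing` or `unlabeled_t` are the ones to investigate and relabel with the correct type for their device class, as the notes above describe.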