Introduction
Linux systems rely on Mandatory Access Control (MAC) frameworks, implemented as Linux Security Modules, to enforce policy on top of the discretionary file permissions: an access must pass both the owner/mode check and the MAC policy, so a confined process cannot read a file merely because its permission bits allow it. SELinux (Security-Enhanced Linux) and AppArmor are the two most widely deployed MAC implementations. This guide compares their philosophies, strengths, and configuration workflows to help you choose the right tool for your environment.
1. Core Philosophy Comparison
Feature | SELinux | AppArmor |
---|---|---|
Approach | Label-based (Contexts) | Path-based (Profiles) |
Policy Granularity | System-wide (users, roles, types) | Per-application (executable paths) |
Complexity | Steeper learning curve | Simpler syntax |
Default Policy Source | Reference Policy; distributions ship its "targeted" variant, which confines network-facing daemons and leaves user sessions unconfined_t | Profiles shipped with the application packages (plus the apparmor-profiles package); a program with no profile runs unconfined |
Primary Distros | RHEL, Fedora, CentOS Stream, Rocky Linux, AlmaLinux | Ubuntu, Debian, openSUSE, SUSE Linux Enterprise |
Key Insight:
SELinux attaches a security context of the form user:role:type:level to every process and object, e.g. `system_u:object_r:httpd_sys_content_t:s0` on a web-root file and `system_u:system_r:httpd_t:s0` on the httpd process, and the policy states which source types may perform which operations on which target types. The label is stored in the inode's extended attributes, so it follows the file across renames and hard links. AppArmor attaches a profile to an executable path (e.g. `/usr/sbin/nginx { … }`) that enumerates the file paths, capabilities and network access the program may use; anything not listed is denied, and a program with no profile is unconfined. Because rules name paths rather than objects, the same file reached through a different path (for example via a bind mount) is matched against whichever path the process actually used.
2. Policy Management Workflow
SELinux Configuration
Core Commands:
- Check status (current mode, configured mode, and loaded policy type):
sestatus
- Switch between Enforcing and Permissive at runtime (1 = enforcing, 0 = permissive). This cannot switch to Disabled and does not survive a reboot:
setenforce [0|1]
- Persistent mode change: edit the SELINUX= line (enforcing, permissive or disabled) in
/etc/selinux/config
and reboot. Going from disabled back to enforcing triggers a full filesystem relabel on the next boot.
- View context labels on files and processes:
ls -Z
ps -eZ
- Modify a file context temporarily (restorecon or a relabel will revert it):
chcon -t httpd_sys_content_t /path/to/file
- Make a file context persistent: record it in the policy database, then apply it:
semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
restorecon -Rv /srv/www
- Restore default contexts:
restorecon -Rv /path
- Troubleshoot denials:
ausearch -m avc -ts recent
Creating Custom Rules:
- Review the AVC denials first, either with ausearch as above or directly from the raw log:
grep AVC /var/log/audit/audit.log
- Check whether a policy boolean already covers the case before writing new policy (e.g. httpd_can_network_connect); a boolean is reviewed and maintained upstream, a custom module is not:
getsebool -a | grep httpd
setsebool -P httpd_can_network_connect on
- Generate a policy module from the denials, then read mypolicy.te before installing it. audit2allow proposes exactly what was denied, so it will just as readily encode a mislabelled file or an attacker's access as an allow rule:
audit2allow -a -M mypolicy # Builds mypolicy.te and mypolicy.pp from every AVC denial in the audit log
semodule -i mypolicy.pp # Installs the module
AppArmor Configuration
Core Commands:
- Check status (loaded profiles, and which are in enforce or complain mode):
apparmor_status
(aa-status is the same tool under its newer name)
- Reload all profiles:
systemctl reload apparmor
- Reload a single edited profile without touching the others:
apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx
- Disable a profile (unloads it and links it into /etc/apparmor.d/disable so it stays off after reboot):
aa-disable /path/to/binary
- Enter complain mode (log would-be denials without blocking):
aa-complain /path/to/binary
Creating Custom Profiles:
- Start in complain mode:
aa-genprof /path/to/binary # Writes a skeleton profile, sets it to complain, then scans the log interactively
- Exercise the application thoroughly (normal operation, error paths, log rotation, reloads) so every access it needs is logged; anything you miss will be denied once the profile is enforced.
- Review the profile aa-genprof wrote under /etc/apparmor.d/ (the file name is the binary path with slashes replaced by dots, here usr.bin.example) and keep only the paths and capabilities the logs justified:
#include <tunables/global>

/usr/bin/example {
  include <abstractions/base>
  capability dac_override,
  /etc/config.conf r,
  /var/log/example.log w,
}
Grant capability dac_override only if a logged denial shows the program needs it: it lets the program ignore file permission bits entirely.
- Enforce profile:
aa-enforce /path/to/binary
3. When to Choose Which?
Choose SELinux If:
- You need granular control over users, roles, network ports (semanage port) and MLS/MCS levels, or you separate tenants or containers by MCS category.
- Your environment handles highly sensitive data (e.g., government, finance).
- You're using RHEL-family distributions, where the targeted policy is maintained for you.
Choose AppArmor If:
- You prioritize simplicity and faster policy creation.
- Your focus is restricting specific applications (e.g., web servers) rather than every process on the host.
- You use Ubuntu, Debian or SUSE, where it is enabled by default.
4. Troubleshooting Tips
- SELinux Denials?
- Confirm SELinux is the cause before changing anything: switch to Permissive, retest, and switch back. Denials are still logged in Permissive mode, so you keep the evidence:
setenforce 0
setenforce 1
- Use
sealert -a /var/log/audit/audit.log
(install setroubleshoot-server) for a plain-language explanation of each denial and the boolean, file-context or module fix it suggests.
- AppArmor Blocks?
- Check /var/log/syslog, /var/log/kern.log or journalctl -k for apparmor="DENIED" entries; the profile=, operation=, name= and denied_mask= fields say which profile blocked which access.
- Use
aa-logprof
to walk through the logged denials interactively and add rules to the profile.
- Put only the affected profile into complain mode with aa-complain rather than stopping AppArmor for the whole host.
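The triage described in the SELinux "Creating Custom Rules" steps and in the troubleshooting tips above, as an added example: this script is written for this guide and is not a tool from the SELinux or AppArmor projects. It reduces raw denial records to the rule audit2allow or aa-logprof would propose, so the rule can be judged before anything is installed. The three log lines are constructed for the demo (the nginx profile path, the httpd process, the /etc/shadow access and the audit IDs are all made up), and the field layout is the one both kernels log.

```shell
#!/bin/sh
# Added example for this guide, not code from the SELinux or AppArmor
# projects: turn denial records into the rule each tool would propose,
# so the rule can be reviewed before audit2allow or aa-logprof installs it.
# All three log lines below are constructed for the demo, not captured.

# SELinux AVC record in the format of /var/log/audit/audit.log.
SELINUX_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# AppArmor file denial and capability denial as logged to syslog / journalctl -k.
APPARMOR_FILE_SAMPLE='Nov 14 10:00:00 web kernel: audit: type=1400 audit(1700000000.456:789): apparmor="DENIED" operation="open" profile="/usr/sbin/nginx" name="/etc/shadow" pid=2345 comm="nginx" requested_mask="r" denied_mask="r" fsuid=33 ouid=0'
APPARMOR_CAP_SAMPLE='Nov 14 10:00:01 web kernel: audit: type=1400 audit(1700000000.457:790): apparmor="DENIED" operation="capable" profile="/usr/sbin/nginx" pid=2345 comm="nginx" capability=1  capname="dac_override"'

# field KEY LINE: value of " KEY=value" or " KEY="value"" in an audit-style line.
field() {
  printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
  t=${1#*:}; t=${t#*:}
  printf '%s\n' "${t%%:*}"
}

# selinux_allow_rule LINE: the allow rule audit2allow would emit for one AVC
# denial. It grants exactly what was denied, so check whether a boolean or
# restorecon is the real fix before installing a module built from it.
selinux_allow_rule() {
  perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ \([^}]*\) }.*/\1/p')
  src=$(ctx_type "$(field scontext "$1")")
  tgt=$(ctx_type "$(field tcontext "$1")")
  cls=$(field tclass "$1")
  [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
  printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# apparmor_rule LINE: the profile rule aa-logprof would offer for one DENIED
# line: a capability rule for operation="capable", else a file rule.
apparmor_rule() {
  op=$(field operation "$1")
  case $op in
    capable)
      cap=$(field capname "$1")
      [ -n "$cap" ] || return 1
      printf 'capability %s,\n' "$cap" ;;
    '') return 1 ;;
    *)
      name=$(field name "$1")
      mask=$(field denied_mask "$1")
      [ -n "$name" ] && [ -n "$mask" ] || return 1
      printf '%s %s,\n' "$name" "$mask" ;;
  esac
}

# triage_stream: read mixed log lines on stdin, print one proposed rule per denial.
triage_stream() {
  while IFS= read -r line; do
    case $line in
      *avc:*denied*)          selinux_allow_rule "$line" ;;
      *'apparmor="DENIED"'*)  apparmor_rule "$line" ;;
    esac
  done
}

# Demo on the constructed samples. On a real host:
#   triage_stream < /var/log/audit/audit.log   or   journalctl -k | triage_stream
printf '%s\n' "$SELINUX_SAMPLE" "$APPARMOR_FILE_SAMPLE" "$APPARMOR_CAP_SAMPLE" | triage_stream
```

Reading the output is the point: "allow httpd_t user_home_t:file { read open };" says httpd is reading a home directory, which restorecon or a correct fcontext usually fixes without new policy; "/etc/shadow r," and "capability dac_override," for nginx are accesses a web server should never need, and installing them would turn a detection into a permanent hole.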
5. Conclusion
Both SELinux and AppArmor confine what a compromised or misconfigured process can reach, which limits the damage from an exploit even before a patch exists; neither stops the exploit itself. While SELinux offers deeper system-wide control, AppArmor's path-based profiles simplify policy management. For most applications, AppArmor is easier to adopt, but SELinux remains indispensable in high-security environments. Start with your distro's default tool, run in complain/permissive mode initially, and gradually build custom policies.
Final Recommendation:
- Servers: use the tool your distribution ships and maintains policy for: SELinux on the RHEL family, AppArmor on Ubuntu, Debian and SUSE.
- Containers: Docker and Podman already apply the host's MAC (the docker-default profile on AppArmor hosts, container_t labels from container-selinux on SELinux hosts); tune them with --security-opt rather than switching them off.
> 💡 Pro Tip: Never disable either entirely! Use permissive or complain mode for debugging instead; disabling SELinux also stops file labelling, so re-enabling it later forces a full relabel.