SELinux vs AppArmor: What Are the Differences and Which One Should You Use?

Learn how SELinux and AppArmor work.

Selinux Vs Apparmor

SELinux (short for Security Enhanced Linux) is a Linux kernel security module that is used to increase security in Linux distributions by hardening access to files and processes. Another similar Linux kernel security module used for this purpose is AppArmor. There is much interest in these two modules because of their overlapping roles in access control for Linux operating systems. This article covers the differences between SELinux and AppArmor, allowing users to determine which of these modules is best for their needs through a comparison of features and ease of use.

What Is SELinux?

Securing servers with SELinux does away with dependency on DAC style access based on actual system users and roles. Instead, it introduces a three-string context system for each process or system user. The three strings, namely username, role, and domain, allow for more flexibility and control over system access.

A process can only be allowed in a specific domain through policy configuration in SELinux. The only exception is when a process is launched into an explicitly defined context through the runcon command. However, if conflicting policies exist for such a process already in configuration, SELinux can deny such a transition into another context. That ensures that SELinux works on the principle of denying by default. Any process or user needs to have an explicit access configuration for a file or system resource before accessing it.

SELinux Operations and Commands

As an extension of common utility commands in the terminal, SELinux provides -Z switch, which allows for the display of the security context of the files and processes. Commands such as ps and ls benefit from this switch for quickly debugging or identifying errors in configuration. Below, a screenshot of the ls command is shown.

ls -Z
Selinux Vs Apparmor 1 1

The first part of each output line is the domain, the second is the type of object, and the third is the username in the SELinux configuration. This way, SELinux can provide full control over access to each file and process. The following commands are used to manipulate the context of files and directories.

CommandUsage
chcon -t <Context> <Target File>Change the context of a target file
chcon -R <Context> <Target Directory>Change context of a target directory (this change is recursive)
restorecon -v <Target File>Restore the context of a file to default
restorecon -v -R <Target Directory>Restore the context of a directory to default (this change is recursive)
semanage fcontext -a -t <Context> <REGEX>Set the default context of a directory to be what the REGEX evaluates to

For example, if there is a need to change the context of all the files in the “/srv/web” directory to “httpd_sys_content_t”, the following command can be used:

sudo semanage fcontext -a -t httpd_sys_content_t “/srv/web(/.*)
Selinux Vs Apparmor 2 1

Since this context seen in the screenshot is already defined for the “/srv/web” directory recursively, SELinux displays a message to let the user know. If it is not defined, a successful semanage operation does not show any output.

System administrators and users can enable, disable or make SELinux permissible through the use of the setenforce command. Similarly, to check what the enforcement status is at the moment, users can use the getenforce command as shown in the screenshot below.

Selinux Vs Apparmor 3

What Is AppArmor?

AppArmor is supported in development by Canonical, the parent company that develops the Ubuntu distribution of Linux. AppArmor aims to be simpler and easier to use than SELinux and its profiles are created in the “/etc/apparmor.d/” directory. An AppArmor profile for the “/usr/bin/man” process is shown in the screenshot below.

Selinux Vs Apparmor 4

AppArmor Operations and Commands

To see the status of Apparmor, the aa-status command is used. A sample output of the command is shown below.

Selinux Vs Apparmor 5

AppArmor profiles can be listed by the directory contents of “/etc/apparmor.d/”, as shown below.

Selinux Vs Apparmor 6

From the above list of profiles, if a user wants to disable the usr.bin.man profile, they can use the following command:

sudo aa-complain /usr/bin/man

Note that a disabled profile is located in the disable subdirectory of the main AppArmor profiles directory. To re-enable a profile that has been disabled, the following command is used:

sudo aa-enforce /usr/bin/man

Ease of Use Between SELinux and AppArmor

AppArmor works with file paths in the filesystem instead of working with strings for each file like SELinux does. One advantage of AppArmor is that the read, write, lock and other file operations are easier to set up than in SELinux. On the other hand, while SELinux provides more features for file access control, the features are implemented at a much lower level in the system.

Therefore, users have to learn how to use mknod, network sockets, and other system operations to work with SELinux. For everyone who is not a system administrator, it is much easier to learn how to use AppArmor.

AppArmor also provides a learning mode that is used for logging violations of access control. This mode does not restrict or prevent access in case of a violation, instead collecting data over time to enable the creation of a separate AppArmor profile based on the behavior of programs for each recorded access infraction. There is no similar mode available in SELinux.

Frequently Asked Questions

What Linux distributions are preinstalled with SELinux and AppArmor?

All the Linux distributions under the umbrella of RedHat come preinstalled with or offer a setup of SELinux, including RHEL, CentOS, and Fedora. AppArmor is preinstalled on Debian, Ubuntu, their derivative distributions, SUSE Enterprise Server and OpenSUSE distributions.

Which security module is the best for a new Linux user?

Most major Linux distributions come with either of the security modules installed by default. Therefore, it is unlikely for a new Linux user not to have a security module out of the box. Comparison of features and ease of use between SELinux and AppArmor show that for power users or system administrators who want finer control over their operating system, SELinux is best, but for everyone else, AppArmor is the better choice.

Are SELinux and AppArmor alternatives to firewalls, antiviruses, and other user or data safety software?

SELinux and AppArmor are not alternatives to antiviruses or well-configured firewalls for system security and data integrity. Therefore, it’s recommended to complement your system with an antivirus program for better protection of data.

Image credits: AppArmor’s Wiki Page and SELinux’s Wiki Page. All screenshots by Zeeman Memon.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox