App Armor vs SELinux vs .... The ultimate battle.

Joshua Marsh joshua at themarshians.com
Thu Feb 6 23:07:45 MST 2014


On Thu, Feb 6, 2014 at 9:34 PM, S. Dale Morrey <sdalemorrey at gmail.com> wrote:

> So is App Armor really an alternative to SELinux?


Yes. It works slightly differently, but it does essentially the same thing:
keep your applications from doing things they shouldn't.


> If so, kudos to the devs;
> it stays the heck out of my way well enough that I've never even bothered to
> look it up to see what it does.

This is due to some differences between SELinux and AppArmor. With
AppArmor, you give it profiles for specific applications. If an application
doesn't have a profile, AppArmor doesn't control it. I believe in SELinux
this is *sort of* like targeted mode.


> Are there any other alternatives?


I believe the accepted LSMs are SELinux, AppArmor, TOMOYO, and Smack. I'm
only familiar with AppArmor and slightly familiar with SELinux. I played
with TOMOYO, but only briefly over a weekend.


> What are the strengths and weaknesses of each?


For me, the biggest strength of AppArmor is the creation of policies. It's
fairly easy to read configuration files in /etc/apparmor.d. I can whip one
up for my programs in just a few minutes.

One commonly listed strength for SELinux is that it has finer-grained
control. I've never done anything complicated with AppArmor so I haven't
run into an issue.

Here is a basic comparison of the two:
http://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html.
Spoiler alert: they are basically the same, one is easier to configure and
the other gives you more knobs to turn.


> Other than being "what my
> distro shipped with and/or familiarity", what would be the advantages or
> disadvantages of each?

The distro thing is actually a big deal for LSMs in my opinion. Red Hat,
Ubuntu, and SUSE have spent a lot of time developing policies for common
applications. If you don't use the standard LSM for that distro, you may
have to do a lot of that work yourself.
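As an added illustration of the "whip one up in a few minutes" point above (this is example code, not part of the original thread), here is a shell script that writes a minimal AppArmor profile for a hypothetical program, /usr/local/bin/reportgen, that only needs to read its own configuration and write under its own data directory, and then loads it in complain mode before enforcing. The program name, its paths and the profile file name are assumptions for illustration; the profile syntax (`#include`, `owner`, `deny`, the `r`/`w`/`k`/`m` permission letters) and the `apparmor_parser`, `aa-complain` and `aa-enforce` tools are the standard ones shipped with AppArmor.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Generates and loads an AppArmor profile for a hypothetical program
# (/usr/local/bin/reportgen and its paths are assumptions for illustration).

# write_profile OUTFILE  - write the profile text to OUTFILE
write_profile() {
    outfile="$1"
    cat > "$outfile" <<'EOF'
#include <tunables/global>

# Once enforced, anything not listed here is denied and logged by the kernel.
/usr/local/bin/reportgen {
  #include <abstractions/base>

  # The program binary itself: read and mmap as executable
  /usr/local/bin/reportgen mr,

  # Configuration: read only, no writes
  /etc/reportgen/** r,

  # Working data: read, write and file locking, only for files it owns;
  # no execute bit, so dropped payloads there cannot be run from this profile
  owner /var/lib/reportgen/** rwk,

  # Explicit denies document the decision and keep the audit log quiet
  deny /home/** rw,
  deny /etc/shadow r,
}
EOF
}

# load_profile PROFILEFILE - install under /etc/apparmor.d and start in
# complain mode, so violations are logged (apparmor="ALLOWED" audit lines in
# dmesg/syslog) without being blocked. Requires root and the apparmor tools.
load_profile() {
    target=/etc/apparmor.d/usr.local.bin.reportgen
    install -m 0644 "$1" "$target"
    apparmor_parser -r "$target"   # (re)load the profile into the kernel
    aa-complain "$target"          # log only; review the log, then enforce:
    # aa-enforce "$target"
}
```

Usage: `write_profile /tmp/reportgen.profile` to generate the file, inspect it, then `sudo sh -c '. ./aa-example.sh; load_profile /tmp/reportgen.profile'`. Running in complain mode first is what makes the quick hand-written profile safe to iterate on: the log tells you every path the program touched that you forgot to list, and nothing breaks until you switch to enforce.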
