App Armor vs SELinux vs .... The ultimate battle.

Joshua Marsh joshua at
Thu Feb 6 23:07:45 MST 2014

On Thu, Feb 6, 2014 at 9:34 PM, S. Dale Morrey <sdalemorrey at> wrote:

> So is App Armor really an alternative to SELinux?

Yes. It works slightly differently, but it does essentially the same thing:
keep your applications from doing things they shouldn't.

> If so, kudos to the devs
> it stays the heck out of my way well enough that I've never even bothered to
> look it up to see what it does.

This is due to some differences between SELinux and AppArmor. With
AppArmor, you give it profiles for specific applications. If an application
doesn't have a profile, AppArmor doesn't control it. I believe in SELinux
this is *sort of* like targeted mode.

> Are there any other alternatives?

I believe the accepted LSMs are SELinux, AppArmor, TOMOYO, and Smack. I'm
only familiar with AppArmor and slightly familiar with SELinux. I played
with TOMOYO, but only briefly over a weekend.

> What are the strengths and weaknesses of each?

For me, the biggest strength of AppArmor is the creation of policies. It's
fairly easy to read configuration files in /etc/apparmor.d. I can whip one
up for my programs in just a few minutes.

One commonly listed strength for SELinux is that it has finer-grained
control. I've never done anything complicated with AppArmor so I haven't
run into an issue.

Here is a basic comparison of the two:
Spoiler alert: they are basically the same, one is easier to configure and
the other gives you more knobs to turn.

> Other than being "what my
> distro shipped with and/or familiarity" What would be the advantages or
> disadvantages of each?

The distro thing is actually a big deal for LSMs in my opinion. Red Hat,
Ubuntu, and SUSE have spent a lot of time developing policies for common
applications. If you don't use the standard LSM for that distro you may
have to do a lot of that work yourself.
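
Added example, not part of the original message: a small shell script that shows which processes an LSM actually confines, the point made above about AppArmor leaving unprofiled applications alone and SELinux targeted mode behaving similarly. The function names and the sample labels are constructed for illustration; the label formats are the ones the kernel exposes in /proc/<pid>/attr/current.

```shell
# Label formats read from /proc/<pid>/attr/current:
#   AppArmor: "unconfined" or "<profile> (<mode>)"
#   SELinux:  "user:role:type:level"
classify_label() {
    label=$1
    case $label in
        '')             echo "no-label" ;;
        unconfined)     echo "apparmor:unconfined" ;;
        *' (enforce)')  echo "apparmor:enforce" ;;
        *' (complain)') echo "apparmor:complain" ;;
        *:*:*:*)
            # SELinux context: the third field is the type (domain).
            # Simplification: only unconfined_t counts as unconfined here.
            domain=$(printf '%s' "$label" | cut -d: -f3)
            if [ "$domain" = "unconfined_t" ]; then
                echo "selinux:unconfined"
            else
                echo "selinux:confined"
            fi ;;
        *)              echo "unknown" ;;
    esac
}

# Read "pid<TAB>label" lines on stdin, print "pid verdict" per line.
report() {
    while IFS="$(printf '\t')" read -r pid label; do
        printf '%s %s\n' "$pid" "$(classify_label "$label")"
    done
}

# Print only the PIDs that no policy confines.
unconfined_pids() {
    report | awk '$2 ~ /:unconfined$/ { print $1 }'
}

# Live view of this machine (run as root to see every process).
scan_proc() {
    for f in /proc/[0-9]*/attr/current; do
        pid=${f#/proc/}; pid=${pid%%/*}
        label=$(tr -d '\0' 2>/dev/null < "$f") || continue
        printf '%s\t%s\n' "$pid" "$label"
    done | report
}

# Constructed sample labels (not captured from a real host).
SAMPLE=$(printf '%s\t%s\n' \
    101 '/usr/sbin/cupsd (enforce)' \
    102 'unconfined' \
    201 'system_u:system_r:httpd_t:s0' \
    202 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
```

Piping the sample through unconfined_pids lists the processes neither LSM restricts; scan_proc does the same classification for the running system.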
