Both SELinux and AppArmor implement MAC (Mandatory Access Control) to control access to resources on a Linux system: based on policy rules, subjects (processes, users) are allowed or denied access to objects (files, directories, sockets, etc.).
SELinux
Unlike AppArmor, SELinux supports Multi-Level Security (MLS) and Multi-Category Security (MCS).
Multi-Level Security (MLS)
MLS controls access based on security levels: information is classified into different security levels and access is restricted according to those levels. It is used where strict access control is required.
- subject — users, processes
- objects — files, devices and other passive objects
Both subjects and objects are labeled with security levels; each security level is composed of a sensitivity and a category (or a set of categories).
To enable MLS in SELinux, set the following in /etc/selinux/config:
SELINUX=permissive
SELINUXTYPE=mls
then install the MLS policy, switch the running system to permissive mode and schedule a full relabel for the next boot:
yum install selinux-policy-mls
setenforce 0
fixfiles -F onboot
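As an added check for the procedure above (example code written for this page, not a tool from the SELinux project), the following parser reads the KEY=value format of /etc/selinux/config and reports whether the file is in the state the steps leave it in before the relabel runs: SELINUX=permissive and SELINUXTYPE=mls. Keeping the system permissive until the relabel has completed matters because an enforcing MLS policy on a filesystem that still carries targeted-policy labels can leave the host unable to boot. The sample configs are constructed, not copied from a real host.

```python
"""Sanity-check /etc/selinux/config before switching to the MLS policy.

Added example for this page; it is not a tool from the SELinux project.
It parses the KEY=value format of /etc/selinux/config and reports whether
the file matches the state the procedure above leaves it in
(SELINUX=permissive, SELINUXTYPE=mls) before `fixfiles -F onboot` has run.
"""


def parse_selinux_config(text):
    """Parse KEY=value lines; '#' starts a comment, blank lines are ignored."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=value, got {raw!r}")
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def mls_switch_problems(text):
    """Return a list of problems; an empty list means the config is ready
    for the MLS relabel in permissive mode."""
    cfg = parse_selinux_config(text)
    problems = []
    mode = cfg.get("SELINUX")
    if mode != "permissive":
        problems.append(
            f"SELINUX={mode!r}: keep the system permissive until the MLS relabel has completed")
    policy = cfg.get("SELINUXTYPE")
    if policy != "mls":
        problems.append(f"SELINUXTYPE={policy!r}: expected mls")
    return problems


# Constructed sample configs (not copied from a real host).
CONFIG_READY = """\
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=mls
"""

CONFIG_RISKY = """\
# Still the default targeted setup, enforcing.
SELINUX=enforcing
SELINUXTYPE=targeted
"""

if __name__ == "__main__":
    for name, text in (("ready", CONFIG_READY), ("risky", CONFIG_RISKY)):
        print(name, mls_switch_problems(text) or "ok")
```

Run it against the real file with `mls_switch_problems(open("/etc/selinux/config").read())` after editing; an empty list means the two keys match the procedure.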
Multi-Category Security (MCS)
MCS allows classification of data into multiple categories. This gives more granular control over access permissions, allowing different processes to have different access rights based on specific categories.
The purpose of MCS is to maintain data confidentiality on your system.
MCS categories range from c0 to c1023.
When users are assigned categories, they can label any of their files with any of the categories they have been assigned.
Raw label            Translation
s0:c0                Marketing
s0:c1                Finance
s0:c2                Payroll
s0:c3                Personnel
s0
s0-s0:c0.c1023       SystemLow-SystemHigh
s0:c0.c1023          SystemHigh
You can modify or create categories by editing setrans.conf for the policy in use, /etc/selinux/<selinuxpolicy>/setrans.conf:
/etc/selinux/targeted/setrans.conf
/etc/selinux/mls/setrans.conf
- In the targeted policy, use the s0 security level.
- In the mls policy, you can label each combination of sensitivity levels and categories.
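To make the MLS and MCS label syntax above concrete, here is an added example (written for this page, not code from the SELinux project or the selinux-notebook) that parses sensitivity/category labels such as s0, s0:c0.c1023 and s0-s0:c0.c1023, expands category ranges, applies a translation table built from the setrans.conf entries listed above, and implements the basic MLS dominance check: a level dominates another when its sensitivity is at least as high and its category set is a superset. Which end of a process's low-high range the kernel compares is decided by the policy's constraint rules and differs between the mls and targeted (MCS) policies, so can_read below compares two explicit single levels. The translation table and the sample comparisons are constructed from the page's own examples.

```python
"""Parse and compare SELinux MLS/MCS labels.

Added example for the MLS and MCS sections above; not code from the SELinux
project. Level syntax: "s0", "s0:c0.c1023", "s0:c0,c3,c5.c7"; a range
"low-high" such as "s0-s0:c0.c1023" must have a high end that dominates the
low end. Dominance here is the basic MLS "read down" rule; the policy's own
mlsconstrain rules add further cases on top of it.
"""
import re
from dataclasses import dataclass

MAX_CATEGORY = 1023  # SELinux categories run from c0 to c1023

# Constructed translation table mirroring the setrans.conf entries listed above.
TRANSLATIONS = {
    "s0:c0": "Marketing",
    "s0:c1": "Finance",
    "s0:c2": "Payroll",
    "s0:c3": "Personnel",
    "s0-s0:c0.c1023": "SystemLow-SystemHigh",
    "s0:c0.c1023": "SystemHigh",
}


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset

    def dominates(self, other):
        """True if self is at least as sensitive and holds all of other's categories."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_categories(spec):
    """Expand 'c0.c3,c5' into {0, 1, 2, 3, 5}; an empty spec is the empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or hi > MAX_CATEGORY:
            raise ValueError(f"category range out of bounds: {part!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_level(text):
    """'s0:c0.c1023' -> Level(0, {0..1023}); 's0' -> Level(0, {})."""
    m = re.fullmatch(r"s(\d+)(?::(.*))?", text)
    if not m:
        raise ValueError(f"bad level: {text!r}")
    return Level(int(m.group(1)), parse_categories(m.group(2) or ""))


def parse_range(text):
    """'low-high' -> (low, high); a bare level is both ends of its own range."""
    low_text, _, high_text = text.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if high_text else low
    if not high.dominates(low):
        raise ValueError(f"high level must dominate low level: {text!r}")
    return low, high


def can_read(subject_level, object_level):
    """Read-down: the subject's level must dominate the object's level."""
    return parse_level(subject_level).dominates(parse_level(object_level))


def translate(raw):
    """Render a raw label the way setrans would, falling back to the raw form."""
    return TRANSLATIONS.get(raw, raw)


if __name__ == "__main__":
    for subj, obj in (("s0:c0.c1023", "s0:c2"), ("s0:c1", "s0:c2"), ("s0", "s0")):
        print(f"{translate(subj):>12} reads {translate(obj):<10}: {can_read(subj, obj)}")
```

The SystemHigh label carries every category, so a process at s0:c0.c1023 can read Payroll (s0:c2) data, while a process confined to Finance (s0:c1) cannot; parse_range rejects a range whose high end does not dominate its low end, which is the same sanity rule the kernel applies when validating a context.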
AppArmor
AppArmor first allows and then restricts access, while SELinux first denies everything and then allows access only to subjects that present the proper certification.
The main advantage of AppArmor is its simplicity: it is far less complex than SELinux.
AppArmor works directly with profiles, which makes it more user-friendly than SELinux.
AppArmor uses a path-based implementation, which protects any file on the system, even ones that do not exist yet.
Resources:
https://github.com/SELinuxProject/selinux-notebook