SELinux vs AppArmor

natnat
3 min read · Feb 5, 2024
https://www.maketecheasier.com/selinux-vs-apparmor/

Both SELinux and AppArmor use MAC (Mandatory Access Control) to control access to resources on a Linux system: based on a set of rules, subjects (processes, users) are allowed or denied access to objects (files, directories, sockets, etc.).

SELinux

Unlike AppArmor, SELinux has Multi-Level Security and Multi-Category Security.

Multi-Level Security (MLS)

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/mls

MLS controls access based on security level. In a multi-level security system, information is classified into different security levels and access is restricted according to those levels. It is used where strict access control is required.

  • subject — users, processes
  • objects — files, devices and other passive objects

Both subjects and objects are labeled with security levels. Each security level is composed of a sensitivity and a (possibly empty) set of categories.

To enable MLS in SELinux, change `/etc/selinux/config`:

```
# /etc/selinux/config
SELINUX=permissive
SELINUXTYPE=mls
```

Then run:

```
yum install selinux-policy-mls
setenforce 0          # switch to permissive mode until the relabel is done
fixfiles -F onboot    # force a full filesystem relabel on the next boot
```

Multi-Category Security (MCS)

MCS allows classification of data into multiple categories. With this you have more granular control over access permissions, allowing different processes to have different access rights based on specific categories.

The purpose of MCS is to maintain data confidentiality on your system.

MCS categories are defined as c0-c1023.

When users are assigned to categories, they can label any of their files with any of the categories to which they have been assigned.

Level              Translation
s0:c0              Marketing
s0:c1              Finance
s0:c2              Payroll
s0:c3              Personnel
s0
s0-s0:c0.c1023     SystemLow-SystemHigh
s0:c0.c1023        SystemHigh

You can modify or create new categories by editing the `setrans.conf` file of the policy in use:

/etc/selinux/<selinuxpolicy>/setrans.conf
/etc/selinux/targeted/setrans.conf
/etc/selinux/mls/setrans.conf

  • In the targeted policy, use the s0 security level.
  • In the mls policy, you can label each combination of sensitivity levels and categories.
https://github.com/SELinuxProject/selinux-notebook/blob/main/src/images/8-security-levels.png
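To make the "sensitivity plus categories" structure concrete, here is an added Python illustration (not SELinux's own code) that parses raw levels such as `s0:c0.c1023`, loads a constructed `setrans.conf`-style translation table using the names from the table above, and applies the dominance rule that both MLS and MCS enforce for reads: a subject at level A may read an object at level B only if A's sensitivity is at least B's and A's category set contains all of B's. Only the read (no-read-up) rule and range membership are modelled; MLS write rules are more involved and are left out.

```python
"""Parse SELinux MLS/MCS security levels and check dominance (added illustration)."""
import re
from dataclasses import dataclass

# Constructed setrans.conf-style content (raw level = human-readable name),
# reusing the category names from the table in the post.
SETRANS = """
# comment lines and blanks are ignored
s0=SystemLow
s0-s0:c0.c1023=SystemLow-SystemHigh
s0:c0.c1023=SystemHigh
s0:c0=Marketing
s0:c1=Finance
s0:c2=Payroll
s0:c3=Personnel
"""


def load_setrans(text):
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        raw, _, name = line.partition("=")
        table[raw.strip()] = name.strip()
    return table


RAW_TO_NAME = load_setrans(SETRANS)
NAME_TO_RAW = {v: k for k, v in RAW_TO_NAME.items()}


def translate(raw):
    """Raw level or range -> name; ranges fall back to per-endpoint lookup, unknown levels stay raw."""
    if raw in RAW_TO_NAME:
        return RAW_TO_NAME[raw]
    if "-" in raw:
        lo, hi = raw.split("-", 1)
        return f"{translate(lo)}-{translate(hi)}"
    return raw


def untranslate(name):
    """Name or name range -> raw level, mirror of translate()."""
    if name in NAME_TO_RAW:
        return NAME_TO_RAW[name]
    if "-" in name:
        lo, hi = name.split("-", 1)
        return f"{untranslate(lo)}-{untranslate(hi)}"
    return name


@dataclass(frozen=True)
class Level:
    sensitivity: int          # the sN part
    categories: frozenset     # the cN parts, expanded to integers


def parse_categories(spec):
    """Expand 'c0.c3,c5' into {0,1,2,3,5}: '.' is an inclusive range, ',' separates items."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            lo_n, hi_n = int(lo[1:]), int(hi[1:])
            if lo_n > hi_n:
                raise ValueError(f"bad category range: {part}")
            cats.update(range(lo_n, hi_n + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


LEVEL_RE = re.compile(r"^s(\d+)(?::(c\d+(?:[.,]c\d+)*))?$")


def parse_level(text):
    m = LEVEL_RE.match(text)
    if not m:
        raise ValueError(f"bad level: {text}")
    return Level(int(m.group(1)), parse_categories(m.group(2) or ""))


def dominates(a, b):
    """a dominates b iff a's sensitivity >= b's and a's categories are a superset of b's."""
    return a.sensitivity >= b.sensitivity and a.categories >= b.categories


def parse_range(text):
    """'low-high' range; a single level means low == high. High must dominate low."""
    low, _, high = text.partition("-")
    lo = parse_level(low)
    hi = parse_level(high) if high else lo
    if not dominates(hi, lo):
        raise ValueError(f"high does not dominate low: {text}")
    return lo, hi


def may_read(subject_level, object_level):
    """No-read-up: the subject's level must dominate the object's level."""
    return dominates(parse_level(subject_level), parse_level(object_level))


def in_range(level, range_text):
    """True if a level lies within a user's or process's low-high range."""
    lo, hi = parse_range(range_text)
    lvl = parse_level(level)
    return dominates(lvl, lo) and dominates(hi, lvl)
```

With this, `may_read("s0:c1", "s0:c2")` is false (a Finance-only subject cannot read Payroll data), while a subject at `s0:c0.c1023` (SystemHigh) dominates every `s0:cN` object, and `translate("s0:c1-s0:c0.c1023")` renders as `Finance-SystemHigh`, which is what `ls -Z` or `id -Z` show once the translations are in `setrans.conf` and mcstransd is running.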

AppArmor

AppArmor first allows, then restricts access, while SELinux first denies and then allows access only to subjects that present the proper credentials (labels).

The main advantage of AppArmor is its simplicity: it is far less complex than SELinux.

AppArmor works directly with profiles, which makes it more user-friendly than SELinux.

AppArmor has a path-based implementation, which protects any file on the system, even the ones that do not exist yet.
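The path-based point is easiest to see with a profile in front of you. The following is an added Python illustration (not AppArmor's code) that embeds a constructed profile for a hypothetical `/usr/local/bin/report-gen` binary and evaluates accesses against it with AppArmor's globbing semantics (`*` stops at `/`, `**` crosses it) and its precedence rule (a matching `deny` wins over any allow). Because a rule matches a path pattern rather than a label on an inode, `/var/lib/report-gen/2024/q1.csv` is covered before the file ever exists. Execute modes such as `ix`/`Px` are treated as plain permission letters here, a simplification.

```python
"""Toy evaluator for AppArmor-style path rules (added illustration, not AppArmor's code)."""
import re

# Constructed profile for a hypothetical binary. Rule syntax follows AppArmor's
# "[deny] <path-glob> <perms>," form; include lines and braces are ignored.
PROFILE = """
#include <tunables/global>

/usr/local/bin/report-gen {
  #include <abstractions/base>

  /usr/local/bin/report-gen mr,
  /etc/report-gen/** r,
  /var/lib/report-gen/** rw,
  /var/run/report-gen/*.pid w,
  /var/log/report-gen.log w,
  deny /home/** rwx,
  deny /etc/shadow r,
}
"""

RULE_RE = re.compile(r"^(deny\s+)?(/\S+)\s+([A-Za-z]+),$")


def glob_to_regex(pattern):
    """AppArmor globbing: '*' matches within one path component, '**' crosses '/', '?' is one char."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_profile(text):
    """Return (is_deny, compiled_glob, perm_set) for every file rule in the profile."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # skips includes, braces, blanks and comments
        rules.append((bool(m.group(1)), glob_to_regex(m.group(2)), set(m.group(3))))
    return rules


def allowed(rules, path, perm):
    """A matching deny rule that covers perm wins; otherwise perms from all matching allow rules accumulate."""
    granted = set()
    for is_deny, rx, perms in rules:
        if not rx.match(path):
            continue
        if is_deny:
            if perm in perms:
                return False
        else:
            granted |= perms
    return perm in granted


RULES = parse_profile(PROFILE)


def check(path, perm):
    """Evaluate one access against the constructed profile."""
    return allowed(RULES, path, perm)
```

Note how `/var/run/report-gen/*.pid` permits `/var/run/report-gen/main.pid` but not `/var/run/report-gen/sub/x.pid`, while the `**` rules cover arbitrarily deep paths; the real profile language has the same distinction, so the choice between `*` and `**` decides how much of a directory tree a confined program can touch.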

Resources:

https://github.com/SELinuxProject/selinux-notebook
