Core Differences Between SELinux and AppArmor

1. Overview

The Linux kernel contains several built-in security systems that help ensure the safety of devices running it. Two subsystems were created specifically for this purpose. These subsystems, otherwise referred to as security modules, are SELinux and AppArmor.

By and large, SELinux and AppArmor enable us to achieve the same goals. However, many factors distinguish then from each other.

In this tutorial, we’ll have a detailed discussion on the core differences between SELinux and AppArmor. Before that, let’s have a brief introduction to each of them.

2. Introduction to SELinux

SELinux (Security-Enhanced Linux) is a security module that applies MAC (Mandatory Access Control) to Linux operating systems. MAC is a policy-based framework that establishes and enforces rules for users and processes when it comes to accessing files, directories, ports, and other resources.

SELinux makes use of labels to implement a security context for different processes and resources. Once an access request is made, SELinux compares these labels to a list of policies to decide whether to grant or deny that particular request.

3. Introduction to AppArmor

AppArmor (Application Armor) is another security module that carries the responsibility of applying MAC to Linux operating systems. It utilizes profiles to create and enforce rules on processes and resources.

Profiles are files that define the set of restrictions and permissions for processes and applications that try to access files, directories, ports, and other resources. Using these profiles, AppArmor can limit the privileges of different applications and processes to prevent unauthorized access to the resources of a device.

4. Core Differences Between SELinux and AppArmor

After getting to know each one separately, we can have a look at the core differences between SELinux and AppArmor. Let’s go through each aspect one by one.

4.1. Access Control

In terms of controlling the access of users and processes to essential resources, SELinux utilizes security policies that are based on file labels.

On the other hand, AppArmor makes use of security policies that are dependent on paths.

4.2. Security Schemes

SELinux and AppArmor have different choices when it comes to security schemes. Before knowing their preferences, let’s learn about the security schemes that we’re talking about in this section:

• MLS (Multi-Level Security)
• MCS (Multi-Category Security)

MLS is a security scheme that works with subjects and objects, where subjects include users and processes, while objects include files, ports, and other components. These subjects and objects are assigned a level of security that indicates a subject’s authorization or an object’s categorization.

MCS is another security scheme that also works with subjects and objects. However, it makes use of categories that are assigned to subjects and attached to objects.

When it comes down to preferences, SELinux utilizes both MLS and MCS. On the contrary, AppArmor doesn’t use either. Rather, AppArmor uses type enforcement which defines whether a process running with a particular type can get access to a file that’s labeled with a specific type.

4.3. Components

SELinux and AppArmor are built on a variety of key components.

First, let’s learn about the six key components that SELinux includes:

• Subjects: users and processes that are trying to access resources
• Objects: resources such as files, ports, and sockets
• SELinux Policy Database: the database that includes security policies to be enforced
• Kernel Module: the module that acts as the backbone for SELinux
• Security Server: the server that makes decisions according to security policies
• Access Vector Cache: the cache that stores the decisions made by the security server

Now, let’s check the three main components that comprise AppArmor:

• Optimizer: a tool that logs and collects events
• Profile Generator: performs a thorough analysis of an application to set up a profile template
• Server Analyzer: analyzes ports and makes a list of applications that are listening to them

We can see that there are common sections, but the overall structure of the two security implementations is fairly different.

4.4. Policies

There are two types of policies that SELinux implements on a system:

• MLS
• targeted: default policy for controlling access to a targeted process

On the other hand, AppArmor also uses two types of policies:

• capabilities: determine the privileges that a restricted process can access
• paths: decide the files that a particular process or an application can access

Now, let’s move on to the last aspect of the comparison.

4.5. Control Modes

SELinux comes with three control modes:

• permissive: the mode in which the system logs all the activities but doesn’t deny them
• enforcing: the default mode that implements security policies across the system
• disabled: the mode in which SELinux is inactive on the system

In the case of AppArmor, there are two control modes:

• complain: the mode in which violations of security policies are only logged
• enforce: the mode in which AppArmor enforces security policies across the system

Evidently, SELinux and AppArmor are different in terms of control modes as well.

5. Conclusion

In this article, we discussed the core differences between SELinux and AppArmor.

First, we learned what both implementations are and how they work. Then, we went through some key aspects in which these security modules diverge and discussed their underlying differences. In general, both SELinux and AppArmor stand out as great security modules in unique ways.