Why does Fedora use selinux rather than apparmor?
What is the reason? And is it possible to use apparmor instead of selinux? Should one wish to do so.
3 Answers
SELinux was the only upstream solution that didn't require patching the kernel when SELinux was made default in Fedora and Red Hat has several developers working on it. Apparmor may be possible but noone has done the work required for good integration. It is not merely a single knob to enable. It requires extensive policy for the applications to continue to work well on an ongoing basis.
You are asking on a Fedora forum, so you are going to get opinions.
Apparmor is easy to learn, but development is incomplete and many profiles have to be written or modified by end users.
Although it takes longer to learn, selinux is much more mature, has much better tools, both graphical and command line, much better documentation, and much better technical support and bug management.
If you want to try apparmor on Fedora you would have to compile a custom kernel and start writing / maintaining apparmor profiles. You could start with existing profiles for templates, but expect breakage.
See also - http://www.cyberciti.biz/tips/selinux...
Checking with Wikipedia, I see that it's quite easy to dodge around apparmor's protections in a way that SELinux blocks. This may be one of the reasons that Fedora doesn't use it, but that's only an educated guess.
Stats
Asked: 2015-10-25 04:30:14 -0600
Seen: 3,116 times
Last updated: Nov 07 '15
I like all answers so I can't vote for just one.
I am not use Selinux but maybe i can make a rpm if you need it ;)
please, please no @davidva. Responsibility for a system level security solution doesn't mean a one-off rpm...