Why does Fedora use selinux rather than apparmor?
What is the reason? And is it possible to use apparmor instead of selinux, should one wish to do so?
SELinux was the only upstream solution that didn't require patching the kernel when SELinux was made default in Fedora, and Red Hat has several developers working on it. Apparmor may be possible but no one has done the work required for good integration. It is not merely a single knob to enable. It requires extensive policy for the applications to continue to work well on an ongoing basis.
You are asking on a Fedora forum, so you are going to get opinions.
Apparmor is easy to learn, but development is incomplete and many profiles have to be written or modified by end users.
Although it takes longer to learn, selinux is much more mature, has much better tools, both graphical and command line, much better documentation, and much better technical support and bug management.
If you want to try apparmor on Fedora you would have to compile a custom kernel and start writing / maintaining apparmor profiles. You could start with existing profiles for templates, but expect breakage.
See also - http://www.cyberciti.biz/tips/selinux...
Checking with Wikipedia, I see that it's quite easy to dodge around apparmor's protections in a way that SELinux blocks. This may be one of the reasons that Fedora doesn't use it, but that's only an educated guess.
Asked: 2015-10-25 04:30:14 -0600
Seen: 3,116 times
Last updated: Nov 07 '15
I like all answers so I can't vote for just one.
I am not using Selinux, but maybe I can make an rpm if you need it ;)
Please, please no @davidva. Responsibility for a system level security solution doesn't mean a one-off rpm...