Ask Your Question

Why does Fedora use selinux rather than apparmor?

asked 2015-10-25 04:30:14 -0500

Ervin-Reloaded gravatar image

updated 2015-11-10 22:26:23 -0500

mether gravatar image

What is the reason? And is it possible to use apparmor instead of selinux? Should one wish to do so.

edit retag flag offensive close merge delete


I like all answers so I can't vote for just one.

Ervin-Reloaded gravatar imageErvin-Reloaded ( 2015-11-07 08:11:25 -0500 )edit

I am not use Selinux but maybe i can make a rpm if you need it ;)

davidva gravatar imagedavidva ( 2015-11-07 10:41:15 -0500 )edit

please, please no @davidva. Responsibility for a system level security solution doesn't mean a one-off rpm...

randomuser gravatar imagerandomuser ( 2015-11-07 12:53:53 -0500 )edit

3 Answers

Sort by ยป oldest newest most voted

answered 2015-10-25 20:35:26 -0500

mether gravatar image

SELinux was the only upstream solution that didn't require patching the kernel when SELinux was made default in Fedora and Red Hat has several developers working on it. Apparmor may be possible but noone has done the work required for good integration. It is not merely a single knob to enable. It requires extensive policy for the applications to continue to work well on an ongoing basis.

edit flag offensive delete link more

answered 2015-10-26 11:05:29 -0500

You are asking on a Fedora forum, so you are going to get opinions.

Apparmor is easy to learn, but development is incomplete and many profiles have to be written or modified by end users.

Although it takes longer to learn, selinux is much more mature, has much better tools, both graphical and command line, much better documentation, and much better technical support and bug management.

If you want to try apparmor on Fedora you would have to compile a custom kernel and start writing / maintaining apparmor profiles. You could start with existing profiles for templates, but expect breakage.

See also -

edit flag offensive delete link more

answered 2015-10-26 14:42:59 -0500

sideburns gravatar image

Checking with Wikipedia, I see that it's quite easy to dodge around apparmor's protections in a way that SELinux blocks. This may be one of the reasons that Fedora doesn't use it, but that's only an educated guess.

edit flag offensive delete link more

Question Tools

1 follower


Asked: 2015-10-25 04:30:14 -0500

Seen: 3,344 times

Last updated: Nov 07 '15