SELinux and AppArmor Comparison

Deployment

SELinux requires the implementation of MAC using labeled security, a tag is placed on each application and file to determine security levels. This is a difficult process to learn, analyze and implement. The implementation is only a problem if you develop your own security settings. This process takes considerable time and energy to make happen. SELinux only works with file systems with extended attributes. If you use a backup program like tar, it is not aware of the extended tags and therefore will damage the restore.

AppArmor is named based so there is no need to relabel the file system. AppArmor works with any file system. At least this initially makes it easier to understand.

Ease of Use

SELinux requires command line tools that require special skills and experience. SELinux in RHEL 5 or Centos 5 now have a tool in the graphical interface to help manage problems.

AppArmor is easier to use. Since it is name based the fundamental understanding of what you are working with is established immediately. The policies are readable. If you want to protect an application you do not need to modify the application. AppArmor uses syntax that is common among all Linux users. However, creating a profile for all of the applications that you use will be very time consuming and just as difficult in the end as SELinux. The real key is to get access to a group of profiles that have already been created and tested. Then AppArmor is an easier process. One word of caution, be very careful on the source of these pre-created profiles.  For an article on the Ubuntu 8.04 Server and AppArmor, Click Here.

Speed and Resources

Novell suggests that AppArmor has an overhead of 0-2% with SELinux being closer to 7%. I am not able to verify these numbers so take them for what they are worth.

Web Servers

SELInux provides higher security in that it contexts may only be changed when a process exec occurs. This means that PHP are forced to run as Apache.

AppArmor works best with Apache 2.0.x or better and you are able to restrict individual processes in sub confinement. In other words, you are able to issue individual policies for each of the processes running inside of Apache.

Summary

AppArmor is easier to work with when you desire is to protect a few applications that you have. To say that it does not require special skills is to stretch things a bit as most users will have no understanding of how or why they need to implement AppArmor. Since all of the current tools for Ubuntu are from the command line few users will implement it.  Also, even in the Ubuntu 8.04 Hardy Heron the only profile enabled is for cups printing so you really have no protection by default.  For an article on the Ubuntu 8.04 Server and AppArmor, Click Here.

With SELinux the problem is not implementing the option, that is a one click option. The problem with SELinux is management. Desktop users especially will not take the steps to develop the skills for SELinux management. In fact, most administrators that I have talked with simply turn it off because of the management issues.

In conclusion, even for administrators who run servers, it takes too much time and energy to implement and manage either solution to be realistic. However, for the security conscious with a few applications they want to protect AppArmor is the solution. Those wanting to protect an entire server will find that SELinux is a better solution.