SELinux and AppArmor have been around for many years, but are still essential for maintaining a secure Linux environment. This article will cover how to set them up and troubleshoot these mandatory access control (MAC) frameworks. Even if they seem overwhelming at first, learning how they work and how to manage them is an important step… continue reading.
SELinux and AppArmor have been around for many years, but are still essential for maintaining a secure Linux environment. This article will cover how to set them up and troubleshoot these mandatory access control (MAC) frameworks. Even if they seem overwhelming at first, learning how they work and how to manage them is an important step… continue reading.
What would you recommend for Debian/Ubuntu and Arch? AppArmor or SELinux?
Thanks for asking! I missed mentioning any of that.
For Debian/Ubuntu and *SUSE, AppArmor is the way to go as it’s the system default and well integrated. For RHEL and derivatives they default to SELinux .
For Arch, SELinux is possible, but not commonly used because of the complexity of setup and maintenance. AppArmor is easier to config, but most Arch users (not a popular distro for servers) rely on traditional DAC (Discretionary Access Control) security instead of MAC (Mandatory Access Control) frameworks.
If you’re running a server and require serious security, SELinux is worth considering. For desktops and workstations, AppArmor is more practical.
Also see:
Thank you @hydn. Really interesting and good to know.
A few days ago I got a VPS again and decided to use Ubuntu (I had Fedora, Debian, Rocky Linux, openSUSE and Alma Linux to choose from).
I have no idea what exactly I want to do productively with it, but I want to make it as secure as possible.
Really good article, took me down some rabbit holes you did have one error in the command for Deb/Unbun, it’s
apt install <program> -y
not apt-get, that command has been “depreciated” and used mostly for scripting purposes now. Also AppArmor comes installed on Debian when you install it. You can verify it’s running by putting systemctl status apparmor
.
You also didn’t mention the Debian Administrators handbookwhich has a great section on AppArmor. Or the Debian project’s home page which has a great search function that points you to Chapter 14 of the Debian Administrators guide. which has most of the answers on setting up a Debian based system. and of course there’s always man apparmor
for any distro worth a darn.