SELinux and AppArmor have been around for many years, but are still essential for maintaining a secure Linux environment. This article will cover how to set them up and troubleshoot these mandatory access control (MAC) frameworks. Even if they seem overwhelming at first, learning how they work and how to manage them is an important step… continue reading.
Thanks for asking! I missed mentioning any of that.
For Debian/Ubuntu and *SUSE, AppArmor is the way to go as it’s the system default and well integrated. For RHEL and derivatives they default to SELinux .
For Arch, SELinux is possible, but not commonly used because of the complexity of setup and maintenance. AppArmor is easier to config, but most Arch users (not a popular distro for servers) rely on traditional DAC (Discretionary Access Control) security instead of MAC (Mandatory Access Control) frameworks.
If you’re running a server and require serious security, SELinux is worth considering. For desktops and workstations, AppArmor is more practical.
Really good article, took me down some rabbit holes you did have one error in the command for Deb/Unbun, it’s apt install <program> -y not apt-get, that command has been “depreciated” and used mostly for scripting purposes now. Also AppArmor comes installed on Debian when you install it. You can verify it’s running by putting systemctl status apparmor.
You also didn’t mention the Debian Administrators handbookwhich has a great section on AppArmor. Or the Debian project’s home page which has a great search function that points you to Chapter 14 of the Debian Administrators guide. which has most of the answers on setting up a Debian based system. and of course there’s always man apparmor for any distro worth a darn.
On Linux Mint I have been running AppArmor for a few years, and it has been problem free.
Initially, I wanted to add an additional MAC sandbox for Firefox, and it never caused any issues with Firefox. The audit log showed a little log noise, but I have never attributed any Firefox issue directly to AppArmor.
A few years later, Ubuntu switched Firefox from a Debian package to Snap. I think Ubuntu provides the AppArmor profiles inherited by Linux Mint because the Snap conversion was when I lost the Firefox AppArmor profile in Linux Mint. I have not verified this, but Ubuntu probably created a new AppArmor profile for their Snap installation of Firefox. Perhaps Snap has its own sandboxing, but I do not know. I say all this to point out that you may find that popular AppArmor profiles are removed with little to no warning.
I have generated a few basic AppArmor profiles for console applications, but I did not want to tackle creating an AppArmor profile for something as complicated as Firefox. I considered borrowing Debian’s AppArmor profile for Firefox to use in Linux Mint, but I figured that would probably not end well. After significant research and not finding an easy AppArmor way to move forward, I found Firejail. Firejail provides a profile for Firefox, and that has worked well. Technically, from what I have read, Firejail combines with AppArmor to create restrictions for Firefox.
Long story short, if you cannot find an AppArmor profile for an application, and you do not want to tackle generating your own profile, consider Firejail.
You’re spot on regarding Ubuntu’s shift to Snap affecting AppArmor profiles, especially for high-profile packages like Firefox.
The Snap sandboxing system is separate from traditional AppArmor enforcement, and it indeed ships with its own AppArmor confinement rules that are often opaque to end users on downstream distros like Linux Mint. So unless you’re manually maintaining your own AppArmor profiles, once a package becomes a Snap, the original profile can silently disappear—exactly as you observed.
And yes, for anyone hesitant to hand-roll AppArmor profiles (especially for something as complex as a browser), Firejail is a practical and approachable fallback.
you did have one error in the command for Deb/Unbun, it’s