selinux VS apparmor

Compare selinux vs apparmor and see what are their differences.

selinux

This is the upstream repository for the Security Enhanced Linux (SELinux) userland libraries and tools. The software provided by this project complements the SELinux features integrated into the Linux kernel and is used by Linux distributions. All bugs and patches should be submitted to [email protected] (by SELinuxProject)
Suggest topics
Source Code
Suggest alternative
Edit details

apparmor

By apparmor
Suggest topics
Source Code
Suggest alternative
Edit details
InfluxDB - Power Real-Time Data Analytics at Scale
Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
www.influxdata.com
featured
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured
selinux apparmor
5 21
1,251 -
0.8% -
9.2 -
27 days ago -
C
GNU General Public License v3.0 or later -
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

selinux

Posts with mentions or reviews of selinux. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-02-27.

apparmor

Posts with mentions or reviews of apparmor. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-11-11.
  • Enhancing Service Security with Systemd
    3 projects | dev.to | 11 Nov 2023
    # /etc/systemd/system/nginx.service # Rootless Nginx service based on https://github.com/stephan13360/systemd-services/blob/master/nginx/nginx.service [Unit] # This is from the default nginx.service Description=nginx (hardened rootless) Documentation=https://nginx.org/en/docs/ Documentation=https://github.com/stephan13360/systemd-services/blob/master/nginx/README.md After=network-online.target remote-fs.target nss-lookup.target Wants=network-online.target [Service] # forking is not necessary as `daemon` is turned off in the nginx config Type=exec User=nginx Group=nginx ## can be used e.g. for accessing directory containing SSL certs #SupplementaryGroups=acme # define runtime directory /run/nginx as rootless services can't access /run RuntimeDirectory=nginx # write logs to /var/log/nginx LogsDirectory=nginx # write cache to /var/cache/nginx CacheDirectory=nginx # configuration is in /etc/nginx ConfigurationDirectory=nginx ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf # PID is not necessary here as the service is not forking ExecReload=/usr/sbin/nginx -s reload Restart=on-failure RestartSec=10s # Hardening # hide the entire filesystem tree from the service and also make it read only, requires systemd >=238 TemporaryFileSystem=/:ro # Remount (bind) necessary paths, based on https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor.d/abstractions/base, # https://github.com/jelly/apparmor-profiles/blob/master/usr.bin.nginx, # https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RootDirectory= # # This gives access to (probably) necessary system files, allows journald logging BindReadOnlyPaths=/lib/ /lib64/ /usr/lib/ /usr/lib64/ /etc/ld.so.cache /etc/ld.so.conf /etc/ld.so.conf.d/ /etc/bindresvport.blacklist /usr/share/zoneinfo/ /usr/share/locale/ /etc/localtime /usr/share/common-licenses/ /etc/ssl/certs/ /etc/resolv.conf BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout /run/systemd/notify # Additional access to service-specific directories BindReadOnlyPaths=/usr/sbin/nginx BindReadOnlyPaths=/run/ /usr/share/nginx/ PrivateTmp=true PrivateDevices=true ProtectControlGroups=true ProtectKernelModules=true ProtectKernelTunables=true # Network access RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 # Miscellaneous SystemCallArchitectures=native # also implicit because settings like MemoryDenyWriteExecute are set NoNewPrivileges=true MemoryDenyWriteExecute=true ProtectKernelLogs=true LockPersonality=true ProtectHostname=true RemoveIPC=true RestrictSUIDSGID=true ProtectClock=true # Capabilities to bind low ports (80, 443) AmbientCapabilities=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target
  • Restricting access to critical directories to trusted applications?
    1 project | /r/linuxquestions | 10 Jun 2023
  • Is it safe to enable Apparmor on the proxmox host server?
    1 project | /r/Proxmox | 19 May 2023
    root@hive:/usr/lib/apparmor# systemctl status apparmor ● apparmor.service - Load AppArmor profiles Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled) Active: active (exited) since Thu 2023-05-18 19:44:34 EDT; 23h ago Docs: man:apparmor(7) https://gitlab.com/apparmor/apparmor/wikis/home/ Process: 861 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SU> Main PID: 861 (code=exited, status=0/SUCCESS) CPU: 39ms
  • sandboxed and customizable setup of LoL on Linux
    1 project | /r/leagueoflinux | 9 May 2023
  • Apparmor rules
    3 projects | /r/linuxquestions | 27 Apr 2023
  • Audit backlog limit exceeded every 2-3 minutes and AppArmor issues
    2 projects | /r/openSUSE | 21 Mar 2023
  • Why is OpenSUSE switching to SELinux?
    2 projects | /r/openSUSE | 27 Feb 2023
    I know you made this comment 5 days ago, but: the last two commits were 1 and 3 day ago for me while SELinux is behind at 3 days and 2 weeks for its last two commits, and also has about half as many commits overall. So AppArmor is arguably as alive, if not more, than SELinux.
  • Do I understand how to use apparmor correctly?
    1 project | /r/sysadmin | 16 Feb 2023
    I'm working on doing what I can to secure a hobby VPS running Ubuntu. I've done some reading about apparmor (especially this document) and created a profile for nginx.
  • Void Linux Security Scanners
    1 project | /r/voidlinux | 25 Jan 2023
    Also, I agree that the documentation doesn't seem to be exactly helpful. I'd recommend Wikipedia about what it is (for links to what these terms mean) and its documentation in the project's Wiki.
  • Question to all the linux mint soldiers
    3 projects | /r/linuxmint | 7 Jan 2023
    Learn how to use AppArmor: https://gitlab.com/apparmor/apparmor/-/wikis/Documentation. Enforce its profiles (at least) for internet facing apps.

What are some alternatives?

When comparing selinux and apparmor you can also consider the following projects:

tor - unofficial git repo -- report bugs/issues/pull requests on https://gitlab.torproject.org/ --

bubblewrap - Low-level unprivileged sandboxing tool used by Flatpak and similar projects

nix-deploy - Deploy software or an entire NixOS system configuration to another NixOS system

privacy-respecting - Curated List of Privacy Respecting Services and Software

cef - A Haskell library for CEF (Commont Event Format)

ubuntu-server-nosnap

filepath - Haskell FilePath core library

apparmor-profiles - AppArmor Profiles for Arch Linux

language-puppet - A library to work with Puppet manifests, test them and eventually replace everything ruby.

lxc - High level Haskell bindings to LXC (Linux containers).

selinux-kernel - GitHub mirror of the SELinux kernel repository

selinux vs tor apparmor vs bubblewrap selinux vs nix-deploy apparmor vs privacy-respecting selinux vs cef apparmor vs ubuntu-server-nosnap selinux vs filepath apparmor vs apparmor-profiles selinux vs language-puppet selinux vs lxc selinux vs selinux-kernel