Comments on: Linux Kernel Security (SELinux vs AppArmor vs Grsecurity)

By: batou

batou — Thu, 04 Aug 2011 20:28:13 +0000

Bad, bad article – things are messed up. AppArmor (as now used in Ubuntu say 10.04, 10.10) is the easiest tool – but least powerful, and GrSecurity is the very strong but probably harder to start with tool – for geek admins, not for random Ubuntu user that just starts with linux.. ;)
Also what others said – AppArmor is path based and SELinux is notable for labelling, actually SELinux probably IS the most common example of needing labeling…

By: Dave Keays

Dave Keays — Thu, 21 Jul 2011 06:18:40 +0000

“Pathname based system does not require labelling or relabelling filesystem”
I’ve only lightly played with SELinux and your comparison chart really threw a curve at me. Until I read the comments I was wondering what was wrong with my installation.

By: Wannabe

Wannabe — Wed, 01 Jun 2011 13:48:58 +0000

Thanks for the great comparison. I’d also like to agree with the previous posters that in the table the last row (“Feature”) has the SELinux and AppArmor fields flipped. Otherwise, nice work!

By: Doofy

Doofy — Sat, 08 Jan 2011 12:50:28 +0000

Hi,
Please revise the last row in your comparison table.
I think apparmor is path based and selinux is lable based.

By: Georgi Kolev

Georgi Kolev — Fri, 19 Nov 2010 11:54:00 +0000

Nice article :)
p.s.: Slackware dosn’t include SELinux (or AppArmor / grsecurity ).

By: Andrea

Andrea — Thu, 02 Sep 2010 09:32:56 +0000

there is an error in the Feature table:

SELinux attaches labels to all files, processes and objects and not AppArmor…

By: szymon_g

szymon_g — Wed, 21 Apr 2010 00:09:42 +0000

nice site, but I would add some information:
1. Apparmor- this project is dead. Novell fired AA developers in Oct 2007. OpenSUSE is prepared for shipping with SELinux (although it doesn’t have workable policies, unlike Fedora)- base programs and libraries are installed, common userland apps are patched etc.
2. Grsecurity (incl. PaX) is much more than ‘traditional’ MAC – it also offers memory protection, ASLR etc
3. Where is TOMOYO? it was included in 2.6.30, it offers better security (if configured properly) than AA (but less than SELinux); its really nice for use (offers ‘learning mode’, human-readable policies, works fine with updates of system /libraries etc/

By: anon

anon — Wed, 03 Mar 2010 05:09:22 +0000

selinux has 7% + overhead… some benchmarks on some tasks like network intensive show overhead of 16%. Google “selinux overhead” for plenty of links.

@miker,
yep, he mixed up the entries in his table, but apparently doesn’t care.

By: duck

duck — Thu, 18 Feb 2010 18:15:24 +0000

Oh and http://www.grsecurity.net/grsecurity-slide.ppt says there’s minimal performance impact with Grsecurity’s NX but other features can show an impact of 3%-20%. And I’m sure SELinux is even worse…

By: duck

duck — Thu, 18 Feb 2010 17:32:11 +0000

I’m not sure about that “performance impact: none”. For example, according to Novell’s official FAQ, Apparmor’s performance impact should be around 2%…

By: Miker

Miker — Wed, 26 Aug 2009 19:11:43 +0000

I think you have a mix-up in the summary table on the features line. Selinux uses labels and Apparmor uses paths correct?

By: Matt Summers

Matt Summers — Wed, 03 Jun 2009 13:40:37 +0000

Nice article. I wanted to mention that the PAX/GrSecurity patch set goes far beyond MAC in terms of hardening your system. The stack smashing protection is huge. At Gentoo we are working on a stable implementation with gcc-4.3. Results are really solid so far, a lot of progress has been made. Gentoo’s Hardened Project has some pretty good docs related to Pax/GrSec as well as SELinux, however we do not currently work with AppArmor. For any edge device or mission critical system with untrusted users Pax/GrSec is without a doubt the weapon of choice. Feel free to jump on Freenode IRC channel #gentoo-hardened if you have any questions.

By: Vivek Gite

Vivek Gite — Wed, 27 May 2009 23:52:17 +0000

@Alexander,

Thanks for pointing out new info.

By: Alexander Slesarev

Alexander Slesarev — Wed, 27 May 2009 23:31:41 +0000

Sorry, but I want to notice that the future of the AppArmor project is not so bright. Novell lie off AppArmor programmers, including Crispin Cowan (AppArmor's founder and leader). Crispin is now working in the Microsoft company. Other AppArmor's key developers (Steve Beattie and Dominic Reynolds) wanted to organize an AppArmor consulting company called Mercenary Linux. But there are no any links to this company, and the declared site is providing an adult content now. Last releases of AppArmor was about a year ago, and there are not any seen movements in this direction now.