Does anyone know why some distros choose AppArmor over SELinux? Is it better?

I found this:

looks like AppArmor to SELinux is what inotify is to dnotify (that is better and easier).

Is?

TenTenTen

Asking if AppArmor is better than SELinux is like asking if Linux is better than OpenBSD. They solve different problems. Over at lwn.net there is a very nice discussion with an author of the TOMOYO project about advantages and disadvantages.

That's a half truth, there are common problems they solve in different ways and as explained in the link above from Novell - AppArmor is certainly better in those cases cause it's simpler and easier.

grsecurity > *

A lot of people don't like SELinux because it's difficult to work with. I think a lot of people end up disabling it on Fedora.

I hate profiling because it's practicaly useles.
If apps would ship with their own profile file that complies with a freedesktop standard that doesn't exist then it would be of some use I guess.

BTW you may disagree with me.

They used to. Most of the time now it's unnecessary. This is due to the 'targetted' policy implemented by Fedora/Redhat by defualt. This policy is designed for mild server situations were your only worried about external threats over the network. It allows local user logins to do pretty much whatever they want within the traditional 'DAC' security framework. Targetted policy is worthless if your goal is to increase the protection from local user accounts.


================================

SELinux is complicated in the extreme because implementing a full fledged MAC system is itself extremely complicated. I can set up a SELinux machine so that if your user does not have security clearance you will not just be denied access to 'top secret' files on the machine... it would be impossible for you to even detect their existence. Even if you knew their names and know were they would be at, you still could not prove they existed, unless you try a physical attack on the machine (break into the building and steal the harddrive).

Other security mechanisms such as Toyomo, AppArmor, SMACK, and the like are trading capabilities for usability. There is nothing they can do that SELinux cannot do, but there is a lot of things that SELinux can do that they cannot.

If your implementing high security system for government agency or hardcore banking system then your a idiot to use anything other then Selinux.... It was designed specifically for those purposes.

If your goal is to prevent your user account being hacked because Adobe's flash plugin sucks then AppArmor is your friend.