For casual users who don’t create AppArmor profiles for various programs, would it be a wiser, more security enhancing choice to stay with AppArmor, as has been the case for years, or move to SELinux, which by default contains policies to confine more system programs, services, etc.?
2 Likes
I put some time into testing selinux before the switch. My advice based on that experience is to follow the default behaviour.
What I mean by this is: selinux works very well. Apparmor is also good. But migrating to selinux from apparmor, while it mostly will just work, can cause problems… So, if you have a machine with apparmor on it, don’t migrate to selinux, keep apparmor. If you are making a new installation, then take selinux.
Hope that helps!
2 Likes
Thanks for the opinion! Tumbleweed set the default LSM to SELinux a while ago. Maybe the same will happen for Leap next version. I think it might be more reasonable to move to SELinux if no snap packages or additional AppArmor profiles are used. It would be wise to make a backup and test it on the VM beforehand to minimize any potential issues.
This is what I referred to as “the switch”. Take note that this new default only applies to new installations, and existing installations will not be changed - the default behaviour is to leave it as it is.
My opinion was not entirely original 
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.