Is it a bad idea to run SELinux and AppArmor at the same time?

My corporate policy says that Linux boxes must be secured with SELinux (so that a security auditor can check the 'yes, we're extremely secure!' checkbox for each server). I had hoped to take advantage of Ubuntu's awesome default AppArmor security. Is it unwise to run both AppArmor and SELinux? (If so, can this bad idea be mitigated with some AppArmor and/or SELinux tweaks?)


The Linux kernel provides the Linux Security Module interface, of which SELinux and AppArmor are both implementations. (Others include TOMOYO, Smack, ...) This interface is currently designed to allow only a single LSM to be operational at a time. There is no way to run two simultaneously, so you must choose one. There has been discussion from time to time about how to "stack" multiple LSMs, but this has not been done yet.


I wouldn't use both.

Both SELinux and AppArmor do the same basic thing: limiting access to files and folders to only the applications that really need access.

But both implement this idea in very different ways.

  • SELinux attaches a label to every file in your filesystem and limits the access of an application to certain labels.
    For example: Apache can only use files and folders labeled explicitly as web files, and other applications can't.
  • AppArmor accomplishes the same thing without using labels; it just uses file paths.

(This is a very, very basic explanation of how SELinux and AppArmor operate.)

If you were to use both, they would probably get in each other's way, and I really see no need or advantage to using both.
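
The label-versus-path difference described in the answer above, as an added example that is not part of the original answer: a simplified Python model in which one file is reachable under two names, so the two kinds of policy give different verdicts. The filesystem, both policies, the profile name `apache2` and the helper names are assumptions made for illustration; neither real policy engine is this simple.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Inode:
    """A file object; the label is stored with the object, not with its name."""
    label: str


# Constructed sample: one file reachable under two names (a hard link).
report = Inode(label="user_home_t")
FILESYSTEM = {
    "/home/alice/report.html": report,
    "/var/www/html/report.html": report,
    "/var/www/html/index.html": Inode(label="httpd_sys_content_t"),
}

# Label model (assumed policy): process domain -> labels it may read.
LABEL_POLICY = {"httpd_t": {"httpd_sys_content_t"}}
# Path model (assumed policy): profile name -> path globs it may read.
# fnmatch stands in for real profile glob matching, which has its own rules.
PATH_POLICY = {"apache2": ["/var/www/html/*"]}


def label_allows(domain: str, path: str) -> bool:
    """Decide from the label on the object the path resolves to."""
    return FILESYSTEM[path].label in LABEL_POLICY.get(domain, set())


def path_allows(profile: str, path: str) -> bool:
    """Decide from the name used to reach the object."""
    return any(fnmatchcase(path, g) for g in PATH_POLICY.get(profile, []))


def decisions(path: str) -> tuple:
    """Return (label model verdict, path model verdict) for the web server."""
    return label_allows("httpd_t", path), path_allows("apache2", path)


if __name__ == "__main__":
    for p in FILESYSTEM:
        print(p, decisions(p))
    report.label = "httpd_sys_content_t"  # relabel the object once
    print("after relabel:")
    for p in FILESYSTEM:
        print(p, decisions(p))
```

In the label model the verdict follows the file under every name it has, which is why a file copied or linked into the web root stays unreadable until it is relabeled; in the path model the verdict follows the name used to open it.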