Is it a bad idea to run SELinux and AppArmor at the same time?

The Linux kernel provides the Linux Security Module interface, of which SELinux and AppArmor are both implementations. (Others include TOMOYO, Smack, ...) This interface is currently designed to allow only a single LSM to be operational at a time. There is no way to run two simultaneously, so you must choose one. There has been discussion from time to time about how to "stack" multiple LSMs, but this has not been done yet.


I wouldn't use both.

Both SELinux and AppArmor do the same basic thing: limiting access to files and folders to only the applications that really need access.

But both implement this idea in very different ways.

  • SELinux attaches a label to every file in your filesystem and limits the access of an application to certain labels.
    For example: Apache can only use files and folders labeled explicitly as web files, and other applications can't.
  • AppArmor accomplishes the same thing without using labels; it just uses file paths.

(This is a very, very basic explanation of how SELinux and AppArmor operate.)

If you were to use both, they would probably get in each other's way, and I really see no need or advantage to using both.
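
The label-versus-path distinction described in the answer above, as an added example that is not part of the original answers: a simplified Python model of the two decision styles, showing what each one decides after a file is moved. The policy tables, file names and the `FS` class are constructed for illustration and are not real SELinux or AppArmor policy syntax.

```python
# Toy model of label-based vs path-based access decisions.
# Constructed for illustration; not real SELinux/AppArmor policy syntax.
from fnmatch import fnmatch

class FS:
    """Minimal filesystem: a path is a name pointing at a file record."""
    def __init__(self):
        self.names = {}                       # path -> {"label": ...}

    def create(self, path, label):
        self.names[path] = {"label": label}   # label is stored with the file

    def move(self, src, dst):
        self.names[dst] = self.names.pop(src) # same file, new name

# Label style: a process domain may read files carrying these labels.
LABEL_POLICY = {"httpd_t": {"httpd_sys_content_t"}}
# Path style: a program may read files whose path matches these globs.
# (fnmatch's '*' also crosses '/', which is looser than a real profile.)
PATH_POLICY = {"/usr/sbin/apache2": ["/var/www/*"]}

def label_allows(fs, domain, path):
    """Decision depends on the label attached to the file itself."""
    return fs.names[path]["label"] in LABEL_POLICY.get(domain, set())

def path_allows(fs, program, path):
    """Decision depends only on the name used to reach the file."""
    return any(fnmatch(path, g) for g in PATH_POLICY.get(program, []))

def check(fs, path):
    return (label_allows(fs, "httpd_t", path),
            path_allows(fs, "/usr/sbin/apache2", path))

def demo():
    fs = FS()
    fs.create("/var/www/index.html", "httpd_sys_content_t")
    fs.create("/home/alice/notes.txt", "user_home_t")
    out = {"web_before": check(fs, "/var/www/index.html"),
           "notes_before": check(fs, "/home/alice/notes.txt")}
    # Move a home file into the web root: the path now matches, the label does not.
    fs.move("/home/alice/notes.txt", "/var/www/notes.txt")
    out["notes_after"] = check(fs, "/var/www/notes.txt")
    # Move the web file elsewhere: the label still matches, the path does not.
    fs.move("/var/www/index.html", "/srv/site/index.html")
    out["web_after"] = check(fs, "/srv/site/index.html")
    return out

if __name__ == "__main__":
    for name, (by_label, by_path) in demo().items():
        print(f"{name:13} label-based={by_label!s:5} path-based={by_path}")
```

In this model, after a move the label-based decision is unchanged until the file is relabeled, while the path-based decision changes immediately, so each approach needs a different follow-up when files are relocated.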