Not sure if I can give you a link that covers everything; instead I share this (sorry ^_^):
TL;DR: AppArmor has no MLS/MCS support, policy generation depends on a single wrapper, can't generate policies for containers, security is unfortunately not easy.
AppArmor and SELinux are very similar in what they do and how they do it. The major difference to note is that SELinux labels every object while AppArmor uses paths. However, my biggest beef with AppArmor is that it lacks tooling and is absolutely incapable of running in an environment where fine-grained security is important or mandatory (govt, data center etc.) as it lacks MLS and MCS capabilities. Sure it is easier - and I'm using the word easy very loosely as it is a matter of experience and knowledge - to create policies, but that is mostly because it is not able to do as much as SELinux does (no MLS/MCS), making it a lot less complex than SELinux. Thanks to this, AppArmor is also not a good choice for containers as it is unable to separate containers from each other or from the host properly due to the lack of MLS/MCS. In an era when micro-services and containers are the de facto way of deploying applications this is a critical problem, and I'm pretty sure that this is one of the reasons why MicroOS has moved to SELinux.
Surely a good comeback would be that SELinux can't generate policies, which is true; however that is a conscious decision and it does provide tooling (audit2allow) instead of relying on a single wrapper. Also, on what you mentioned about relabeling taking time and resources: I was deploying, running and maintaining CentOS and RHEL servers for about 8 years before we moved everything to openSUSE, and this happened to me about twice and took only 5-10 minutes on boot.
IMO SELinux is a necessary next step to take.
https://selinuxproject.org/page/NB_MLS
--
Br, A.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Saturday, April 10, 2021 6:10 PM, Michael Ströder michael@stroeder.com wrote:

> On 4/10/21 1:07 PM, Attila Pinter wrote:
>> I'm very happy to see work going into this. SELinux would improve a lot on security especially when it comes to containerization. It is crazy simple to break out of a Podman container if it is secured by AppArmor.
>
> Could you please provide some links to detailed information?
>
> Ciao, Michael.
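The MCS separation that the thread discusses is visible on a host as the category pair in each container process's label (the `:s0:cNN,cMM` suffix). The following is an added example, not code from this thread or from the SELinux or container-selinux projects: it parses `ps -eZ`-style output and reports container processes that MCS would not keep apart. The type names `container_t`, `container_runtime_t` and `spc_t` are the ones used by the container-selinux policy; the `ps -eZ` sample lines are constructed for the example, not captured from a real host, and the finding kinds are this script's own naming.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample of `ps -eZ` output (not captured from a real host).
# Two container_t processes share categories c12,c34; one runs with no categories.
SAMPLE_PS_EZ = """\
LABEL                                     PID TTY          TIME CMD
system_u:system_r:init_t:s0                 1 ?        00:00:03 systemd
system_u:system_r:container_runtime_t:s0  801 ?        00:00:01 conmon
system_u:system_r:container_t:s0:c12,c34  812 ?        00:00:00 nginx
system_u:system_r:container_t:s0:c57,c99  845 ?        00:00:00 postgres
system_u:system_r:container_t:s0:c12,c34  901 ?        00:00:00 redis-server
system_u:system_r:container_t:s0          933 ?        00:00:00 busybox
system_u:system_r:spc_t:s0                960 ?        00:00:00 privileged-tool
"""

CATEGORY_RE = re.compile(r"c(\d+)(?:\.c(\d+))?")  # 'c12' or a range 'c0.c1023'


def parse_level(level):
    """Return (sensitivity, frozenset of MCS category numbers) for an MLS/MCS level.

    Accepts 's0', 's0:c12,c34' and ranges such as 's0-s0:c0.c1023' (the high end
    of a range is used, since that is what the process can reach)."""
    high = level.split("-")[-1]
    sensitivity, _, cats = high.partition(":")
    categories = set()
    for item in filter(None, cats.split(",")):
        m = CATEGORY_RE.fullmatch(item)
        if not m:
            raise ValueError(f"bad category spec: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        categories.update(range(lo, hi + 1))
    return sensitivity, frozenset(categories)


def parse_ps_ez(text):
    """Parse `ps -eZ` output into dicts with pid, cmd, SELinux type and MCS categories."""
    procs = []
    for line in text.splitlines():
        if line.startswith("LABEL"):
            continue  # column header
        parts = line.split(None, 4)  # label, pid, tty, time, cmd (cmd may hold spaces)
        if len(parts) < 5:
            continue
        label, pid, _tty, _time, cmd = parts
        fields = label.split(":", 3)  # user:role:type:level, the level itself has ':'
        if len(fields) != 4:
            raise ValueError(f"unexpected label: {label!r}")
        _user, _role, typ, level = fields
        sensitivity, cats = parse_level(level)
        procs.append({"pid": int(pid), "cmd": cmd, "type": typ,
                      "sens": sensitivity, "cats": cats})
    return procs


def audit_container_isolation(procs, container_types=("container_t",)):
    """Return (kind, pids) findings for container processes MCS does not separate.

    kinds: 'no_categories'     - container_t with a bare s0 level, nothing to separate on
           'shared_categories' - identical category sets; fine within one container,
                                 but if these are different containers MCS does not
                                 keep them apart
           'dominates'         - one category set is a strict subset of another, so the
                                 larger one can reach the smaller one's files
           'unconfined'        - spc_t/unconfined_t, i.e. not confined by the policy"""
    findings = []
    containers = [p for p in procs if p["type"] in container_types]
    for p in containers:
        if not p["cats"]:
            findings.append(("no_categories", (p["pid"],)))
    by_cats = defaultdict(list)
    for p in containers:
        if p["cats"]:
            by_cats[p["cats"]].append(p)
    for group in by_cats.values():
        if len(group) > 1:
            findings.append(("shared_categories", tuple(p["pid"] for p in group)))
    for a, b in combinations([p for p in containers if p["cats"]], 2):
        if a["cats"] < b["cats"] or b["cats"] < a["cats"]:
            findings.append(("dominates", (a["pid"], b["pid"])))
    for p in procs:
        if p["type"] in ("spc_t", "unconfined_t"):
            findings.append(("unconfined", (p["pid"],)))
    return findings


if __name__ == "__main__":
    # On a real host: audit_container_isolation(parse_ps_ez(subprocess.check_output(["ps", "-eZ"], text=True)))
    for kind, pids in audit_container_isolation(parse_ps_ez(SAMPLE_PS_EZ)):
        print(f"{kind:18} pids={pids}")
```

`ps -eZ` alone cannot tell whether two processes with the same category pair belong to the same container (where sharing is expected) or to two different ones, so the `shared_categories` finding is a prompt to check with the container runtime, not a verdict.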