Yea, but there are also some things AppArmor just can’t do. Although in my experience most aren’t as big of a deal. Things like saying “only processes of this type can bind to port X” for example and much more fine grained control of file or directory actions. Does AppArmor provide kernel module controls?

They both have really bad documentation though :(

AppArmor is great but it isn’t nearly as powerful as SELinux. Way more user friendly though.

I haven’t looked around that much in years beyond NixOS, what else has MAC by default these days? I remember a lot of the Debian based ones having some things constrained by AppArmor, but I personally prefer SELinux and it wasn’t everything.

I don’t know if it ships with a firewall, but that’s definitely easier than an ad hoc SELinux setup. I always just transfer my iptables (nftables now) rules over.

One of the few with SELinux by default