{SeLinux, MAC, LSM, DAC, AppArmor}
Mostly directly quoted (i.e. copy-pasted) from other resources. Sources are in the footnotes.
# Glossary
- Discretionary Access Control (DAC)
  - Traditional Linux security is based on a Discretionary Access Control (DAC) policy, which provides minimal protection from broken software or from malware that is running as a normal user or as root. Access to files and devices is based solely on user identity and ownership. Malware or broken software can do anything with files and resources that the user that started the process can do. If the user is root or the application is setuid or setgid to root, the process can have root-access control over the entire file system.[^1]
- Mandatory Access Control (MAC)
  - Every action a program could perform that affects the system in any way is checked against a security ruleset.[^2]
- SELinux
  - SELinux implements MAC. When security-relevant access occurs, such as when a process attempts to open a file, SELinux intercepts the operation in the kernel. If a MAC policy rule allows the operation, it continues; otherwise, SELinux blocks the operation and returns an error to the process. The kernel checks and enforces DAC policy rules before MAC rules.[^1]
  - SELinux is considered to be very complicated and requires a supported filesystem.[^3]
- AppArmor
  - In brief, AppArmor is a security module that uses a white list to determine permissions. It provides rules for file, capability, and network mediation, with its file mediation using path-name-based pattern matching. Though it is possible to confine an entire system, AppArmor by design allows for application-based mediation where only a subset of a running system is confined.[^4]
  - AppArmor is an alternative MAC implementation, orthogonal to SELinux rather than layered on top of it.
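A minimal AppArmor profile, added here as an illustration and not taken from any of the cited sources; the program `/usr/local/bin/example-daemon` and every path under it are hypothetical. It shows the three kinds of mediation named above (file, capability, network) and the white-list character of the policy: a confined process may do only what is listed, everything else is refused.

```apparmor
# Constructed example profile for a hypothetical daemon; the binary and all
# paths below are made up for illustration. Everything not listed is denied,
# which is what makes the profile a white list.
#include <tunables/global>

/usr/local/bin/example-daemon {
  # Shared rule sets: libc, /dev/null, locale data, and NSS/DNS lookups.
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Capability mediation: only what binding a privileged port requires.
  capability net_bind_service,

  # Network mediation: TCP over IPv4/IPv6 only; no UDP, no raw sockets.
  network inet stream,
  network inet6 stream,

  # File mediation, matched by path name rather than by a label on the inode.
  # The binary itself: readable and mappable as executable.
  /usr/local/bin/example-daemon mr,
  # Configuration: read-only, recursive.
  /etc/example-daemon/ r,
  /etc/example-daemon/** r,
  # Its own log files: write only.
  /var/log/example-daemon/*.log w,
  # State directory: read, write, and file locks.
  /var/lib/example-daemon/ r,
  /var/lib/example-daemon/** rwk,

  # Explicit denials take precedence over any allow rule above; unlike an
  # implicit denial they are not logged by default.
  deny /etc/shadow r,
  deny /home/** rw,
  deny /proc/sys/kernel/** w,
}
```

With the AppArmor userspace tools installed, `apparmor_parser -r <profile file>` loads or reloads the profile, `aa-complain` switches it to complain mode (violations are logged but not blocked, which is how a profile is normally developed), and `aa-status` lists the loaded profiles and whether each is in enforce or complain mode.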
# misc
Ubuntu, SUSE and a number of other distributions use AppArmor by default. RHEL (and its variants) use SELinux, which requires good userspace integration to work properly.[^3]
[^2]: MAC on ArchWiki: https://wiki.archlinux.org/title/Security#Mandatory_access_control
[^3]: AppArmor on ArchWiki: https://wiki.archlinux.org/title/AppArmor
[^4]: AppArmor security module, patchset on the linux-kernel mailing list: https://lwn.net/Articles/353832/