Name: DEMYSTIFY：選擇 SELinux 還是 AppArmor (DEMYSTIFY: The Choice Between SELinux or AppArmor)
Uploaded: 2025-01-13T03:19:57.000Z
Duration: 9 min 29 s

未來進行式

Welcome back, and this time we're going to be looking at the comparison of SELinux to AppArmor.

歡迎回來，這次我們將探討 SELinux 與 AppArmor 的比較。

程度副詞

And we're going to delve in just a little bit.

轉承詞

I'm not going to go as far as a tutorial, because SELinux in particular is very complex, and really it would be better if you just bought a book or went and downloaded some of the Red Hat manuals, and I can provide those for you for links.

我不打算寫教程，因為 SELinux 特別複雜，如果你買一本書或去下載一些 Red Hat 手冊會更好，我可以為你提供鏈接。

That will help you in starting to learn it.

Both of these are very powerful tools, and let's explore a little bit as to what they can be used for.

這兩種工具都非常強大，讓我們來探討一下它們的用途。

Both of these are Linux security modules.

這兩個模塊都是 Linux 安全模塊。

You may also hear them referred to as LSMs.

您可能還會聽到有人稱他們為 LSM。

And those sort of act like the gatekeepers to your system.

這些就像是你的系統的守門人。

They control what applications can and cannot do.

它們控制著應用程序能做什麼，不能做什麼。

There are two options on the table, but which one should you choose?

桌面上有兩種選擇，但您應該選擇哪一種呢？

Well, as usual, I'm not going to make that decision for you.

好吧，像往常一樣，我不會替你做這個決定。

Again, I'm going to give you the information you need to make your own decision.

我將再次向您提供您需要的資訊，以便您做出自己的決定。

So, throughout this video, we'll break down SELinux and AppArmor and compare their features and help you pick the right security solution for your needs.

是以，在整個視頻中，我們將對 SELinux 和 AppArmor 進行分析，比較它們的功能，幫助你選擇適合自己需求的安全解決方案。

And with that, I am DJ Ware, and this is the Cyber Gizmo.

我是 DJ Ware，這裡是 Cyber Gizmo。

I'd like to take a moment and thank the sponsors of this channel.

在此，我要感謝本頻道的贊助商。

The members of Patreon, as well as the members of the channel through YouTube.

Patreon 的成員，以及通過 YouTube 頻道的成員。

Thank you so much for your support and helping bring this content in a higher quality than it would be possible otherwise.

非常感謝你們的支持，幫助我們提高了內容的品質。

So, first we probably should explain what is SELinux and AppArmor.

是以，我們首先應該解釋一下什麼是 SELinux 和 AppArmor。

You've probably come across it in the documentation for if you've used Fedora or Red Hat or Rocky Linux or even AlmaLinux.

如果你使用過 Fedora、Red Hat 或 Rocky Linux，甚至 AlmaLinux，你可能在文檔中見過它。

You may have found documentation in there for SELinux.

您可能已經在其中找到了 SELinux 文檔。

If you're on the Ubuntu side or Debian side, you probably have run into discussions of AppArmor.

如果你是 Ubuntu 或 Debian 用戶，你可能會遇到關於 AppArmor 的討論。

SELinux stands for Security Enhanced Linux.

SELinux 是安全增強型 Linux 的縮寫。

It is a heavyweight in the Linux security world.

它是 Linux 安全領域的重量級產品。

It is a mandatory access control system, meaning that it enforces the security policies that you define.

它是一個強制性的訪問控制系統，也就是說，它會執行你定義的安全策略。

So, as the administrator, you are the one that creates a rulebook that applications must follow, and there are no exceptions to that.

是以，作為管理員，您必須制定應用程序必須遵守的規則手冊，而且不能有任何例外。

On the other hand, AppArmor kind of takes a profile-based approach.

另一方面，AppArmor 是一種基於配置文件的方法。

It creates profiles for specific applications, and those profiles outline exactly what they're allowed to do on your system.

它可以為特定應用程序創建配置文件，這些配置文件明確列出了允許它們在系統中做的事情。

You can think of it as giving each application a specific set of permissions to allow access to files or not.

你可以把它理解為為每個應用程序賦予一組特定的權限，允許或不允許訪問文件。

So, it's more in tune with files than it is anything else.

是以，它與文件的關係比其他任何東西都要密切。

Generally, SELinux is a little bit different.

So, let's explore some of those differences.

那麼，讓我們來探討其中的一些差異。

So, we're looking at SELinux here and AppArmor, and the key difference between them is SELinux is a comprehensive security solution.

是以，我們現在看到的是 SELinux 和 AppArmor，它們之間的主要區別在於 SELinux 是一種全面的安全解決方案。

It can control everything from the access and network connections that your system is calling to system calls themselves that applications are allowed to make.

它可以控制一切，從系統調用的訪問和網絡連接，到允許應用程序進行的系統調用本身。

It is a much more powerful system, but it comes with a price, and that is a steep learning curve.

它是一個功能更強大的系統，但也有代價，那就是陡峭的學習曲線。

AppArmor, however, focuses on the file access and system calls.

而 AppArmor 則側重於文件訪問和系統調用。

It ensures applications can only access the files and the functions that they absolutely need.

它確保應用程序只能訪問它們絕對需要的文件和功能。

While it doesn't have the all-encompassing control of SELinux, it does provide a solid layer of protection.

雖然它不具備 SELinux 的全方位控制能力，但它確實提供了一層堅實的保護。

The next big difference is configuration.

SELinux isn't known for being user-friendly.

SELinux 並非以用戶友好而著稱。

It is a complex policy language that requires in-depth security knowledge.

這是一種複雜的策略語言，需要深入的安全知識。

You might think of it as writing code to define security rules, so it's not exactly considered a walk in the park.

你可能會認為這是編寫代碼來定義安全規則的過程，是以這並不是一件輕而易舉的事。

AppArmor, on the other hand, takes a simpler approach.

而 AppArmor 則採用了更簡單的方法。

It uses user profiles that define allowed capabilities for each application.

它使用用戶配置文件來定義每個應用程序允許的功能。

It's more like creating permission sets, which is definitely easier to manage.

這更像是創建權限集，肯定更容易管理。

So, back to the learning curve, SELinux will take you a while to get your head wrapped around.

是以，回到學習曲線上，SELinux 會讓你花一些時間來熟悉它。

The complex configuration language alone requires significant expertise.

僅複雜的配置語言就需要大量的專業知識。

AppArmor, on the other hand, is much easier to learn, and it makes it a good choice for those who are new to application security.

而 AppArmor 則更容易學習，是以對於那些應用程序安全新手來說是個不錯的選擇。

So, before you make a choice between SELinux and AppArmor, there might be some other considerations.

是以，在您選擇 SELinux 還是 AppArmor 之前，可能還需要考慮一些其他因素。

You may need high security with granular control over everything your applications do.

您可能需要對應用程序的所有操作進行細粒度控制的高安全性。

In that case, SELinux might be a best bet.

在這種情況下，SELinux 可能是最好的選擇。

If, on the other hand, you're looking for basic protection and ease of use, AppArmor would be a good fit.

另一方面，如果你需要的是基本的保護和易用性，AppArmor 會很適合你。

System complexity also plays a role here.

系統的複雜性在這裡也發揮了作用。

If you're managing a complex system with many applications interacting with each other, SELinux might introduce additional management overhead.

如果你正在管理一個複雜的系統，其中有許多應用程序相互影響，那麼 SELinux 可能會帶來額外的管理開銷。

In simpler systems, AppArmor might be sufficient to keep things secure.

在較簡單的系統中，AppArmor 可能足以保證安全。

So, finally, consider your expertise on where you are in your ability to be able to configure and manage these two.

是以，最後，請考慮一下您的專業知識，看看您在配置和管理這兩者方面的能力如何。

If you have experience as a security administrator and you think you can handle SE intricacies, it probably offers more control.

如果你有擔任安全管理員的經驗，並認為自己可以處理複雜的 SE 問題，那麼它可能會提供更多的控制功能。

But for users who are less familiar with security, AppArmor is simpler, the configuration is easier to understand, and that might be preferable.

但對於不太熟悉安全知識的用戶來說，AppArmor 更加簡單，配置也更容易理解，這可能是更好的選擇。

SELinux and AppArmor are both powerful tools, and both can secure your Linux system.

SELinux 和 AppArmor 都是功能強大的工具，都能確保 Linux 系統的安全。

The right choice depends on your specific needs and your expertise and level of confidence in your capabilities.

正確的選擇取決於您的具體需求、專業知識以及對自身能力的自信程度。

SELinux offers comprehensive security with granular control.

SELinux 通過細粒度控制提供全面的安全性。

It comes with a steeper learning curve, and it also is more rigorous when it comes to testing.

它的學習曲線更陡峭，測試也更嚴格。

Also, it is not very forgiving of misconfigurations, as I found out when I was first learning to use it.

此外，它對錯誤配置的寬容度也不高，我在剛開始學習使用它時就發現了這一點。

So, if you misspell something in your SELinux configuration file that's in Etsy, your system will not reboot.

是以，如果你在 Etsy 中的 SELinux 配置文件中拼錯了什麼，系統就不會重啟。

So, if you are going down the road for SELinux, my suggestion would be to use a VM, snapshot the VM before you make any changes that require a reboot, and then test your changes, and then if it doesn't work, you have a fallback.

是以，如果你要使用 SELinux，我的建議是使用虛擬機，在進行任何需要重啟的更改之前，先給虛擬機快照，然後測試你的更改，如果不成功，你就有了退路。

AppArmor, however, is a little bit of a simpler approach with a focus on file access control, and it just makes it easier to learn and implement.

然而，AppArmor 是一種更簡單的方法，重點是文件訪問控制，而且更容易學習和實施。

I mean, you don't have quite as rigorous test routines because its function and scope is limited to a subset of what SELinux can do.

我的意思是，你沒有那麼嚴格的測試程序，因為它的功能和範圍僅限於 SELinux 能做的事情的一個子集。

So, ultimately, the best security solution, as we always say, is the one you use.

是以，正如我們常說的那樣，最好的安全解決方案最終還是要靠自己使用。

Neither one are effective if they're not turned on.

如果沒有開啟，兩者都不會有效。

So, remember, securing your system is an ongoing process.

是以，請記住，確保系統安全是一個持續的過程。

This is only one link in the chain, so don't rely on this as your absolute only security mechanism.

這只是安全鏈中的一個環節，是以不要將其作為唯一的絕對安全機制。

To me, it's unfortunate that we have all of these tools that you have to piece together into a chain of things, and to hopefully get them to work together without interjecting any more possibilities for vulnerabilities to slip in.

對我來說，不幸的是，我們擁有的所有這些工具，你都必須將它們拼湊成一個鏈條，並希望它們能夠協同工作，而不給漏洞插入更多的可能性。

Anytime you install a service, you're inviting another place for a crack to appear in the armor of your system.

任何時候，只要您安裝了服務，就意味著您的系統盔甲上出現了另一個裂縫。

So, I think, you know, for me, stay tuned.

所以，我想，你知道，對我來說，敬請期待。

And if you have any questions, leave them in the comments below and hit that subscribe button and share it with your friends.

如果您有任何問題，請在下面的評論中留言，並點擊訂閱按鈕與朋友分享。

And I hope to see you all again in the next video.

我希望在下一個視頻中再見到大家。