Mandatory Access Control (MAC) enforces security policies set by a system administrator that users and processes cannot override, unlike Discretionary Access Control (DAC), where file owners decide permissions. SELinux and AppArmor are the two dominant MAC implementations for Linux, both delivered as Linux Security Modules (LSMs) that supplement, never replace, the traditional Unix DAC model. The critical mental model to internalize is that SELinux labels every subject (process) and object (file, port, socket) with a security context and asks "is this label allowed to do this action to that label?", while AppArmor attaches rules to the pathname of executables and asks "is this program allowed to access this path?". That label-vs-path duality determines almost every practical difference between the two systems.
What This Cheat Sheet Covers
This topic spans 19 focused tables and 156 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: MAC vs DAC (Core Access Control Models)
Understanding the distinction between MAC and DAC is the foundation for everything else in SELinux and AppArmor. DAC governs everyday Unix permissions; MAC adds a mandatory layer that even root cannot bypass without explicit policy permission.
| Concept | Example | Description |
|---|---|---|
| DAC (Discretionary Access Control) | chmod 644 file.txt; chown alice file.txt | Traditional Unix model: the resource owner decides permissions, and root can override everything |
| MAC (Mandatory Access Control) | SELinux: the httpd_t domain cannot write shadow_t files | Centrally defined policy enforced by the kernel; even root cannot override it without a policy change |
| Evaluation order | DAC denies: MAC never runs. DAC allows: MAC policy is checked next | SELinux rules are evaluated only after DAC rules pass; a DAC denial stops the check immediately |
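The evaluation order in the last row, and the label-vs-path difference between SELinux and AppArmor, can be made concrete with a small model of the kernel's decision. The script below is an added example, not code from this cheat sheet or from the SELinux or AppArmor projects. Every allow rule, profile, uid, file mode and label in it is constructed for illustration, and the model deliberately simplifies the real mechanisms: it ignores group bits, uses Python's fnmatch in place of AppArmor's own globbing, and knows only the "file" object class.

```python
"""Toy model of how Linux stacks DAC and MAC.

Constructed example: the policy, profile, uids, modes and labels below are
made up to illustrate the decision order, not taken from any real distro.
"""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class File:
    path: str
    owner_uid: int
    mode: int           # Unix permission bits, e.g. 0o644
    selinux_type: str   # object label type, e.g. "shadow_t"


@dataclass(frozen=True)
class Process:
    uid: int
    selinux_type: str   # subject domain, e.g. "httpd_t"
    exe: str            # executable pathname; this is what AppArmor keys on


# ---- DAC: owner/mode bits; root passes DAC for everything (CAP_DAC_OVERRIDE) ----
PERM_BITS = {"read": 4, "write": 2, "exec": 1}


def dac_allows(proc, f, perm):
    if proc.uid == 0:
        return True
    bit = PERM_BITS[perm]
    if proc.uid == f.owner_uid:
        return bool((f.mode >> 6) & bit)     # owner bits
    return bool(f.mode & bit)                # "other" bits; group ignored (simplification)


# ---- MAC, SELinux style: (subject type, object type, class) -> permissions; default deny ----
SELINUX_ALLOW = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read"},
    ("httpd_t", "httpd_log_t", "file"): {"read", "write"},
    ("unconfined_t", "shadow_t", "file"): {"read", "write"},
    # deliberately no rule for (httpd_t, shadow_t): denied whatever the uid is
}


def selinux_allows(proc, f, perm):
    return perm in SELINUX_ALLOW.get((proc.selinux_type, f.selinux_type, "file"), set())


# ---- MAC, AppArmor style: executable path -> {file glob: permissions}; default deny ----
APPARMOR_PROFILES = {
    "/usr/sbin/httpd": {
        "/var/www/*": {"read"},              # fnmatch '*' also crosses '/', unlike real AppArmor
        "/var/log/httpd/*": {"read", "write"},
    },
}


def apparmor_allows(proc, f, perm):
    profile = APPARMOR_PROFILES.get(proc.exe)
    if profile is None:
        return True                          # no profile for this executable: unconfined
    return any(fnmatch.fnmatch(f.path, glob) and perm in perms
               for glob, perms in profile.items())


def access(proc, f, perm, mac="selinux"):
    """Return (allowed, stage) in kernel order: DAC first, then the LSM hook.

    A DAC denial returns ("dac") and the MAC policy is never consulted;
    otherwise the MAC decision is final and the stage is "mac".
    """
    if not dac_allows(proc, f, perm):
        return (False, "dac")
    check = selinux_allows if mac == "selinux" else apparmor_allows
    return (check(proc, f, perm), "mac")


# Constructed sample objects and subjects.
SHADOW = File("/etc/shadow", 0, 0o640, "shadow_t")
INDEX = File("/var/www/html/index.html", 0, 0o644, "httpd_sys_content_t")
HTTPD_ROOT = Process(0, "httpd_t", "/usr/sbin/httpd")    # confined even though uid 0
HTTPD_USER = Process(48, "httpd_t", "/usr/sbin/httpd")
ADMIN = Process(0, "unconfined_t", "/bin/bash")

if __name__ == "__main__":
    for who, what, perm in [(HTTPD_USER, SHADOW, "read"), (HTTPD_ROOT, SHADOW, "read"),
                            (ADMIN, SHADOW, "read"), (HTTPD_USER, INDEX, "write")]:
        print(f"uid={who.uid} {who.selinux_type} {perm} {what.path}: {access(who, what, perm)}")
```

The case worth studying is HTTPD_ROOT reading /etc/shadow: DAC lets uid 0 through, so the decision reaches the MAC hook, and there the absence of an httpd_t to shadow_t rule denies it. The same process with uid 48 never reaches MAC at all, because the mode bits already denied it. Switching the mac argument to "apparmor" gives the same verdicts for these inputs, but for a different reason: the decision is keyed on /usr/sbin/httpd and the file path, not on labels.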