Securing Linux: Steady Momentum in AppArmor and SELinux Uptake

Introduction

In recent times, two critical Linux security frameworks, AppArmor and SELinux, have seen noteworthy acceleration in real-world deployment. As Linux continues to anchor enterprise, container, cloud, and desktop systems, these Mandatory Access Control (MAC) tools have crossed threshold events signaling broader acceptance. This article examines those pivotal inflection points, dives into why they matter, and offers reflections on the shifting landscape of Linux security.

A Swift Journey to Widespread Use

SELinux’s Ascendancy

Originally conceived by the NSA and later shepherded by Red Hat, SELinux added powerful MAC controls to Linux by the early 2000s. Since being fully embedded into the Linux 2.6.x kernel, SELinux has steadily expanded its reach. It has become the default security layer on Red Hat Enterprise Linux, Fedora, and their derivatives, and integrated into Debian 9+, plus Ubuntu from version 8.04. Android further embraced SELinux starting from version 4.3, marking its normalization in mobile devices.

But the most recent watershed occurred in early 2025: openSUSE Tumbleweed made SELinux the default MAC for new installations beginning with snapshot 20250211, accompanied by minimalVM images running in enforcing mode. Existing installations remain unaffected unless manually migrated, and AppArmor remains an installer option. Moreover, openSUSE Leap 16 will be shipping with SELinux in enforcing mode by default, affirming a full shift within SUSE ecosystems.

This chain of events reflects a conscious pivot in favor of SELinux across both SUSE and community platforms, aligning them more closely with enterprise-grade security policies.

AppArmor’s Established Reach

AppArmor, originally named SubDomain in the late ’90s, emerged from Immunix and later became a core tool in SUSE distributions. It officially became part of the Linux kernel in version 2.6.36 around October 2010. Ubuntu began shipping it by default starting with 7.10; by 8.04, CUPS was protected. Over the following releases, its scope widened to include MySQL, libvirt, browser sessions, and more. In Debian 10 (“Buster”), released July 2019, AppArmor became enabled by default, anchoring its adoption across Debian-based ecosystems.