My corporate policy says that Linux boxes must be secured with SELinux (so that a security auditor can check the 'yes, we're extremely secure!' checkbox for each server). I had hoped to take advantage of Ubuntu's awesome default AppArmor security. Is it unwise to run both AppArmor and SELinux? (If so, can this bad idea be mitigated with some AppArmor and/or SELinux tweaks?)
The Linux Kernel provides the Linux Security Module interface, of which SELinux and AppArmor are both implementations. (Others include TOMOYO, Smack, ...) This interface is designed currently to only allow a single LSM to be operational at a time. There is no way to run two simultaneously, so you must choose one. There has been discussion from time to time about how to "stack" multiple LSMs, but this has not been done yet.
I wouldn't use both.
Both SELinux and AppArmor do the same basic thing: limiting access to files and folders to only the applications that really need access.
But both implement this idea in very different ways.
For example: Apache can only use files and folders labeled explicitly as web files, and other applications can't.
(This is a very very basic explanation of how SELinux and AppArmor operate.)
If you were to use both they would probably get in each other's way, and I really see no need or advantage to using both.
You cannot run both at the same time. Each of these is a "Major" LSM, and it is not possible to stack two major LSMs at once. ref.
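To see which major LSM a given server is actually running, and whether that satisfies an "SELinux required" policy like the one in the question, the kernel's active LSM list can be checked directly. This is an added example, not code from any of the answers; it assumes securityfs is mounted so that `/sys/kernel/security/lsm` is readable, falls back to a constructed sample list otherwise, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: identify the active major LSM and test it against a policy.
# Major LSM names are the ones mentioned in the answers above.
MAJOR_LSMS="selinux apparmor smack tomoyo"

# major_lsms_in LIST
# LIST is the comma-separated content of /sys/kernel/security/lsm.
# Prints the major LSMs found in it, space-separated (empty line if none).
major_lsms_in() {
    found=""
    for name in $(printf '%s' "$1" | tr ',' ' '); do
        case " $MAJOR_LSMS " in
            *" $name "*) found="${found:+$found }$name" ;;
        esac
    done
    printf '%s\n' "$found"
}

# policy_check REQUIRED LIST
# Succeeds only if the REQUIRED major LSM is active in LIST.
policy_check() {
    case " $(major_lsms_in "$2") " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

LSM_FILE=/sys/kernel/security/lsm
if [ -r "$LSM_FILE" ]; then
    active_list=$(cat "$LSM_FILE")
else
    # Constructed sample, used only when the kernel file is unavailable.
    active_list="lockdown,capability,landlock,yama,apparmor"
fi

echo "active LSMs:  $active_list"
echo "major LSM(s): $(major_lsms_in "$active_list")"
if policy_check selinux "$active_list"; then
    echo "policy: SELinux is the active major LSM"
else
    echo "policy: SELinux is NOT active on this host"
fi
```
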