Does Ubuntu use SELinux by default and if not, how is security context managed? For example, allowing processes to run as root without security context can be a security risk.
The help page about SELinux suggests that SELinux is a program that needs to be manually installed.
So then how does Ubuntu handle security context out of the box?
Ubuntu uses AppArmor, a SELinux alternative.
Wikipedia gives some hints on why some people think AppArmor is better than SELinux:
Ubuntu ships many AppArmor profiles for core applications. You can find them in /etc/apparmor.d/. If you need to edit the default profiles, you can override settings from /etc/apparmor.d/local/.
Ubuntu also ships some so-called "abstractions", which are ways to help you write your own AppArmor profiles quickly without repeating yourself (the famous DRY principle).
One thing that is important to note is that the AppArmor profile for Firefox is disabled by default, because it might be too restrictive for many users. You can however enable it as described in the documentation:
If you want to go with SELinux, you are free to disable AppArmor and install the selinux package. Note however that the default configuration for SELinux in Ubuntu is not very restrictive, so you have to configure it yourself.
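To illustrate how the profile directory, the abstractions and the local override directory mentioned in this answer fit together, here is an added example that is not part of the original answer. The binary /usr/bin/example-app and every path granted to it are hypothetical; the abstractions and tunables named are ones AppArmor ships.

```apparmor
# ---- /etc/apparmor.d/usr.bin.example-app (hypothetical profile) ----
# Defines variables such as @{HOME} used below.
#include <tunables/global>

/usr/bin/example-app {
  # Abstractions: shared rule sets kept under /etc/apparmor.d/abstractions/.
  # "base" covers what nearly every dynamically linked program needs;
  # "nameservice" covers DNS, passwd and group lookups.
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The binary itself: map as executable (m) and read (r).
  /usr/bin/example-app mr,

  # Read-only configuration.
  /etc/example-app/** r,

  # Per-user state, only for files owned by the calling user.
  owner @{HOME}/.config/example-app/** rw,

  # Log file is write-only for the confined process.
  /var/log/example-app.log w,

  # Explicit deny: takes precedence over any allow rule, including
  # rules pulled in by an abstraction or by the local override.
  deny @{HOME}/.ssh/** rw,

  # Site-specific additions live in the local/ directory, so the
  # packaged profile can be upgraded without losing them.
  #include <local/usr.bin.example-app>
}

# ---- /etc/apparmor.d/local/usr.bin.example-app (hypothetical override) ----
# Only rule lines go here, with no profile header or braces, because this
# file is included inside the profile body above.
/srv/example-data/** r,
```

After editing either file, the profile is reloaded with `sudo apparmor_parser -r /etc/apparmor.d/usr.bin.example-app`.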
As Andrea's answer points out, Ubuntu uses AppArmor. The "default" SELinux context Ubuntu uses depends greatly on how you install SELinux (I believe that selinux-default is the one that you are looking for). Of course, if you install none, you should configure it according to your tastes.