In this chapter, we looked at the basic principles of Mandatory Access Control and compared two different Mandatory Access Control systems. We saw what SELinux and AppArmor are and how they can help safeguard your systems from malicious actors. We then looked at the basics of how to use them and the basics of how to troubleshoot them. We also saw that even though they're both meant to do the same job, they work in vastly different ways.

Whether you're working with AppArmor or with SELinux, you'll always want to thoroughly test a new system in either complain or permissive mode before you put it into production.  Make sure that what you want to protect gets protected, while at the same time, what you want to allow gets allowed. After you place the machine into production, don't just assume that you can automatically change a policy setting every time you see a policy violation occur. It could be that nothing is wrong with your Mandatory Access Control setup and that MAC is just doing its job in protecting you from the bad guys.

There's a lot more to both of these topics than we can cover here. Hopefully, though, I've given you enough to whet your appetite and enough to help you out in your day-to-day duties.

In the next chapter, we'll look at scanning, auditing, and hardening.  I'll see you there.