SELinux and AppArmor enforcement reached 55.6% across enterprise Linux environments in 2025, meaning more than half of all production Linux installations now actively block unauthorized access through Mandatory Access Control. With RHEL holding 43.1% of the enterprise Linux server market and Ubuntu at 33.9%, these two frameworks cover roughly 77% of enterprise Linux just through distribution defaults. The 2025 switch by openSUSE from AppArmor to SELinux as its default MAC framework signals a broader shift toward SELinux dominance in new deployments.
SELinux and AppArmor Adoption Key Statistics
- 55.6% of enterprise Linux environments enforce SELinux or AppArmor as of 2025.
- RHEL, with 43.1% enterprise server share, ships SELinux in enforcing mode by default.
- 86% of Ubuntu servers have AppArmor enabled, and Ubuntu runs on 60%+ of public cloud Linux instances.
- 96.4% of production Kubernetes clusters run on Linux, with both MAC frameworks used to confine containers.
- Organizations using SELinux reported a 60% reduction in privilege escalation incidents compared to permissive-mode deployments.
SELinux and AppArmor Combined Enforcement Rate
A Market Growth Reports study confirmed that more than 55% of organizations deployed SELinux, AppArmor, or a similar security module within the preceding 12 months. This aligns with the 55.6% figure from aggregated industry data, placing the reliable benchmark for MAC enforcement squarely in the 55–56% range.
The 1.3% Linux malware figure is worth reading alongside this data. Enterprises that enforce SELinux or AppArmor tend to layer 2FA (72.1%) and active firewalls (88.4%) on top, building a defense stack that explains Linux’s low malware incidence.
Which Linux Distributions Default to SELinux
SELinux adoption follows distribution defaults. RHEL, Fedora, and CentOS Stream all ship with SELinux in enforcing mode. Since RHEL alone holds 43.1% of the enterprise Linux server market, SELinux is present across the largest enterprise Linux ecosystem by default.
The big change in 2025 was openSUSE Tumbleweed switching from AppArmor to SELinux for new installations, starting with snapshot 20250211. openSUSE Leap 16 followed. This is a notable reversal — SUSE/openSUSE held the AppArmor trademark and had been an AppArmor stronghold since the Novell era.
| Distribution | Default MAC | Mode | Changed / Confirmed |
|---|---|---|---|
| RHEL | SELinux | Enforcing | Default since inception |
| Fedora | SELinux | Enforcing | Default since inception |
| CentOS Stream | SELinux | Enforcing | Default since inception |
| openSUSE Tumbleweed | SELinux | Enforcing | February 2025 |
| openSUSE Leap 16 | SELinux | Enforcing | 2025 |
| Ubuntu | AppArmor | Enforce (profiles) | Default since 7.10 |
| Debian | AppArmor | Enabled | Default since Buster (2019) |
| SUSE Linux Enterprise 15.x | AppArmor | Enabled | Unchanged |
SELinux vs AppArmor Enterprise Market Share by Distribution
When you map MAC framework adoption to distribution market share, the split is roughly 43% SELinux (via the RHEL family) and 50% AppArmor (via Ubuntu and Debian combined). But openSUSE’s 2025 switch is gradually pulling new SUSE-ecosystem deployments toward SELinux, and that gap will narrow as legacy installs get replaced.
Some organizations on Ubuntu or Debian deliberately install SELinux instead of AppArmor, particularly in government and defense environments where SELinux’s NSA-originated type enforcement and multi-level security (MLS) are required for compliance.
AppArmor Adoption on Ubuntu and Debian Servers
AppArmor’s presence in production is tied almost entirely to Ubuntu and Debian. Over 86% of Ubuntu servers have AppArmor enabled by default, according to a 2025 MoldStud/Canonical analysis. Canonical reports that more than 60% of public cloud Linux instances run Ubuntu, which means AppArmor is the MAC framework behind a large share of cloud workloads.
With AWS EC2 at 83.5% Linux, Azure at 61.8%, and Google Cloud at 91.6%, AppArmor’s cloud exposure through Ubuntu alone is substantial. Its path-based profile model works well in cloud environments where containers spin up and down rapidly and admins need minimal configuration overhead.
SELinux and AppArmor in Container and Kubernetes Workloads
Container environments are where both frameworks are growing fastest. The CNCF confirmed that 96.4% of production Kubernetes clusters run on Linux in 2025. Both SELinux and AppArmor are used to confine container workloads within those clusters.
Kubernetes v1.30 moved AppArmor support from annotations into the native securityContext field of pod specs, making it a first-class option in pod security configuration. SELinux context settings have been available through Kubernetes security contexts for longer.
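As an added example (not from the original article or the Kubernetes project), the following audit shows what that migration looks like in practice: it walks Pod objects in the shape returned by `kubectl get pods -o json` and reports containers that still rely only on the legacy AppArmor annotation, that are explicitly unconfined, or that pin no MAC setting at all. The function names, finding labels and sample pods are illustrative and constructed for this example; the annotation prefix and the `appArmorProfile` / `seLinuxOptions` fields are the Kubernetes ones.

```python
# Added example: audit how AppArmor / SELinux confinement is declared in Pod objects.
LEGACY_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

def audit_pod(pod):
    """Return sorted (container, finding) tuples for one Pod object."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        # A container-level setting overrides the pod-level one.
        profile = sc.get("appArmorProfile") or pod_sc.get("appArmorProfile")
        selinux = sc.get("seLinuxOptions") or pod_sc.get("seLinuxOptions")
        legacy = annotations.get(LEGACY_PREFIX + c["name"])
        if legacy is not None and profile is None:
            findings.append((c["name"], "legacy-annotation-only"))
        if (profile or {}).get("type") == "Unconfined" or legacy == "unconfined":
            findings.append((c["name"], "apparmor-unconfined"))
        if profile is None and legacy is None and not selinux:
            # Nothing pinned in the manifest; confinement depends on node/runtime defaults.
            findings.append((c["name"], "no-explicit-mac-setting"))
    return sorted(findings)

def audit(pods):
    """Map pod name -> findings, omitting pods with none."""
    report = {}
    for pod in pods:
        result = audit_pod(pod)
        if result:
            report[pod["metadata"]["name"]] = result
    return report

# Constructed sample input (not from a real cluster).
SAMPLE_PODS = [
    {"metadata": {"name": "web", "annotations": {LEGACY_PREFIX + "nginx": "runtime/default"}},
     "spec": {"containers": [{"name": "nginx"}]}},
    {"metadata": {"name": "api"},
     "spec": {"securityContext": {"appArmorProfile": {"type": "RuntimeDefault"}},
              "containers": [{"name": "app"},
                             {"name": "debug", "securityContext":
                              {"appArmorProfile": {"type": "Unconfined"}}}]}},
    {"metadata": {"name": "db"},
     "spec": {"securityContext": {"seLinuxOptions": {"type": "container_t", "level": "s0:c123,c456"}},
              "containers": [{"name": "postgres"}]}},
    {"metadata": {"name": "batch"}, "spec": {"containers": [{"name": "job"}]}},
]

if __name__ == "__main__":
    for pod_name, items in audit(SAMPLE_PODS).items():
        print(pod_name, items)
```

A `no-explicit-mac-setting` finding does not mean the container runs unconfined; it means the manifest leaves the choice to node and runtime defaults, which is worth pinning explicitly.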
A 2024 CNCF report found a 3x decline in privilege escalation attempts when containerized apps used SELinux type enforcement. Red Hat separately reported a 60% reduction in privilege escalation incidents with SELinux versus permissive-mode deployments. Canonical’s security team estimated a 70%+ reduction in exploitation risk with kernel-based MAC enforcement.
Microsoft’s Azure Kubernetes Service (AKS) is also shifting: Azure Linux 3.0 dropped AppArmor support entirely and recommends SELinux for mandatory access control on AKS nodes.
Linux Security Market Growth and MAC Outlook for 2026
The global Linux software market was valued at $8.87 billion in 2025 and is projected to reach $10.23 billion in 2026. The broader Linux OS market is on track for $99.69 billion by 2032, growing at a 20.9% CAGR. Security demand is a direct driver of this growth, and 41% of IT departments reported difficulty finding qualified Linux administrators in 2025 — MAC enforcement complexity is part of that skills gap.
As containerized workloads expand, compliance frameworks tighten access control requirements, and distributions default to enforcing mode, the 55.6% MAC enforcement rate in 2025 is a floor. openSUSE’s switch, Kubernetes’ native AppArmor support improvements, and Azure’s SELinux-only direction all point the same way — MAC in enforcing mode is becoming the expected baseline, not something teams get around to later.
FAQs
What is the SELinux and AppArmor enforcement rate in enterprise Linux?
55.6% of enterprise Linux environments actively enforce SELinux or AppArmor in production as of 2025, according to aggregated industry data from Command Linux and Market Growth Reports.
Which Linux distributions use SELinux by default?
RHEL, Fedora, CentOS Stream, openSUSE Tumbleweed (as of February 2025), and openSUSE Leap 16 all ship with SELinux in enforcing mode by default.
Does Ubuntu use SELinux or AppArmor?
Ubuntu uses AppArmor by default. Over 86% of Ubuntu servers have AppArmor enabled. Ubuntu runs on 60%+ of public cloud Linux instances, making AppArmor the dominant MAC in cloud environments.
How much does SELinux reduce privilege escalation in containers?
A 2024 CNCF report found a 3x reduction in privilege escalation attempts with SELinux container enforcement. Red Hat reported a 60% reduction versus permissive-mode deployments.
Why did openSUSE switch from AppArmor to SELinux?
openSUSE Tumbleweed switched its default MAC to SELinux in February 2025, with Leap 16 following. The move aligns SUSE’s community distros with broader enterprise demand for SELinux type enforcement.