AppArmor vs SELinux: Which to Choose? Linux Mastery Series
What does the choice between AppArmor and SELinux represent, and what factors should be considered when making this decision?
Choosing between AppArmor and SELinux is fundamentally a trade-off between simplicity and comprehensive security control. Making that choice well requires understanding distribution compatibility, administrative complexity, and the specific security requirements of your environment.
Quick AppArmor vs SELinux Comparison for Immediate Decision-Making:
```bash
# Check current MAC system status
# For SELinux systems (RHEL/CentOS/Fedora)
getenforce
sestatus
# For AppArmor systems (Ubuntu/Debian/SUSE)
sudo apparmor_status
aa-status
# System compatibility check
cat /etc/os-release | grep -E "(ID|VERSION)"
# Resource usage comparison
ps aux | grep -E "(selinux|apparmor)" | wc -l
systemctl status apparmor || systemctl status selinux
```
| Comparison Factor | AppArmor | SELinux |
|---|---|---|
| Complexity | Beginner-friendly | Expert-level |
| Default Distributions | Ubuntu, SUSE, Debian | RHEL, CentOS, Fedora |
| Profile Management | Path-based, intuitive | Label-based, comprehensive |
| Learning Curve | Moderate (days) | Steep (weeks/months) |
| Resource Overhead | Low | Moderate |
| Enterprise Support | Good | Excellent |
Table of Contents
- What Are the Key Differences Between AppArmor vs SELinux?
- How Does AppArmor vs SELinux Distribution Support Compare?
- What AppArmor vs SELinux Performance Impact Should You Expect?
- How Do AppArmor vs SELinux Configuration Approaches Differ?
- What AppArmor vs SELinux Security Models Work Best?
- How Does AppArmor vs SELinux Administrative Overhead Compare?
- What AppArmor vs SELinux Migration Strategies Exist?
- How Should You Choose Between AppArmor vs SELinux for Your Environment?
What Are the Key Differences Between AppArmor vs SELinux?
Architectural differences fundamentally impact security implementation and system administration approaches. Therefore, understanding these core distinctions enables informed decisions about mandatory access control system selection for specific environments.
Security Architecture Comparison
Path-based versus label-based security is the most significant distinction between the two implementations. This architectural choice affects policy creation, maintenance complexity, and security granularity.
```bash
# AppArmor path-based approach example
sudo cat /etc/apparmor.d/usr.bin.firefox
# Sample AppArmor profile structure:
# /usr/bin/firefox {
#   /home/**/Downloads/** rw,
#   /tmp/** rw,
#   deny /etc/shadow r,
# }

# SELinux label-based approach example
ls -Z /usr/bin/firefox
# Output: -rwxr-xr-x. root root system_u:object_r:mozilla_exec_t:s0 /usr/bin/firefox

# Compare security contexts
# AppArmor: focuses on file paths and capabilities
aa-status | grep firefox
# SELinux: focuses on security labels and contexts
ps -eZ | grep firefox
```
Policy Management Philosophy
Policy management reflects different security philosophy approaches, with AppArmor emphasizing simplicity and SELinux prioritizing comprehensive control. Furthermore, these philosophical differences impact learning curves and administrative requirements.
| AppArmor Characteristics | SELinux Characteristics |
|---|---|
| Path-based policies | Label-based policies |
| Human-readable profiles | Complex type enforcement |
| Application-centric | System-wide security contexts |
| Deny-by-default with allow rules | Policy modules with boolean toggles |
| Profile complain/enforce modes | Enforcing/permissive/disabled modes |
```bash
# AppArmor policy syntax example
cat > /tmp/example_apparmor_profile << 'EOF'
/usr/bin/example_app {
  # File access permissions
  /etc/example.conf r,
  /var/log/example.log w,
  /tmp/** rw,
  # Network capabilities
  capability net_bind_service,
  network inet stream,
  # Deny dangerous actions
  deny /etc/passwd r,
  deny capability sys_admin,
}
EOF

# SELinux policy structure example
# List type enforcement rules
sesearch -A -s httpd_t -t httpd_config_t
# Show boolean policies
getsebool -a | grep httpd | head -5
```
How Does AppArmor vs SELinux Distribution Support Compare?
Distribution compatibility significantly influences selection decisions, as different Linux distributions favor specific mandatory access control systems. Moreover, understanding default implementations helps align security choices with existing infrastructure.
Default Distribution Integration
Distribution preferences evolved based on community adoption, vendor support, and integration complexity considerations. Therefore, choosing systems aligned with distribution defaults reduces configuration overhead and ensures better support.
```bash
# Check current distribution and MAC system
hostnamectl | grep -E "(Operating|Kernel)"
cat /etc/os-release | grep -E "(NAME|VERSION_ID)"

# Detect active MAC system
if command -v getenforce &> /dev/null; then
    echo "SELinux detected: $(getenforce)"
    sestatus | head -5
elif command -v aa-status &> /dev/null; then
    echo "AppArmor detected"
    sudo apparmor_status | head -5
else
    echo "No MAC system detected"
fi

# Check available MAC packages
# Ubuntu/Debian systems
apt list --installed | grep -E "(selinux|apparmor)"
# RHEL/CentOS/Fedora systems
rpm -qa | grep -E "(selinux|apparmor)"
```
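The detection above keys on which administrative tools happen to be installed, which misreports a host where both toolsets are present or where the kernel was booted with a different LSM than the packages suggest. The following is an added example, not code from the original article: it asks the kernel which major LSM is active through /sys/kernel/security/lsm and only falls back to the tool check when securityfs is unavailable (common inside containers); the function names are my own.

```shell
#!/bin/sh
# Added example: identify the active MAC LSM from the kernel's own list.
# /sys/kernel/security/lsm holds the comma-separated list of LSMs the running
# kernel initialised, e.g. "lockdown,capability,landlock,yama,apparmor".

# Pure helper: map an LSM list string to selinux / apparmor / none.
# Kept separate from the sysfs read so it can be exercised with constructed input.
mac_from_lsm_list() {
    case ",$1," in
        *,selinux,*)  echo selinux ;;
        *,apparmor,*) echo apparmor ;;
        *)            echo none ;;
    esac
}

# Read the kernel's list; fall back to the tool-based heuristic only when
# securityfs is not mounted.
detect_mac() {
    if [ -r /sys/kernel/security/lsm ]; then
        mac_from_lsm_list "$(cat /sys/kernel/security/lsm)"
    elif command -v getenforce >/dev/null 2>&1; then
        echo selinux
    elif command -v aa-status >/dev/null 2>&1; then
        echo apparmor
    else
        echo none
    fi
}

# Report the enforcement state of the detected system, reading sysfs so that
# the check works without root.
mac_mode() {
    case "$(detect_mac)" in
        selinux)
            # /sys/fs/selinux/enforce is 1 when enforcing, 0 when permissive
            if [ -r /sys/fs/selinux/enforce ]; then
                [ "$(cat /sys/fs/selinux/enforce)" = 1 ] && echo enforcing || echo permissive
            else
                echo unknown
            fi ;;
        apparmor)
            # Y when the apparmor module is enabled, N otherwise
            if [ -r /sys/module/apparmor/parameters/enabled ]; then
                [ "$(cat /sys/module/apparmor/parameters/enabled)" = Y ] && echo enabled || echo disabled
            else
                echo unknown
            fi ;;
        *) echo none ;;
    esac
}

echo "MAC system: $(detect_mac) ($(mac_mode))"
```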
Distribution-Specific Features
Feature availability varies across distributions, affecting functionality and administrative capabilities. Additionally, distribution-specific customizations impact policy management and troubleshooting approaches.
| Distribution | Default MAC | Alternative Available | Support Quality |
|---|---|---|---|
| Ubuntu LTS | AppArmor | SELinux (manual) | Excellent |
| Debian | AppArmor | SELinux (packages) | Good |
| SUSE/openSUSE | AppArmor | SELinux (limited) | Excellent |
| RHEL/CentOS | SELinux | AppArmor (unsupported) | Excellent |
| Fedora | SELinux | AppArmor (community) | Good |
| Arch Linux | None | Both available | Community |
```bash
# Ubuntu AppArmor management
sudo apt install apparmor-utils apparmor-profiles
sudo systemctl status apparmor

# Enable SELinux on Ubuntu (not recommended for production)
sudo apt install selinux-utils selinux-basics
sudo selinux-activate

# RHEL/CentOS SELinux management
sudo yum install policycoreutils-python-utils
sudo systemctl status selinux-autorelabel

# Install AppArmor on RHEL (experimental)
# Note: Not officially supported
sudo yum install --enablerepo=epel apparmor
```
What AppArmor vs SELinux Performance Impact Should You Expect?
The performance characteristics of the two implementations affect system resource utilization and application responsiveness. Understanding these implications helps determine which MAC system is appropriate for resource-constrained environments.
Resource Utilization Analysis
Resource consumption differs significantly based on policy complexity and security granularity requirements. Therefore, performance testing in specific environments provides accurate resource impact assessments.
```bash
# Monitor MAC system resource usage
# Check memory consumption
ps aux --sort=-%mem | grep -E "(selinux|apparmor|kernel)" | head -10

# Monitor CPU overhead during policy loading
time sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
time sudo semodule -i custom_policy.pp

# System call overhead measurement
strace -c -f -S time firefox 2>&1 | grep -E "(time|calls)"

# Benchmark file access performance
echo "Testing file access speed with MAC enabled"
time for i in {1..1000}; do cat /etc/passwd > /dev/null; done

# Network performance impact
iperf3 -c localhost -t 10  # Test local network performance
```
Performance Optimization Strategies
Optimizing configurations minimizes performance overhead while maintaining security effectiveness. Additionally, proper tuning ensures MAC systems enhance security without significantly impacting user experience.
```bash
# AppArmor performance optimization
# Use complain mode for performance testing
sudo aa-complain /usr/bin/heavy_application
# Profile tuning for better performance
sudo aa-logprof  # Optimize profiles based on usage patterns
# Disable unnecessary profiles
sudo aa-disable /etc/apparmor.d/usr.bin.rarely_used_app

# SELinux performance optimization
# Use permissive mode for performance comparison
sudo setenforce 0  # Temporary permissive mode
# Optimize boolean settings (the boolean name contains "execmem" without an underscore)
getsebool -a | grep execmem
sudo setsebool -P allow_execmem on  # If required by applications
# Policy compilation optimization
sudo semodule -B  # Rebuild policy base for better performance
```
How Do AppArmor vs SELinux Configuration Approaches Differ?
Configuration methodology is a crucial distinction between the two implementations, affecting administrative workflows and security policy development. Understanding the configuration approaches guides training requirements and operational procedures.
Profile Creation and Management
Profile creation processes reflect different security modeling approaches, with AppArmor using human-readable text files and SELinux employing complex policy languages. Therefore, configuration complexity directly impacts administrative efficiency and error rates.
```bash
# AppArmor profile creation workflow
# Generate initial profile
sudo aa-genprof /usr/bin/myapplication
# Enter learning mode
sudo aa-complain /usr/bin/myapplication
# Run application to generate access patterns
/usr/bin/myapplication --test-mode
# Review and approve profile
sudo aa-logprof
# Enforce finalized profile
sudo aa-enforce /usr/bin/myapplication
# Verify profile status
sudo aa-status | grep myapplication
```
SELinux Policy Development Process
SELinux policy creation requires understanding type enforcement, role-based access control, and multi-level security concepts. Additionally, SELinux configuration involves complex policy modules and boolean management systems.
```bash
# SELinux policy development workflow
# Generate policy from AVC denials
sudo ausearch -m avc --start today --raw | audit2allow -M myapp_policy
# Review generated policy
cat myapp_policy.te
# Install policy module
sudo semodule -i myapp_policy.pp
# Verify policy installation
sudo semodule -l | grep myapp

# Manage SELinux booleans
getsebool -a | grep myapp
sudo setsebool -P myapp_enable_feature on

# Create custom file contexts
sudo semanage fcontext -a -t myapp_config_t "/opt/myapp/config(/.*)?"
sudo restorecon -R /opt/myapp/config
```
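Before piping denials into audit2allow it pays to see exactly what you are about to allow, since the generated module will permit every denied tuple in the log. This added example (not from the original article) parses raw AVC records into (source type, target type, class, permission) tuples and maps the common httpd cases to the boolean or relabel that fixes them properly instead of a blanket allow rule; the records are constructed and the function names are assumptions.

```shell
#!/bin/sh
# Added example: summarise AVC denials before generating policy with audit2allow.
# Input is raw audit records in the form produced by `ausearch -m avc --raw`.

# Constructed sample records (not captured from a real system).
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="about.html" dev="sda1" ino=43 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Print one line per distinct denial: "<count> <source_t> <target_t> <class> <perm>".
# The type is the third colon-separated field of a security context.
summarize_avc() {
    awk '
    /^type=AVC/ && /denied/ {
        perm = ""; s = ""; t = ""; c = ""
        # permissions sit between braces: "{ read write }"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }
            if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
            if (kv[1] == "tclass")   c = kv[2]
        }
        n = split(perm, perms, " ")
        for (j = 1; j <= n; j++) count[s " " t " " c " " perms[j]]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# Map a tuple to the proper fix where one exists: httpd_t reading user_home_t
# is the classic relabel-or-boolean case, and name_connect to a port type maps
# to httpd_can_network_connect (both appear elsewhere on this page).
suggest_fix() {
    # $1=source $2=target $3=class $4=perm
    case "$1/$2/$3/$4" in
        httpd_t/user_home_t/file/*)
            echo "relabel content to httpd_sys_content_t or enable httpd_enable_homedirs" ;;
        httpd_t/*_port_t/tcp_socket/name_connect)
            echo "setsebool -P httpd_can_network_connect on" ;;
        *)
            echo "review; use audit2allow only if no boolean or fcontext fits" ;;
    esac
}

# Summarise the sample and annotate each tuple with the suggested fix.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc | while read -r count s t c p; do
    echo "$count x $s -> $t ($c:$p): $(suggest_fix "$s" "$t" "$c" "$p")"
done
```

On a live system replace the sample with `sudo ausearch -m avc --start today --raw | summarize_avc`.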
Configuration File Management
Configuration storage and management systems differ significantly, affecting backup procedures, version control, and change management processes. Furthermore, understanding file structures enables effective configuration automation.
```bash
# AppArmor configuration structure
ls -la /etc/apparmor.d/
# Profile files: /etc/apparmor.d/usr.bin.firefox
# Tunables: /etc/apparmor.d/tunables/
# Abstractions: /etc/apparmor.d/abstractions/
# Backup AppArmor configuration
sudo tar -czf apparmor_backup_$(date +%Y%m%d).tar.gz /etc/apparmor.d/

# SELinux configuration structure
ls -la /etc/selinux/
# Main config: /etc/selinux/config
# Policy files: /etc/selinux/targeted/
# Contexts: /etc/selinux/targeted/contexts/
# Backup SELinux configuration
sudo tar -czf selinux_backup_$(date +%Y%m%d).tar.gz /etc/selinux/
```
What AppArmor vs SELinux Security Models Work Best?
How effective either security model is depends on the threat landscape, compliance requirements, and organizational security policies. Matching the security model to the specific use case ensures adequate protection while maintaining operational efficiency.
Application Confinement Strategies
Confinement approaches provide different levels of application isolation and system protection. Additionally, understanding confinement mechanisms helps design appropriate security boundaries for various application types.
```bash
# AppArmor application confinement example
# Web server profile with restricted access
sudo tee /etc/apparmor.d/usr.sbin.nginx << 'EOF'
/usr/sbin/nginx {
  # Required capabilities
  capability setuid,
  capability setgid,
  capability net_bind_service,
  # File system access
  /var/www/html/** r,
  /var/log/nginx/** w,
  /etc/nginx/** r,
  /run/nginx.pid rw,
  # Network access
  network inet stream,
  network inet6 stream,
  # Deny dangerous operations
  deny /etc/passwd r,
  deny /etc/shadow r,
  deny capability sys_admin,
  deny capability dac_override,
}
EOF
# Load and enforce profile
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx
sudo aa-enforce /usr/sbin/nginx
```
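As an added example (not part of the original article), the following review pass flags the rules in a profile like the one above that widen the sandbox the most: write access granted on a `**` glob, and sensitive capabilities granted rather than denied. It complements `apparmor_parser -p`, which only checks syntax. The profile text is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example: review an AppArmor profile for over-broad rules before aa-enforce.

# Constructed profile for the example (not a real shipped profile).
PROFILE_TEXT='/usr/sbin/example_web {
  capability setuid,
  capability net_bind_service,
  capability dac_override,
  /var/www/html/** r,
  /var/log/example/** w,
  /tmp/** rw,
  /run/example.pid rw,
  deny /etc/shadow r,
  deny capability sys_admin,
}'

# Print one finding per line ("<kind> <rule>") and exit 1 when anything is flagged.
# Rule grammar handled: optional "deny", then either "capability <name>," or
# "<path> <perms>," where perms is a string of AppArmor access letters.
lint_profile() {
    awk '
    # strip comments, leading whitespace and the trailing comma
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/,[ \t]*$/, "") }
    $0 == "" || /[{]$/ || $0 == "}" { next }
    {
        deny = ($1 == "deny")
        if (deny) { $1 = ""; sub(/^[ \t]+/, "") }
        if ($1 == "capability") {
            # granting these effectively escapes the confinement
            if (!deny && ($2 == "sys_admin" || $2 == "dac_override" || $2 == "sys_ptrace")) {
                print "BROAD-CAPABILITY " $0; bad = 1
            }
            next
        }
        # file rule: path then permission letters; w (write) or a (append) on a ** glob
        if (!deny && $1 ~ /\*\*/ && $2 ~ /[wa]/) { print "GLOB-WRITE " $0; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Number of findings for the constructed profile (used by the checks below).
count_findings() {
    printf '%s\n' "$PROFILE_TEXT" | lint_profile | wc -l | tr -d ' '
}

printf '%s\n' "$PROFILE_TEXT" | lint_profile || echo "profile needs review before aa-enforce"
```

Run it on a real profile with `lint_profile < /etc/apparmor.d/usr.sbin.nginx`; a deny rule for the same capability or path is never flagged.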
SELinux Type Enforcement Security
SELinux type enforcement provides comprehensive system-wide security through detailed labeling and access control matrices. Moreover, SELinux security models support complex enterprise environments with granular permission requirements.
```bash
# SELinux web server security configuration
# Check httpd security contexts
ps -eZ | grep httpd
ls -Z /var/www/html/

# Configure custom web directory
sudo semanage fcontext -a -t httpd_sys_content_t "/custom/web(/.*)?"
sudo restorecon -R /custom/web

# Enable specific httpd capabilities
sudo setsebool -P httpd_can_network_connect on
sudo setsebool -P httpd_use_nfs on

# Create custom SELinux user
sudo semanage user -a -R "webadmin_r system_r" webadmin_u
sudo semanage login -a -s webadmin_u webmaster

# Verify type enforcement rules
sesearch -A -s httpd_t -t httpd_sys_content_t
```
How Does AppArmor vs SELinux Administrative Overhead Compare?
Administrative complexity significantly impacts operational costs and staff training requirements. Furthermore, understanding maintenance overhead helps organizations allocate appropriate resources for MAC system management and support.
Daily Administrative Tasks
Routine maintenance tasks differ substantially in complexity and time requirements. Therefore, comparing administrative workflows enables accurate resource planning and skill development strategies.
```bash
# AppArmor daily management tasks
# Check system status (simple)
sudo aa-status
# Update profiles after application changes
sudo aa-logprof  # Interactive profile tuning
# Handle profile violations
sudo aa-complain problematic_app
# Run application and collect data
sudo aa-logprof
sudo aa-enforce problematic_app
# Profile backup and restore
sudo cp /etc/apparmor.d/modified.profile /backup/
sudo systemctl restart apparmor

# SELinux daily management tasks
# Check system status (detailed)
sestatus
sudo aureport -a
# Handle AVC denials
sudo ausearch -m avc --start today
sudo ausearch -m avc --start today --raw | audit2allow -M temp_policy
sudo semodule -i temp_policy.pp
# Boolean management
getsebool -a | grep service_name
sudo setsebool -P boolean_name on
```
Troubleshooting Complexity
Troubleshooting the two systems requires different skill levels and diagnostic approaches. The complexity of problem resolution affects incident response times and system reliability.
```bash
# AppArmor troubleshooting workflow
# Simple profile issues
sudo dmesg | grep -i apparmor
sudo journalctl -u apparmor
# Profile syntax checking
sudo apparmor_parser -p /etc/apparmor.d/profile_name
# Generate profile from scratch if needed
sudo aa-genprof /problematic/application

# SELinux troubleshooting workflow
# Complex denial analysis
sudo sealert -a /var/log/audit/audit.log
sudo ausearch -m avc --start today | audit2why
# Context restoration
sudo restorecon -R -v /affected/directory
sudo fixfiles onboot  # Schedule full relabeling
# Policy debugging
sudo semodule -DB  # Disable dontaudit rules
sudo setenforce 0  # Temporary permissive mode
```
What AppArmor vs SELinux Migration Strategies Exist?
Planning a migration between the two systems requires careful consideration of compatibility, downtime, and configuration transfer. A successful migration strategy minimizes security gaps while keeping the system protected throughout.
Migration Assessment Framework
AppArmor vs SELinux migration feasibility depends on application compatibility, existing security policies, and organizational requirements. Therefore, comprehensive assessment prevents migration failures and ensures security continuity.
```bash
#!/bin/bash
# Pre-migration assessment script
echo "=== MAC System Migration Assessment ==="

# Check current MAC system
if getenforce &>/dev/null; then
    echo "Current: SELinux ($(getenforce))"
    CURRENT_MAC="selinux"
elif aa-status &>/dev/null; then
    echo "Current: AppArmor"
    CURRENT_MAC="apparmor"
else
    echo "Current: No MAC system"
    CURRENT_MAC="none"
fi

# Assess application compatibility
echo "=== Application Analysis ==="
systemctl list-units --type=service --state=active | grep -v "@"

# Check custom configurations
if [[ $CURRENT_MAC == "selinux" ]]; then
    echo "Custom SELinux policies:"
    semodule -l | grep -v "^selinux"
    echo "Modified booleans:"
    semanage boolean -l -C
elif [[ $CURRENT_MAC == "apparmor" ]]; then
    echo "Custom AppArmor profiles:"
    ls /etc/apparmor.d/ | grep -v abstractions
fi

# Resource usage baseline
echo "=== Resource Usage ==="
ps aux --sort=-%mem | head -10
```
Step-by-Step Migration Process
Structured migration requires phased implementation with rollback capabilities and comprehensive testing. Additionally, proper migration procedures ensure minimal service disruption and maintained security posture.
```bash
# Migration from AppArmor to SELinux
# Phase 1: Preparation
sudo apt install selinux-utils selinux-basics
# Phase 2: Backup current configuration
sudo tar -czf apparmor_backup_$(date +%Y%m%d).tar.gz /etc/apparmor.d/
sudo aa-status > apparmor_status_backup.txt
# Phase 3: Document current profiles
for profile in /etc/apparmor.d/*; do
    echo "=== $profile ===" >> migration_notes.txt
    sudo aa-status | grep "$(basename "$profile")" >> migration_notes.txt
done
# Phase 4: Gradual transition
sudo selinux-activate
# Reboot required - plan maintenance window

# Migration from SELinux to AppArmor
# Phase 1: Assessment
sestatus > selinux_status_backup.txt
semodule -l > selinux_policies_backup.txt
getsebool -a > selinux_booleans_backup.txt
# Phase 2: Install AppArmor
sudo apt install apparmor apparmor-utils
# Phase 3: Create equivalent profiles
# Manual process - no automated conversion available
```
How Should You Choose Between AppArmor vs SELinux for Your Environment?
Selection criteria should align with organizational capabilities, security requirements, and operational constraints. A systematic evaluation ensures the chosen MAC system supports long-term security objectives while maintaining operational efficiency.
Decision Matrix Framework
Structured evaluation of the options using weighted criteria provides objective selection guidance. A systematic assessment reduces subjective bias and ensures all relevant factors are considered.
| Evaluation Criteria | Weight | AppArmor Score | SELinux Score | Weighted Score |
|---|---|---|---|---|
| Ease of Implementation | 20% | 9/10 | 4/10 | 1.8 vs 0.8 |
| Security Granularity | 25% | 6/10 | 10/10 | 1.5 vs 2.5 |
| Distribution Support | 15% | 8/10 | 9/10 | 1.2 vs 1.35 |
| Administrative Overhead | 20% | 8/10 | 4/10 | 1.6 vs 0.8 |
| Enterprise Features | 10% | 6/10 | 9/10 | 0.6 vs 0.9 |
| Community Support | 10% | 7/10 | 8/10 | 0.7 vs 0.8 |
```bash
#!/bin/bash
# Environment assessment script
echo "=== AppArmor vs SELinux Decision Assessment ==="

# Check distribution compatibility
DISTRO=$(lsb_release -si 2>/dev/null || echo "Unknown")
echo "Distribution: $DISTRO"
case $DISTRO in
    "Ubuntu"|"Debian")
        echo "Recommendation: AppArmor (native support)"
        DISTRO_SCORE="apparmor+2"
        ;;
    "RedHat"|"CentOS"|"Fedora")
        echo "Recommendation: SELinux (native support)"
        DISTRO_SCORE="selinux+2"
        ;;
    *)
        echo "Both options available"
        DISTRO_SCORE="neutral"
        ;;
esac

# Assess team expertise
echo -e "\nExpertise Assessment:"
echo "Rate your team's Linux security expertise (1-10): "
# Interactive assessment would go here

# Check compliance requirements
echo -e "\nCompliance Requirements:"
echo "- Common Criteria certification needed: SELinux advantage"
echo "- Simple compliance reporting: AppArmor advantage"
echo "- FIPS 140-2 compliance: SELinux required"
```
Implementation Recommendations
The following recommendations target common organizational scenarios and requirements, and the accompanying implementation guidance gives practical next steps for a successful MAC system deployment.
```bash
# Scenario-based implementation guide
# Scenario 1: Small Business/Startup
cat << 'EOF' > small_business_guide.md
## AppArmor for Small Business
**Recommended**: AppArmor
- Lower learning curve
- Simpler maintenance
- Ubuntu/Debian ecosystem fit
- Cost-effective administration

Implementation:
1. sudo apt install apparmor-utils
2. sudo aa-enforce /etc/apparmor.d/*
3. Monitor logs and adjust profiles
EOF

# Scenario 2: Enterprise/Government
cat << 'EOF' > enterprise_guide.md
## SELinux for Enterprise
**Recommended**: SELinux
- Comprehensive security controls
- Audit trail capabilities
- Compliance certification
- RHEL ecosystem integration

Implementation:
1. Plan 3-6 month deployment
2. Staff training program
3. Pilot environment testing
4. Gradual production rollout
EOF

# Scenario 3: Mixed Environment
cat << 'EOF' > mixed_environment_guide.md
## Mixed MAC Environment
**Strategy**: Distribution-aligned approach
- RHEL/CentOS: SELinux
- Ubuntu/Debian: AppArmor
- Standardized monitoring tools
- Unified policy management

Implementation:
1. Inventory system distributions
2. Implement native MAC systems
3. Centralized log collection
4. Cross-training for administrators
EOF
```
FAQ: Frequently Asked Questions
Q: Can I run both simultaneously on the same system?
A: No. The two are mutually exclusive because both hook the same Linux Security Module (LSM) framework. You can switch between them by reconfiguring the system and rebooting, but this requires careful planning and testing.

Q: Which is better for beginners: AppArmor or SELinux?
A: AppArmor, because of its intuitive path-based configuration and human-readable profiles. Its learning tools (aa-genprof, aa-logprof) and simpler troubleshooting also make it more accessible to administrators new to mandatory access control.

Q: How does performance compare between AppArmor and SELinux?
A: AppArmor generally has lower overhead because its path-based checks are simpler than SELinux's label-based operations. In well-tuned production environments with properly configured policies, the difference is typically minimal.

Q: Can I migrate policies directly?
A: No. The architectures differ too fundamentally for direct conversion. Migration means recreating policies by hand from the application's requirements and the security objectives, which is a significant undertaking that needs careful planning.

Q: Which provides better enterprise support?
A: It varies by vendor: Red Hat provides extensive SELinux support, while Canonical and SUSE support AppArmor. SELinux generally offers more comprehensive audit capabilities and the compliance certifications required in enterprise environments.
Troubleshooting Section: Common AppArmor vs SELinux Issues
Profile/Policy Conflicts After Migration
```bash
# Problem: Applications fail after MAC system change
# AppArmor Solution:
sudo aa-complain /usr/bin/problematic-app
# Run application to generate profile
sudo aa-logprof
sudo aa-enforce /usr/bin/problematic-app

# SELinux Solution:
sudo ausearch -m avc --start today --raw | audit2allow -M temp_fix
sudo semodule -i temp_fix.pp
```
Distribution Compatibility Issues
```bash
# Problem: MAC system not available on distribution
# Check available packages:
apt search apparmor selinux  # Debian/Ubuntu
yum search apparmor selinux  # RHEL/CentOS
# Alternative: Use distribution-native MAC system
# Don't force incompatible MAC systems
```
Performance Degradation After Implementation
```bash
# Problem: System slowdown after MAC activation
# AppArmor diagnosis:
sudo aa-status
sudo aa-unconfined  # Find unconfined processes

# SELinux diagnosis:
sudo getenforce
sudo selinux-policy-info  # Check policy efficiency
```
Policy Development Challenges
```bash
# Problem: Complex application requirements
# AppArmor approach: Incremental development
sudo aa-genprof /usr/bin/complex-app
sudo aa-complain /usr/bin/complex-app
# Test all application features
sudo aa-logprof

# SELinux approach: Comprehensive analysis
sudo audit2allow -w -a < /var/log/audit/audit.log
# Review suggested policies carefully
```
Administrative Training Gaps
```bash
# Problem: Team lacks MAC system expertise
# Assessment:
echo "Current MAC system: $(getenforce 2>/dev/null || aa-status 2>/dev/null)"
# Provide targeted training based on implemented system
# Consider gradual implementation with expert consultation
```
Additional Resources
Official MAC Documentation
- Ubuntu AppArmor Documentation – Comprehensive guidance for Ubuntu environments with practical implementation examples
- Red Hat SELinux User Guide – Enterprise-focused comparison with detailed SELinux implementation strategies
- SUSE AppArmor Administration Guide – Advanced configuration techniques and troubleshooting procedures
MAC System Tools and Utilities
- AppArmor Utilities Documentation – Complete toolset comparison and usage examples
- SELinux Policy Management – Open-source development resources and policy creation tools
- Linux Security Module Framework – Technical foundation implementations
Community Resources and Support
- AppArmor Mailing Lists – Community discussions about implementations and best practices
- SELinux User Community – Enterprise-focused discussions and troubleshooting support
- Linux Security Community Forums – General comparison discussions and implementation guidance
Next Steps: Evaluate your specific requirements using the decision framework, implement the chosen MAC system in a test environment, and develop organizational policies for ongoing management. Furthermore, establish monitoring procedures and staff training programs to ensure successful long-term implementation.
Related Topics: Linux Security Hardening, SELinux Troubleshooting, Linux Server Security