Linux – Are there other LSM (Linux Security Modules) in addition to SELinux and AppArmor

AppArmour is usually thought to be simpler than SELinux. SELinux is quite complex and may be used even in military applications while AppArmour tends to be simpler. SELinux operates on i-node level (i.e. restrictions are applied in the same way as ACL or UNIX permissions - on the other hand ) while AppArmour apply at path level (i.e. you specify the access based on path so when path changes it may not apply). AppArmour can also protect subproccesses (like mod_php only) but I am somehow skeptical about the real use of it. AppArmour seems to find its way into mainline kernel (it is in -mm IIRC).

I don't know much about SMACK but it looks like simplified SELinux from description. There is also RSBAC if you would like to look at it.

chroot has a limited scope of use and I don't think it would be much of use in a desktop environment (it can be used to separate daemons from access of whole system - like DNS daemon).

For sure, it is worth to apply 'generic' hardening such as PaX, -fstack-protector etc. Chroot you can use when your distro supports so does AppArmour/SELinux. I guess SELinux is better suited for high security areas (it has much better control over system) and AppArmour is better for simple hardening.

In general, I wouldn't bother to harden generic desktop very much, except switching off unused services, update regularly, etc. unless you work in highly-secured area. If you want to secure anyway, I would use what your distro is supporting. Many of them to be effective needs the application support (for e.x. compiling tools to support attributes, written rules) so I would advise to use what your distro is supporting.

Yes you can check /sys/kernel/security what's available.

See also dmesg or /proc/cmdline for boot settings.

If your config.gz available then

zgrep CONFIG_SECURITY /proc/config.gz

else

grep CONFIG_SECURITY /boot/config-`uname -r`