One question and some unfollowable advice.

Question: Why not use AppArmor? My understanding is that’s what Debian uses by default instead of Selinux which is more native to Enterprise Linux (Fedora, RHEL, Rocky, Alma etc).

Unfollowable advice: As an EL admin where it’s the default and very closely integrated, we have a saying; “It’s not always dns, mostly it’s Selinux”. For most distro-sourced software, it’s fine. But if you install software from other sources, you’re going to hit problems.

Others have given good reasons to your specific questions, but one tip if you go down this route. We use a redhat tool, “setroubleshoot-server” which helps hugely in both identifying when something isn’t working because SELinux has blocked it, but also gives you the commands to add an explicit rule to allow it, so you can view the log, understand why it’s blocking, and allow it without needing to get too involved with the complicated file contexts.

Sadly, it looks like this tool isn’t available in Debian, which would seem to make like a lot harder using selinux. Familiar as I am with selinux, I don’t run it on my personal servers or this laptop, which are Debian.