https://bugzilla.suse.com/show_bug.cgi?id=1230118 Bug ID: 1230118 Summary: [SELinux] Select SELinux as default MAC in enforcing mode in the tumbleweed installer Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: cathy.hu@suse.com Reporter: cathy.hu@suse.com QA Contact: security-team@suse.de Target Milestone: --- Found By: --- Blocker: --- just pasting the email to factory as reference: RFC: SELinux as default MAC system on new Tumbleweed installations SELinux is being adopted more and more as the main Mandatory Access Control (MAC) system in openSUSE distributions and SUSE products. The SUSE SELinux working group would like to announce the plan to switch new Tumbleweed installations to SELinux as default MAC system *by the end of this year*. Currently, new Tumbleweed installations select AppArmor in the installer as default MAC system. After this change, new Tumbleweed installations will select SELinux in enforcing mode as default MAC system. Users will still be able to select AppArmor as MAC system in the installer. Existing installations will *not* be affected. If you would like to migrate your existing system from AppArmor to SELinux, we have a guide on what to consider and how to do that here [0]. *What does it mean for users?* Our SELinux policy contains many policy modules, which confine most well-known services. Switching to SELinux means more services are confined by default, which means enhanced security. On the other hand, more confinement also means that in the early phase of the adoption there could be more bugs caused by SELinux denying legitimate accesses. We perform both manual and automated tests via openQA, to ensure that our policy works seamlessly. We also rely on you, the community, to create bugreports so that we can adapt the policy to any scenarios that we did not foresee. We have a page on how to report bugs here: https://en.opensuse.org/openSUSE:Bugreport_SELinux To learn more about SELinux, we also have a Portal in the openSUSE wiki: https://en.opensuse.org/Portal:SELinux Please feel free to reply to this email in case you have any questions or concerns. We plan to do the change earliest in September 2024, and latest by the end of the year. Separate announcements will follow just before and after the change. TL;DR: - The Tumbleweed installer will select SELinux in enforcing mode as default on new installations - When: by the end of 2024, earliest in September, we will do separate announcements before and after - AppArmor can still be selected in the installer as an alternative - Existing installations will *not* change - Leap 15.x is not affected in any way [0] https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_tumbl... -- You are receiving this mail because: You are on the CC list for the bug.