On 12/20/23 14:36, Lew Wolfgang wrote:
On 12/20/23 11:02, Joe Salmeri wrote:
On 12/20/23 04:40, Johannes Segitz wrote:
On Tue, Dec 19, 2023 at 07:09:43PM -0500, Tony Walker wrote:
I realize that Tumbleweed supports both Apparmor and SELinux. I have not installed Aeon or Kalpa, but it sounds like SELinux is the default. In terms of security contributions to Tumbleweed (and its downstreams), is there a general preference toward one or the other MACs?

SUSE will be moving to SELinux over time. I can't speak for the openSUSE project overall, but everything we consume from SUSE will use SELinux going forward, so I expect that openSUSE will head in a general direction.
Johannes
When that happens, will existing installs using Apparmor be migrated to SELinux?
If I can jump in here, I don't think it's practical to port Apparmor controls to SELinux. SELinux is much more complicated and comprehensive than Apparmor, if I'm not mistaken. I remember looking at this years ago and the consensus then was that while SELinux does a better job than Apparmor, it can do that only if it's properly configured and maintained. It was difficult enough that many admins didn't do it correctly, meaning that the simpler-to-run Apparmor gives better net security in practice.
That being said, SELinux is more accepted, if not required, by large organizations like the US Department of Defense, for Linux hosts.
Regards, Lew
When I installed TW (originally years ago) and then again on the new PC I built last month, it installed Apparmor both times by default. I have not done anything with the Apparmor config other than let TW update what it needs to when I do the zypper dup.

If a new TW install some day starts to install SELinux by default, it would be nice if older installs would be migrated to SELinux as part of the update process. At a minimum it would seem that at least some wiki article should be provided for how to do it, but it seems like if the end user hasn't changed anything from the default Apparmor setup that some migration process would be appropriate. I'm sure many would not know how to migrate...

--
Regards, Joe