On Fri, Jul 19, 2024 at 2:45 AM Cathy Hu <cahu@suse.de> wrote:
Hi all,
*see TL;DR down below*
SELinux is being adopted more and more as the main Mandatory Access Control (MAC) system in openSUSE distributions and SUSE products. The SUSE SELinux working group would like to announce the plan to switch new Tumbleweed installations to SELinux as default MAC system *by the end of this year*.
Currently, new Tumbleweed installations select AppArmor in the installer as default MAC system. After this change, new Tumbleweed installations will select SELinux in enforcing mode as default MAC system. Users will still be able to select AppArmor as MAC system in the installer.
Existing installations will *not* be affected. If you would like to migrate your existing system from AppArmor to SELinux, we have a guide on what to consider and how to do that here [0].
*What does it mean for users?* Our SELinux policy contains many policy modules, which confine most well-known services. Switching to SELinux means more services are confined by default, which means enhanced security. On the other hand, more confinement also means that in the early phase of the adoption there could be more bugs caused by SELinux denying legitimate accesses.
We perform both manual and automated tests via openQA, to ensure that our policy works seamlessly. We also rely on you, the community, to create bug reports so that we can adapt the policy to any scenarios that we did not foresee. We have a page on how to report bugs here: https://en.opensuse.org/openSUSE:Bugreport_SELinux
To learn more about SELinux, we also have a Portal in the openSUSE wiki: https://en.opensuse.org/Portal:SELinux
Please feel free to reply to this email in case you have any questions or concerns. We plan to do the change earliest in September 2024, and latest by the end of the year. Separate announcements will follow just before and after the change.
TL;DR:
- The Tumbleweed installer will select SELinux in enforcing mode as default on new installations
- When: by the end of 2024, earliest in September, we will do separate announcements before and after
- AppArmor can still be selected in the installer as an alternative
- Existing installations will *not* change
- Leap 15.x is not affected in any way
Thank you very much :)
Kind regards,
Cathy
[0] https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_tumbl...
I'm excited about this change, personally. :)
Does this mean the kernel config will change so that CONFIG_DEFAULT_SECURITY_SELINUX=y will be set instead of CONFIG_DEFAULT_SECURITY_APPARMOR=y? That is, I don't need to set "selinux=1" in the kernel commandline anymore for new setups?
I would really like that to be included in this change...
--
真実はいつも一つ!/ Always, there's only one truth!