On 22. 07. 24, 9:15, Cathy Hu wrote:
I will have to ask the kernel team what they think about that and if we can consider that, adding Jiri to the thread as the tumbleweed kernel maintainer and the kernel mailing list for SLFO.
For SLFO/ALP, this is not set yet as far as I can see (I might be wrong, I'm not a kernel dev) https://github.com/openSUSE/kernel-source/blob/ALP-current/config/x86_64/def...
@kernel peoples, what do you think?
Thanks :)
On Fri, 2024-07-19 at 11:24 -0400, Neal Gompa wrote:
On Fri, Jul 19, 2024 at 10:28 AM Cathy Hu <cahu@suse.de> wrote:
I'm excited about this change, personally. :)
yay :)
Does this mean the kernel config will change so that CONFIG_DEFAULT_SECURITY_SELINUX=y will be set instead of CONFIG_DEFAULT_SECURITY_APPARMOR=y? That is, I don't need to set "selinux=1" in the kernel commandline anymore for new setups? I would really like that to be included in this change...
So far our plan is that we will *not* change the kernel config. We will only change the default MAC setting in the installer to SELinux. The installer will then take care of setting the kernel command line in your bootloader for you, so no need to manually set selinux=1 then.
Hope that helps, let me know if it doesn't :)
Is this at least happening for the SFO/ALP kernels? Eventually I'd like to see this in Tumbleweed too.
Regardless, a bunch of us are using configurations of openSUSE not made by an installer, so having these defaults handled in the kconfig ensures the right things happen out of the box for first party, second party, and third party folks.
To be honest, I don't test our default config, as I set security=selinux selinux=1 on all my test systems. So I'm definitely NOT against switching the default to selinux... In my opinion, we should at least try and see what breaks (in openQA, on users' side). We will have to do it once in the future anyway. Who does deliberately use apparmor these days anyway? thanks, -- js suse labs