On Wed, Dec 20, 2023, 2:37 PM Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
On 12/20/23 11:02, Joe Salmeri wrote:
On 12/20/23 04:40, Johannes Segitz wrote:
On Tue, Dec 19, 2023 at 07:09:43PM -0500, Tony Walker wrote:
I realize that Tumbleweed supports both AppArmor and SELinux. I have not installed Aeon or Kalpa, but it sounds like SELinux is the default. In terms of security contributions to Tumbleweed (and its downstreams), is there a general preference toward one or the other MACs?
SUSE will be moving to SELinux over time. I can't speak for the openSUSE project overall, but everything we consume from SUSE will use SELinux going forward, so I expect that openSUSE will head in a general direction.
Johannes
When that happens, will existing installs using AppArmor be migrated to SELinux?
If I can jump in here, I don't think it's practical to port AppArmor controls to SELinux. SELinux is much more complicated and comprehensive than AppArmor, if I'm not mistaken. I remember looking at this years ago and the consensus then was that while SELinux does a better job than AppArmor, it can do that only if it's properly configured and maintained. It was difficult enough that many admins didn't do it correctly, meaning that the simpler-to-run AppArmor gives better net security in practice.
That being said, SELinux is more accepted, if not required, by large organizations like the US Department of Defense, for Linux hosts.
Regards, Lew
My experience is similar and why I have used AppArmor over the years. I am happy to learn more about SELinux. I just don't want to do both. What prompted my question is a talk or post by Mr. Brown where he said he needed help building SELinux support into Aeon.