I will have to ask the kernel team what they think about that and if we can consider that, adding Jiri to the thread as the tumbleweed kernel maintainer and the kernel mailing list for SLFO. For SLFO/ALP, this is not set yet as far as I can see (I might be wrong, I'm not a kernel dev) https://github.com/openSUSE/kernel-source/blob/ALP-current/config/x86_64/def... @kernel peoples, what do you think? Thanks :) On Fri, 2024-07-19 at 11:24 -0400, Neal Gompa wrote:
On Fri, Jul 19, 2024 at 10:28 AM Cathy Hu <cahu@suse.de> wrote:
I'm excited about this change, personally. :)
yay :)
Does this mean the kernel config will change so that CONFIG_DEFAULT_SECURITY_SELINUX=y will be set instead of CONFIG_DEFAULT_SECURITY_APPARMOR=y? That is, I don't need to set "selinux=1" in the kernel commandline anymore for new setups? I would really like that to be included in this change...
So far our plan is that we will *not* change the kernel config. We will only change the default MAC setting in the installer to SELinux. The installer will then take care of setting the kernel command line in your bootloader for you, so no need to manually set selinux=1 then.
Hope that helps, let me know if it doesn't :)
Is this at least happening for the SFO/ALP kernels? Eventually I'd like to see this in Tumbleweed too.
Regardless, a bunch of us are using configurations of openSUSE not made by an installer, so having these defaults handled in the kconfig ensures the right things happen out of the box for first party, second party, and third party folks.
-- Cathy Hu <cahu@suse.de> SELinux Security Engineer GPG: 5873 CFD1 8C0E A6D4 9CBB F6C4 062A 1016 1505 A08A SUSE Software Solutions Germany GmbH Frankenstrasse 146 90461 Nürnberg Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)