Hi all, *see TL;DR down below* SELinux is being adopted more and more as the main Mandatory Access Control (MAC) system in openSUSE distributions and SUSE products. The SUSE SELinux working group would like to announce the plan to switch new Tumbleweed installations to SELinux as default MAC system *by the end of this year*. Currently, new Tumbleweed installations select AppArmor in the installer as default MAC system. After this change, new Tumbleweed installations will select SELinux in enforcing mode as default MAC system. Users will still be able to select AppArmor as MAC system in the installer. Existing installations will *not* be affected. If you would like to migrate your existing system from AppArmor to SELinux, we have a guide on what to consider and how to do that here [0]. *What does it mean for users?* Our SELinux policy contains many policy modules, which confine most well-known services. Switching to SELinux means more services are confined by default, which means enhanced security. On the other hand, more confinement also means that in the early phase of the adoption there could be more bugs caused by SELinux denying legitimate accesses. We perform both manual and automated tests via openQA, to ensure that our policy works seamlessly. We also rely on you, the community, to create bugreports so that we can adapt the policy to any scenarios that we did not foresee. We have a page on how to report bugs here: https://en.opensuse.org/openSUSE:Bugreport_SELinux To learn more about SELinux, we also have a Portal in the openSUSE wiki: https://en.opensuse.org/Portal:SELinux Please feel free to reply to this email in case you have any questions or concerns. We plan to do the change earliest in September 2024, and latest by the end of the year. Separate announcements will follow just before and after the change. TL;DR: - The Tumbleweed installer will select SELinux in enforcing mode as default on new installations - When: by the end of 2024, earliest in September, we will do separate announcements before and after - AppArmor can still be selected in the installer as an alternative - Existing installations will *not* change - Leap 15.x is not affected in any way Thank you very much :) Kind regards, Cathy [0] https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_tumbl... -- Cathy Hu <cahu@suse.de> SELinux Security Engineer GPG: 5873 CFD1 8C0E A6D4 9CBB F6C4 062A 1016 1505 A08A SUSE Software Solutions Germany GmbH Frankenstrasse 146 90461 Nürnberg Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)