Announcement: SELinux as default MAC system on new Tumbleweed installations

Hi all,

We would like to announce that with the next openSUSE Tumbleweed snapshot 20250211 the default mandatory access control (MAC) system selected by the installer will be switched from AppArmor to SELinux in enforcing mode. Additionally, the openSUSE Tumbleweed minimalVM will be shipped with SELinux in enforcing mode.

Users installing openSUSE Tumbleweed via the ISO image will see SELinux in enforcing mode as the default option in the installer. If the user prefers to use AppArmor instead of SELinux, they are able to change the selection to AppArmor manually in the installer. AppArmor continues to be excellently maintained by Christian Boltz (@cboltz) exactly as before.

Existing installations using AppArmor will *not* be migrated. In case the user wishes to migrate manually to SELinux, a guide [0] is provided on the openSUSE wiki. Leap 15.x is not affected by this change in any way and will stay with AppArmor.

For broader context, please refer to:
- "RFC: SELinux as default MAC system on new Tumbleweed installations" sent to this list on 2024-07-19.
- "Progress Update: SELinux as default MAC system on new Tumbleweed installations" sent to this list on 2024-12-21.

We have tested the change manually and automatically via openQA. However, if you encounter any issues that could be related to SELinux, please feel encouraged to open a bug as it is really helpful to us: https://en.opensuse.org/openSUSE:Bugreport_SELinux

To learn more about SELinux, you can visit the SELinux wiki page: https://en.opensuse.org/Portal:SELinux

Thanks a lot to all the people in different teams who helped us achieve this change, especially Fabian Vogt, Dominique Leuenberger, Ana Guerrero Lopez, Douglas DeMaio, all the people from the openQA qe-core, qe-container, qe-security teams and the SELinux group!

Kind regards,
Cathy

[0] https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_Tumbl...
-- Cathy Hu <cahu@suse.de> SELinux Security Engineer GPG: 5873 CFD1 8C0E A6D4 9CBB F6C4 062A 1016 1505 A08A SUSE Software Solutions Germany GmbH Frankenstrasse 146 90461 Nürnberg Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich (HRB 36809, AG Nürnberg)

On 2/12/25 11:04 AM, Cathy Hu wrote:
Hi Cathy, Congratulations on achieving your goal! My test TW system which was manually migrated to SELinux has worked well and only had one package issue which has been fixed. When you said existing installations will *not* be migrated, did you mean will *never* be migrated unless we manually migrate them OR did you just mean that nothing is in place to migrate them right now? -- Regards, Joe

I think it was a bad move. From my previous experience with RHEL, SELinux is unmanageable by the regular user. If the user does not find a proper fix to this problem, they just put SELinux in permissive mode or even worse, disabled and never think about it again. I would like to know if this issue has been sufficiently discussed with the user community (not just among devs) and if there is any reason, in addition to following the trend, that motivated this decision. What are the problems with AppArmor that SELinux will solve/fix?

On Thursday 13 February 2025 18:11:33 Central European Standard Time, Miguel Rozsas wrote:
No idea who/what message you are quoting here
They will learn soon enough.
Please no. Development is not some kind of democratic process. Every little change would take ages of discussion with people who have no in-depth knowledge, yet do have opinions, to implement if it were.
What are the problems with AppArmor that SELinux will solve/fix?
I think the wiki and project webpages provide that info. -- Gertjan Lettink a.k.a. Knurpht openSUSE Forums Team openSUSE Mods Team

On Thu, Feb 13, 2025 at 12:45 PM Knurpht-openSUSE <knurpht@opensuse.org> wrote:
This was also discussed last year in depth: https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/Y... To put it simply: SELinux has a larger community, it is better accepted for higher security environments, and it has a much better upstream development story. It was first proven out with openSUSE MicroOS with Richard and myself doing the initial enablement work. I also wound up daily driving it for Tumbleweed for some time and worked with some of the security folks to resolve stuff I discovered. Overall, the experience is fairly good these days. I've been a daily driver of SELinux on my openSUSE machines for five years now with great success and no real issues cropping up (KDE Plasma on Wayland, regular workload including gaming and software development, etc.). -- 真実はいつも一つ!/ Always, there's only one truth!

On 2/13/25 12:53 PM, Neal Gompa wrote:
Hi Neal, I followed the instructions from this link to switch from AppArmor to SELinux on a test system: https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_tumbl... Overall everything has worked, with one exception which was addressed by an update to the SELinux policies. Did you have to do anything else to switch other than those steps? Thanks! -- Regards, Joe

Hey! I also came across the following article which talks about how to troubleshoot if an issue is affected by the SELinux setup. https://documentation.suse.com/en-us/sle-micro/6.0/html/Micro-setroubleshoot... After enrolling SELinux from AppArmor manually by following the instructions, I found my ClamAV On-Access Scanning setup was not working as expected. I found the tool setroubleshoot helpful, as well as the ClamAV documentation. https://docs.clamav.net/manual/Usage/Configuration.html#configure-selinux-fo... Just wanted to share my experience :-). Thank you all! Sutha

13.02.2025 20:45, Knurpht-openSUSE wrote:
Are you kidding? You are not aware that mailers escape lines starting with From since the very beginning?
No, they won't. SELinux is extremely complicated, tools needed to inspect the current policy are not even installed by default. If with AppArmor users can disable the single profile that is causing troubles leaving all others in enforcing mode, with SELinux it will be all or nothing from practical point of view.

Miguel Rozsas wrote:
I totally agree with you. When I saw the announcement, I hastily migrated from AppArmor by following the provided guide [0]. I was like, okay, this will be the new default, and since I've got an already installed system, I always do everything as it comes out to avoid forgetting in the future. However, I’ve already faced a few bottlenecks with SELinux, one of which is its complexity. While AppArmor has its separate YaST GUI, SELinux has no GUI by default, except for Cockpit (more on this later). My biggest problem was that suddenly all my games through Lutris got blocked because of the .exe files and such. Everything that worked before with AppArmor, out of the box, now stopped working. If it weren’t for my knowledge and sheer luck a couple of weeks ago—learning that even YaST is being removed soon and Cockpit will take its place—I wouldn’t have known how to manage SELinux. Thanks to Cockpit, I was able to "unblock" the programs because it has a nifty built-in tool that tells me what to type into the terminal. But if it weren’t for Cockpit, how would a regular user (like myself) without knowledge of a proper SELinux front-end handle these kinds of issues? So, I also think that this switch was too sudden. However, if we—the userbase—could get some official suggestions from the openSUSE team on how to use SELinux, or if Cockpit is the recommended way, I’d appreciate an official statement somewhere on the news page. A proper guide on how to manage this MAC properly and SAFELY without nuking the distro or locking ourselves out would be incredibly helpful. [0] https://en.opensuse.org/Portal:SELinux/Setup#Setup_SELinux_on_existing_Tumbl...
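Added example, not code from this thread, from openSUSE or from any of the posters above, covering the point Andrei and Ganjah raise about SELinux being "all or nothing" and needing Cockpit to learn what to type: the source domain of a blocked action can be read straight out of the AVC record, and `semanage permissive -a <domain>` puts only that one domain into permissive mode while every other domain stays enforcing (`semanage permissive -d <domain>` reverts it). setroubleshoot, and the Cockpit SELinux page built on it, automate the same reading of AVC records. The script below does that triage offline against a constructed sample of AVC lines (the wine_t/antivirus_t contexts, PIDs and paths are illustrative, not captured from a real host), prints the per-domain commands instead of running them, and drops records with `permissive=1`, which are logged but were never enforced.

```sh
#!/bin/sh
# Added example (not from the thread or from openSUSE): offline triage of
# SELinux AVC denials by source domain. SAMPLE_AVC is constructed for this
# example; domains, paths and PIDs are illustrative.

SAMPLE_AVC='type=AVC msg=audit(1739450000.123:456): avc:  denied  { execute } for  pid=4242 comm="wine" path="/home/u/Games/game.exe" dev="dm-1" ino=1234 scontext=unconfined_u:unconfined_r:wine_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1739450001.321:457): avc:  denied  { read } for  pid=5151 comm="clamonacc" path="/srv/data/report.pdf" dev="dm-1" ino=98765 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1739450002.000:458): avc:  denied  { write } for  pid=5151 comm="clamonacc" path="/srv/data/quarantine" dev="dm-1" ino=98766 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1739450003.000:459): avc:  denied  { getattr } for  pid=6161 comm="clamonacc" path="/srv/data/old.bin" dev="dm-1" ino=98767 scontext=system_u:system_r:antivirus_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1'

# Read AVC records from the file named in $1, or from the built-in sample.
# On a live host:  ausearch -m AVC -ts recent > /tmp/avc.log; avc_summary /tmp/avc.log
avc_input() {
    if [ -n "${1:-}" ]; then cat -- "$1"; else printf '%s\n' "$SAMPLE_AVC"; fi
}

# Keep only records that were actually blocked. permissive=1 means the
# source domain is already permissive: the denial is logged, not enforced,
# so it needs no further "unblocking".
enforced_denials() {
    avc_input "$@" | grep 'type=AVC' | grep 'permissive=0'
}

# One line per distinct denial: "<source domain> <object class> <permission>".
# The domain is the third field of scontext (user:role:type:range).
avc_summary() {
    enforced_denials "$@" \
      | sed -n 's/.*denied  { \([a-z_ ]*[a-z_]\) }.*scontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \3 \1/p' \
      | sort -u
}

# Distinct source domains that hit enforced denials.
avc_domains() {
    avc_summary "$@" | cut -d' ' -f1 | sort -u
}

# Per-domain escape hatch: marks only the named domain permissive, leaving
# every other domain enforcing. Commands are printed, not executed, so this
# is safe to run anywhere; an admin reviews them before pasting.
permissive_cmds() {
    avc_domains "$@" | while IFS= read -r d; do
        printf 'semanage permissive -a %s    # revert: semanage permissive -d %s\n' "$d" "$d"
    done
}

avc_summary
permissive_cmds
```

Putting a domain into permissive mode is the diagnostic step, not the fix: once the summary shows which domain and object class are involved, the durable fix is usually a policy boolean (`getsebool -a | grep antivirus` lists the ones relevant to the ClamAV case Sutha mentions) or a file-context change, after which the domain goes back to enforcing with `semanage permissive -d`.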
