openSUSE Tumbleweed Moves to SELinux
Quoting: openSUSE Tumbleweed Moves to SELinux —
Big changes are about to land in openSUSE Tumbleweed – maintainers have announced that SELinux will become the default Mandatory Access Control (MAC) system for new Tumbleweed installations starting with snapshot 20250211 (already in place).
The switch to install SELinux by default is in early implementation and aligns with a decision to grow adoption of SELinux for both SUSE and openSUSE. It’s expected to increase security by confining more services by default.
Regarding this, Tumbleweed’s next ISO release will come with SELinux enabled and running in enforcing mode by default. Just a quick note—this change was announced on the openSUSE mailing list around mid-last year.
openSUSE:
- Tumbleweed Adopts SELinux as Default - openSUSE News
Tumbleweed has adopted SELinux as the default Linux Security Module (LSM) for new installations after a recent snapshot.
The transition was announced on the mailing list in July and marks a significant development for the rolling release. A new announcement on the factory mailing list yesterday confirms this to take place with the release of Tumbleweed snapshot 20250211. This change also applies to the openSUSE Tumbleweed minimalVM, which will ship with SELinux enabled by default.
“Users installing openSUSE Tumbleweed via the ISO image will see SELinux in enforcing mode as default option in the installer,” wrote SELinux Security Engineer Cathy Hu in the email announcement. “If the user prefers to use AppArmor instead of SELinux, they are able to change the selection to AppArmor manually in the installer.”
Tumbleweed has used AppArmor as its default LSM. This marks a shift in the default Mandatory Access Control (MAC) system for new installations as SELinux replaces AppArmor as the default choice. SELinux will be enabled in enforcing mode by default only for new installations. Existing installations will not be affected by the change and will retain the option to select AppArmor during installation if they prefer.
It's FOSS News:
- openSUSE Tumbleweed Ditches AppArmor for SELinux
openSUSE Tumbleweed is hands down one of the best rolling release Linux distributions out there. Many people prefer it over other distributions due to its stability and consistent updates, providing a near bleeding-edge experience.
There is another edition from the same project called openSUSE Leap, which focuses on long-term support and is a great option for those who prefer a more stable and laid-back distro experience.
Anyhow, an important change has been made to Tumbleweed, which mostly affects fresh installations. Let’s take a closer look.
LWN:
- OpenSUSE Tumbleweed switches to SELinux
The openSUSE project has announced that future installations of the Tumbleweed rolling distribution will use SELinux for mandatory access control rather than AppArmor. Existing installations will not be migrated, and AppArmor will continue to be maintained for Tumbleweed. The openSUSE Leap 15 distribution is not changing.
Later coverage:
- openSUSE Tumbleweed Adopts SELinux as Default Over AppArmor
Tumbleweed—openSUSE’s rolling release Linux distro—has made a significant change, swapping AppArmor for SELinux for new installs.
SELinux and AppArmor are the two most popular mandatory access control (MAC) systems for Linux, limiting what actions installed applications can take. MAC serves as an important security layer, limiting the damage a rogue or malicious application can do.
Tumbleweed has traditionally relied on AppArmor for its MAC implementation, but the distro is now moving to SELinux, as is the downstream SUSE Linux Enterprise (SLE) and openSUSE Leap 16.
Linux Magazine:
- openSUSE Tumbleweed Ditches AppArmor for SELinux » Linux Magazine
OpenSUSE Tumbleweed is a rolling release that is as secure as any Linux distribution, and it offers plenty of tools for power users (such as YaST). For years, it has used AppArmor as its underlying security layer, but that is about to change.
As a bleeding-edge distribution, the Tumbleweed developers don't mind making dramatic changes, especially with the internals. One such dramatic change, which was announced on the openSUSE Factory mailing list, will be the move from AppArmor to SELinux for mandatory access control.
SELinux will be set to enforcing mode on openSUSE Tumbleweed. However, if you would like to stick with AppArmor, you can do so manually in the OS installer.
It is also important to note that existing installations will not be switched to SELinux. Leap users don't have to fear, as this move will not affect their installations.