openSUSE Tumbleweed switches from AppArmor to SELinux
The rolling release Linux distribution openSUSE Tumbleweed switches from AppArmor to SELinux for access control.
(Image: Created with AI in Bing Designer by heise online / dmk)
Since last week, new snapshots of the rolling release Linux distribution openSUSE Tumbleweed have used SELinux as the default Mandatory Access Control (MAC) system, replacing AppArmor.
SUSE recently announced this on its own mailing list. The openSUSE Tumbleweed "minimalVM" has also been delivered with SELinux in enforcing mode since then. AppArmor and SELinux are used to harden and secure Linux. Both allow fine-grained access rights to be assigned to programs and services, for example. The two systems differ in the details. AppArmor, for example, can be set up piece by piece, for individual programs, and is considered simple. SELinux, on the other hand, is more complex and initially takes full effect for all software, but is considered superior to AppArmor.
openSUSE Tumbleweed: All options open
Anyone installing openSUSE Tumbleweed using an ISO image, for example, will be offered SELinux in enforcing mode as the default setting in the installer. If you prefer to use AppArmor, you can change the selection manually. AppArmor will continue to be maintained by the previous maintainer, SUSE explains.
During normal updates, existing installations will not be automatically migrated from AppArmor to SELinux. Interested users can, however, migrate to SELinux themselves. SUSE provides instructions for this. The IT security people at SUSE have tested the changes with both manual and automatic implementation. However, they are asking for feedback if there are any problems, writes Cathy Hu, who works as SELinux Security Engineer at SUSE.
Anyone working with container systems such as Kubernetes under openSUSE Tumbleweed may have to do some manual work there. Kubernetes provides instructions on how to set it up for use with AppArmor and SELinux.
Anyone using SUSE Leap 15.x does not need to worry: the distribution is not affected by the change and continues to harden the system with AppArmor.
(dmk)