@opensuse Tumbleweed rolling release moves from AppArmor to SELinux for its underlying security layer
https://www.linux-magazine.com/Online/News/openSUSE-Tumbleweed-Ditches-AppArmor-for-SELinux
#openSUSE #Tumbleweed #AppArmor #SELinux #Linux #OpenSource #distro #FOSS #security
Starting with snapshot 20250211, #SELinux becomes the default #MAC system for new installs, boosting security! 
#AppArmor is still optional. The first #boot might take a little time. #openSUSE #Tumbleweed https://news.opensuse.org/2025/02/13/tw-plans-to-adopt-selinux-as-default/
@kde@floss.social @kde@lemmy.kde.social
Thx for the info, then it is like that.
Here is the goal proposal
https://phabricator.kde.org/T17370
Tbh, #bubblewrap would need to be fixed drastically to be as secure as the #Android #sandbox. And (I am not sure yet) I think even #Snaps are more secure (on #Ubuntu with #Apparmor patches) than #Flatpak with the current system.
As far as I understood, sandboxing needs to happen in #userspace, with tools like #fuse doing the work while being restricted by #MAC like #SELinux or Apparmor.
I'm working on running #apparmor end-to-end tests upstream, so that there are fewer regressions and better compatibility across different distributions and kernels.
I've been posting about it at https://lists.ubuntu.com/archives/apparmor/2024-November/013407.html and I've also opened an initial pull request at https://gitlab.com/apparmor/apparmor/-/merge_requests/1432
I am very happy to have time to work on improving upstream state of the art for everyone using apparmor :-)
I am currently working on #apparmor support for #nixos making profile definitions declared in the apparmor.d project available and functional.
You can read up on my initial approach at https://hedgedoc.grimmauld.de/s/hWcvJEniW#. I am not done yet! Pull Requests into nixpkgs will come after 24.11 branch-of. In the meantime, progress will be shared here on mastodon.
TIL: #Ubuntu apparently carries a "huge" #AppArmor patchset in their #Linux #kernel:
"'To start with, the patchset is huge; it is upwards of 60 separate patches, making it a significant maintenance burden. Since the set is maintained and updated by #Canonical, we can only update to a new kernel after they’ve updated all of those patches, which sometimes takes a long time, or even doesn’t happen at all, as with the 6.9 kernel series.'"
https://getsol.us/2024/07/15/dropping-apparmor-kernel-patches/ #LinuxKernel
In less than 30 minutes, you can watch a #security #techtalk about switching from #AppArmor to #SELinux. What are some successes, challenges & future expectations? Find out by watching. https://www.youtube.com/live/4uHmAiluDFo?si=-x0W2GPH71b-CI-C
I don't seem to have enough google-fu to solve this myself: On my #Debian installations, #dmesg is full of #AppArmor logs for #Vivaldi. Almost all of them are "ALLOW" entries, which seems completely irrelevant.
Is there a way to get AppArmor not to spam dmesg with messages? I can't find any settings about the amount of log messages in the AppArmor manual page or documentation.
