Welcome to the family, OpenSUSE Leap! Finally :) The 16.0 Release Candidate makes it official. #SELinux becomes the default.
#selinux
1 post1 participant0 posts today
Highlights from the LSM, SELinux, and audit PRs that were merged into Linus' tree during the Linux v6.17 merge window.
https://paul-moore.com/blog/d/2025/07/linux_v617_merge_window.html
paul-moore.comPaul Moore · Linux 6.17 Merge Window
If there's any job opening related to #selinux, let me know :)
Find out what happened in this #oSC25 talk about the switch of #SELinux as the default MAC system in #openSUSE Tumbleweed, This talk will explore the shift from #AppArmor and the lessons learned. A must-watch for those following system security! 
#Linux #openSUSE https://youtu.be/8wBLbhSjDwE?si=1fOBIHkq1KkU5ynV
youtu.be- YouTubeEnjoy the videos and music you love, upload original content, and share it all with friends, family, and the world on YouTube.
'"[…] #SELinux stops all access unless allowed by policy. […] Before the SELinux 3.6 userspace version, it was not possible to drop any access already allowed in the base SELinux policy or in a module. […] The changes in the latest SELinux userspace release 3.6 introduced support for deny rules. They are documented in Access Vector Rules: "Remove the access rights defined from any matching allow rules.""'
https://developers.redhat.com/articles/2025/06/04/how-selinux-deny-rules-improve-system-security
Red Hat Developer · How SELinux deny rules improve system security | Red Hat DeveloperLearn how you can now use deny rules to remove SELinux permissions from the base SELinux policy or a module with the new SELinux userspace release 3.6
The Linux v6.16 merge window is open and I've written up the LSM, SELinux, and audit highlights that have been merged into Linus' tree.
https://paul-moore.com/blog/d/2025/05/linux_v616_merge_window.html
paul-moore.comPaul Moore · Linux 6.16 Merge Window
#SELinux becomes default on openSUSE! Learn how Mandatory Access Control evolves for Tumbleweed at the #openSUSE Conference. 
#Linux #Security https://events.opensuse.org/
events.opensuse.orgopenSUSE Events
Fuck you too, SELinux.
SELinux is preventing brltty from getattr access on the chr_file /dev/bus/usb/003/073.
Linux v6.15-rc1 was released today, and here is my quick summary of the LSM and SELinux changes sent up to Linus during the Linux v6.15 merge window.
(There were no audit patches queued up for Linux v6.15, but that should change for the next merge window.)
https://paul-moore.com/blog/d/2025/04/linux_v615_merge_window.html
paul-moore.comPaul Moore · Linux 6.14 Merge Window
Just had my first disagreement with a coworker.
It was all about #SELinux.
Come to find out, the issue wasn't even about that.
A file was just missing.
I'm now sitting in my comfy chair trying to calm down.
@opensuse Tumbleweed rolling release moves from AppArmor to SELinux for its underlying security layer
https://www.linux-magazine.com/Online/News/openSUSE-Tumbleweed-Ditches-AppArmor-for-SELinux
#openSUSE #Tumbleweed #AppArmor #SELinux #Linux #OpenSource #distro #FOSS #security
#openSUSE Adopts #SELinux as Default MAC (Mandatory Access Control) System on New #Tumbleweed Installations https://9to5linux.com/opensuse-replaces-apparmor-with-selinux-on-new-tumbleweed-installations
#Tumbleweed Weekly Review 
#SELinux is now the default LSM for new installs! Plus:
KDE Gear 24.12.2 GNOME Shell 47.4 GIMP 3.0 RC3
Coming soon: #Linux Kernel 6.13.2, #PipeWire 1.3.82 & #Python 3.13! 
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/Z4GBJPYANFF4KQ2FL4NKPHNRNMLOCPMG/
Stay updated on #Tumbleweed's #SELinux transition! 
Follow discussions & progress on #openSUSE's Factory mailing list 
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/G3W5NIY3OKRBHPHWTPYEUPSS4LKZN77N/
Starting with snapshot 20250211, #SELinux becomes the default #MAC system for new installs, boosting security! 
#AppArmor is still optional. The first #boot might take a little time. #openSUSE #Tumbleweed https://news.opensuse.org/2025/02/13/tw-plans-to-adopt-selinux-as-default/
openSUSE NewsTumbleweed Plans to Adopt SELinux as DefaultTumbleweed is planning to adopt SELinux as the default Linux Security Module (LSM) for new installations in the nearterm. The transition was announced on the...
Big Change in #Tumbleweed! Starting with snapshot 20250211, #SELinux will be the default Mandatory Access Control (MAC) system in enforcing mode! Users can still opt for AppArmor during installation. Read more about it! #openSUSE https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/G3W5NIY3OKRBHPHWTPYEUPSS4LKZN77N/
openSUSE Mailing ListsAnnouncement: SELinux as default MAC system on new Tumbleweed installations - openSUSE FactoryHi all,
We would like to announce that with the next openSUSE Tumbleweed
snapshot 20250211 the default mandatory access control (MAC) system
selected by the installer will be switched from Ap……
Replied in thread
@kde@floss.social @kde@lemmy.kde.social
Thx for the info, then it is like that.
Here is the goal proposal
https://phabricator.kde.org/T17370
Tbh, #bubblewrap would need to be fixed drastically to be as secure as the #Android #sandbox. And (I am not sure yet) I think even #Snaps are more secure (on #Ubuntu with #Apparmor patches) than #Flatpak with the current system.
As far as I understood, sandboxing needs to happen in #userspace, with tools like #fuse doing the work while being restricted by #MAC like #SELinux or Apparmor.
phabricator.kde.org⚓ T17370 Sandbox all the things!
Replied in thread
@kde@floss.social @kde@lemmy.kde.social
Can you tell us what happens on the "sandbox all the things" goal?
I think this is a pretty crucial step forward, even though #sandbox technologies (most often through user namespaces) are more problematic than I initially thought.
(Basically, user #namespaces open up #privesc dangers to the monolithic #kernel, which is incredible. #Android and #ChromeOS use #LXC, mounts and #SELinux for #sandboxing)
Okie day 2 of hitting Linux SysAdmin labs, we're picking up straight into SELinux so at least I'm fresh for that.
Hope the course is more than just `semanage disable` lol