Welcome to the family, openSUSE Leap! Finally :) The 16.0 Release Candidate makes it official. #SELinux becomes the default.
Highlights from the LSM, SELinux, and audit PRs that were merged into Linus' tree during the Linux v6.17 merge window.
https://paul-moore.com/blog/d/2025/07/linux_v617_merge_window.html
If there's any job opening related to #selinux, let me know :)
Find out what happened in this #oSC25 talk about the switch of #SELinux as the default MAC system in #openSUSE Tumbleweed. This talk will explore the shift from #AppArmor and the lessons learned. A must-watch for those following system security! #Linux #openSUSE https://youtu.be/8wBLbhSjDwE?si=1fOBIHkq1KkU5ynV
"[…] #SELinux stops all access unless allowed by policy. […] Before the SELinux 3.6 userspace version, it was not possible to drop any access already allowed in the base SELinux policy or in a module. […] The changes in the latest SELinux userspace release 3.6 introduced support for deny rules. They are documented in Access Vector Rules: 'Remove the access rights defined from any matching allow rules.'"
https://developers.redhat.com/articles/2025/06/04/how-selinux-deny-rules-improve-system-security
The Linux v6.16 merge window is open and I've written up the LSM, SELinux, and audit highlights that have been merged into Linus' tree.
https://paul-moore.com/blog/d/2025/05/linux_v616_merge_window.html
#SELinux becomes default on openSUSE! Learn how Mandatory Access Control evolves for Tumbleweed at the #openSUSE Conference. #Linux #Security https://events.opensuse.org/
Fuck you too, SELinux.
SELinux is preventing brltty from getattr access on the chr_file /dev/bus/usb/003/073.
Linux v6.15-rc1 was released today, and here is my quick summary of the LSM and SELinux changes sent up to Linus during the Linux v6.15 merge window.
(There were no audit patches queued up for Linux v6.15, but that should change for the next merge window.)
https://paul-moore.com/blog/d/2025/04/linux_v615_merge_window.html
Just had my first disagreement with a coworker.
It was all about #SELinux.
Come to find out, the issue wasn't even about that.
A file was just missing.
I'm now sitting in my comfy chair trying to calm down.
@opensuse Tumbleweed rolling release moves from AppArmor to SELinux for its underlying security layer
https://www.linux-magazine.com/Online/News/openSUSE-Tumbleweed-Ditches-AppArmor-for-SELinux
#openSUSE #Tumbleweed #AppArmor #SELinux #Linux #OpenSource #distro #FOSS #security
#openSUSE Adopts #SELinux as Default MAC (Mandatory Access Control) System on New #Tumbleweed Installations https://9to5linux.com/opensuse-replaces-apparmor-with-selinux-on-new-tumbleweed-installations
#Tumbleweed Weekly Review: #SELinux is now the default LSM for new installs! Plus:
KDE Gear 24.12.2
GNOME Shell 47.4
GIMP 3.0 RC3
Coming soon: #Linux Kernel 6.13.2, #PipeWire 1.3.82 & #Python 3.13!
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/Z4GBJPYANFF4KQ2FL4NKPHNRNMLOCPMG/
Stay updated on #Tumbleweed's #SELinux transition! Follow discussions & progress on #openSUSE's Factory mailing list
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/G3W5NIY3OKRBHPHWTPYEUPSS4LKZN77N/
Starting with snapshot 20250211, #SELinux becomes the default #MAC system for new installs, boosting security! #AppArmor is still optional. The first #boot might take a little time. #openSUSE #Tumbleweed https://news.opensuse.org/2025/02/13/tw-plans-to-adopt-selinux-as-default/
Big Change in #Tumbleweed! Starting with snapshot 20250211, #SELinux will be the default Mandatory Access Control (MAC) system in enforcing mode! Users can still opt for AppArmor during installation. Read more about it! #openSUSE https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/G3W5NIY3OKRBHPHWTPYEUPSS4LKZN77N/
@kde@floss.social @kde@lemmy.kde.social
Thx for the info, then it is like that.
Here is the goal proposal
https://phabricator.kde.org/T17370
Tbh, #bubblewrap would need to be fixed drastically to be as secure as the #Android #sandbox. And (I am not sure yet) I think even #Snaps are more secure (on #Ubuntu with #Apparmor patches) than #Flatpak with the current system.
As far as I understood, sandboxing needs to happen in #userspace, with tools like #fuse doing the work while being restricted by #MAC like #SELinux or Apparmor.
@kde@floss.social @kde@lemmy.kde.social
Can you tell us what happens on the "sandbox all the things" goal?
I think this is a pretty crucial step forward, even though #sandbox technologies (most often through user namespaces) are more problematic than I initially thought.
(Basically, user #namespaces open up #privesc dangers to the monolithic #kernel, which is incredible. #Android and #ChromeOS use #LXC, mounts and #SELinux for #sandboxing)
Okie day 2 of hitting Linux SysAdmin labs, we're picking up straight into SELinux so at least I'm fresh for that.
Hope the course is more than just `semanage disable` lol