openSUSE Tumbleweed Transitions from AppArmor to SELinux for Enhanced Security

Tue 18th Feb, 2025

openSUSE Tumbleweed, a leading rolling-release Linux distribution, has officially transitioned from AppArmor to SELinux for access control. This significant change aims to enhance security measures within the operating system.

As of last week, the latest snapshots of openSUSE Tumbleweed will ship with SELinux enabled as the default Mandatory Access Control (MAC) mechanism, effectively replacing AppArmor. This update was announced by SUSE on their internal mailing list.

Furthermore, the openSUSE Tumbleweed 'minimalVM' is now also delivered with SELinux operating in enforcing mode. Both AppArmor and SELinux are designed to harden and secure Linux systems by allowing fine-tuned access permissions for applications and services. While AppArmor is generally considered more user-friendly and allows for piecemeal configuration for individual programs, SELinux is known for its robustness and comprehensive security features, albeit with increased complexity.

For users installing openSUSE Tumbleweed via an ISO image, SELinux in enforcing mode will be the default option presented during installation. Users who prefer to continue using AppArmor can manually select that option during the installation process. AppArmor will still receive maintenance from its current maintainer, according to SUSE.

It is important to note that existing installations will not automatically migrate from AppArmor to SELinux with regular updates. However, users interested in making the switch can do so manually, and SUSE has provided guidance for this transition. The changes have been thoroughly tested by SUSE's IT security team, who encourage users to report any issues they encounter, as stated by an SELinux Security Engineer at SUSE.

For those using container systems like Kubernetes on openSUSE Tumbleweed, additional configuration may be necessary. Kubernetes provides specific instructions for configuring both AppArmor and SELinux.

Users of SUSE Leap 15.x can rest assured that this change does not affect their distribution, which will continue to rely on AppArmor for system hardening.

