How to remove SELinux and go back to using AppArmor

I would like to stick to AppArmor.

I just reinstalled Tumbleweed and realized it is too complicated for a regular non-sysadmin desktop user and would prefer to go back to how it was before in my previous install.
I tried just disabling SELinux, uninstalling SELinux (sudo zypper remove selinux-tools selinux-policy), installing SELinux (sudo zypper install apparmor-utils apparmor-profiles apparmor-parser) and enabling it in systemd, but apparently I also need to have the properly compiled kernel to load the profiles. Also, I installed the apparmor pattern in zypper/yast to be sure everything is installed, including 32-bit.
Are there any guides or could you provide more information on how to do it properly?

Thanks!

@lavadrop Reverse of this https://en.opensuse.org/Portal:SELinux/Setup (need boot options security=apparmor) and then https://en.opensuse.org/SDB:AppArmor

Just remember at some point it’s going away…so better to get the hurt out of the way now :wink:

Having the setroubleshoot-server and setroubleshoot-plugins should be able to resolve most issues, likely most probably need bug reports, but you can also resolve by creating your own policy if required?

I have a pretty much default install of Tumbleweed here on a test system with sdboot/SELinux/btrfs etc and not seen anything show up regarding SELinux (Cockpit Client).

Alrighty then.

If I just installed AppArmor, how can I remove it? It seems to have cross dependencies with systemd and udev.

@lavadrop does the first link help on what to do?

Then from the second link, remove:

libapparmor
apparmor-profiles
apparmor-utils
apparmor-parser
yast2-apparmor
apparmor-docs

Thank you. It was easier to rollback to 2 hours ago, I had also installed lutris-apparmor that pulled a ton of dependencies I won’t need.

Do I also need to do touch /.autorelabel?
I have 2 btrfs secondary SSDs that contain user data. They mount without errors according to dmesg.

If this is a new installation, the easiest is to reinstall selecting AppArmor.

It was 3 days ago, I rolled back to this afternoon’s pre-zypper alterations and I’m back on the default SELinux install. However I have an instance of wine complaining that

steam[5905]: wine: Read access denied for device L"\??\Z:\", FS volume label and serial are not available.

This is mentioned here:
https://en.opensuse.org/Portal:SELinux/Common_issues

Well …

Obligatory question - does it start to work after

setenforce 0

Yes, yes it did.

Good. Then show

ausearch -ts today -m avc,user_avc,selinux_err,user_selinux_err

There are hundreds of denials.

I tried systemctl start selinux-autorelabel
and got
Failed to start selinux-autorelabel.service: Unit selinux-autorelabel.service not found.
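
Added example, not part of the thread: when the `ausearch` command above returns hundreds of denials, grouping them by source type, target type, object class and permissions usually reduces the listing to a few distinct rules to put in a bug report. The function names and the sample records (including the `example_t` type) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Group SELinux AVC denials so a long ausearch listing collapses into a
# few distinct (source type -> target type [class] { perms }) rules.

summarize_avc() {
    awk '
    # Value of key=value in the current record, quotes stripped.
    function field(key,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return "?"
    }
    # SELinux type = third colon-separated part of user:role:type:level.
    function setype(ctx,    p) {
        return (split(ctx, p, ":") >= 3) ? p[3] : "?"
    }
    /avc: +denied/ {
        perms = $0
        sub(/^.*[{] */, "", perms)      # drop everything up to the brace
        sub(/ *[}].*$/, "", perms)      # drop the closing brace and the rest
        src = setype(field("scontext"))
        tgt = setype(field("tcontext"))
        count[src " -> " tgt " [" field("tclass") "] { " perms " }"]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample records, not taken from the thread.
sample_records() {
    cat <<'EOF'
----
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=4101 comm="example" name="data" dev="sdb1" ino=256 scontext=unconfined_u:unconfined_r:example_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(1700000001.202:202): avc:  denied  { read } for  pid=4102 comm="example" name="data" dev="sdb1" ino=256 scontext=unconfined_u:unconfined_r:example_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
----
type=AVC msg=audit(1700000002.303:203): avc:  denied  { read open } for  pid=4103 comm="example" path="/home/user/file" dev="sda2" ino=512 scontext=unconfined_u:unconfined_r:example_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000002.303:203): arch=c000003e syscall=257 success=no exit=-13 comm="example"
EOF
}

# Live use (as root): ausearch -ts today -m avc,user_avc | summarize_avc
```
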

If you’re a desktop user behind a firewall, how do you feel about just disabling SELinux? It’s a real pain sometimes and can really get in the way.

After distro upgrading to the snapshot that upgraded python, the SELinux policy that wasn’t being written to disk was finally fixed and now there are no more denials and my system seems labeled properly. I already disabled firewalld, I’d prefer to keep SELinux and help the SELinux openSUSE team improve with bug reports when issues happen.
