Tumbleweed and SELinux

I have been running TW for years and had not followed anything about SELinux until I came upon it when I upgraded a couple of machines from Leap 15.6 to Leap 16.0.
I understand that SELinux is the default for new TW installations but is this installed on existing TW systems on zypper dup?
I ask because I have:-

alastair@HP-Z640-1:~> getenforce
Disabled
alastair@HP-Z640-1:~> 

At what point should I enable SELinux, if at all?

1 Like

On openSUSE Tumbleweed, SELinux is not automatically enabled on upgraded systems. It’s only installed and enforced by default on fresh Tumbleweed installs.

Changing the mode permanently:

Reasons for enabling it might be (but not limited to):

  • You want the extra mandatory access control security that SELinux provides.

  • You are running a server with services exposed to untrusted users or the Internet, where a policy could help contain compromises.

I’d start with using it in permissive mode first, and check logs for denied actions. Nothing will be blocked in this mode. If that checks out ok for your situation, then move to enforcing mode.

1 Like
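The "check logs for denied actions" step from the reply above, as an added example that is not part of the original post: a shell function that groups AVC denial records by source type, target type, class and permissions, so you can see what enforcing mode would have blocked. The names avc_summary and sample_log are made up for this example, and the log lines are constructed samples in the standard audit AVC format.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials logged while in permissive mode.
# Reads audit records on stdin, prints "count source -> target class {perms} comm=...".
# Limitation: a comm value containing spaces is cut at the first space.
avc_summary() {
    awk '
    /avc:/ && /denied/ {
        perms = ""; comm = "?"; src = "?"; tgt = "?"; cls = "?"; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }   # permission list starts
            if ($i == "}") { inperm = 0; continue }   # permission list ends
            if (inperm) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        n[src " -> " tgt " " cls " {" perms "} comm=" comm]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample records (not from a real system); permissive=1 means the
# access was logged but still allowed.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="sda2" ino=4011 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 comm="httpd"
type=AVC msg=audit(1700000005.332:207): avc:  denied  { read } for  pid=2101 comm="httpd" name="style.css" dev="sda2" ino=4012 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000009.870:215): avc:  denied  { read open } for  pid=2230 comm="rsync" path="/srv/backup/db.sql" dev="sda2" ino=5120 scontext=system_u:system_r:rsync_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
EOF
}

sample_log | avc_summary
```

On a real system, feed it the audit log instead of the sample, for example `ausearch -m avc -ts boot | avc_summary` run as root. An empty result after normal use of the machine is the signal that moving to enforcing mode should not block anything you rely on.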

FWIW, I have a system using Slowroll, and I’m continuing to use Apparmor with that.

Hi Dean,
Thanks for the info. It is what I had suspected, and your additional note is interesting. As you will have gathered, I have been working on Leap 16.0. I have it running well now with the KDE desktop and Plasma Wayland, but to do this I am running a hybrid system because I have had to resort to the OBS repo, as per earlier posts. In my ignorance I feel I may be vulnerable when doing updates. I have elected a cautious update command:-

sudo zypper dup --from KDE-Qt6 --from KDE-Frameworks --from KDE-Extra --allow-vendor-change

I am not confident this is correct and would appreciate comments but I am now thinking I should consider Slowroll. After all I have not had too many issues with TW.
Any thoughts?

Just do as explained here…
https://en.opensuse.org/SDB:KDE_repositories

I happily use Slowroll on my Dell laptop. I like that it’s a rolling release, but with a slower, more deliberate update cadence than openSUSE Tumbleweed. In my experience, that helps avoid some of the short-term issues that can occasionally show up in a fast-moving rolling distro.

I also run Leap 16 on another machine, which gives me a more traditional, stable base (aligned with SLE). I use it at work from time to time and when helping others in the forums. It’s been very predictable and hasn’t presented any unexpected issues I couldn’t resolve.

If you’re already comfortable with openSUSE Tumbleweed, then Slowroll is probably a good fit, as it keeps the same rolling model with fewer rapid changes.

Hi and many thanks for the further info. I am now upgrading one of my Leap 16.0 machines to Slowroll. Will give it a spin for a month or so and feed back info.

1 Like