'"[…] #SELinux stops all access unless allowed by policy. […] Before the SELinux 3.6 userspace version, it was not possible to drop any access already allowed in the base SELinux policy or in a module. […] The changes in the latest SELinux userspace release 3.6 introduced support for deny rules. They are documented in Access Vector Rules: "Remove the access rights defined from any matching allow rules.""'

https://developers.redhat.com/articles/2025/06/04/how-selinux-deny-rules-improve-system-security

#SELinux becomes default on openSUSE! Learn how Mandatory Access Control evolves for Tumbleweed at the #openSUSE Conference. #Linux #Security https://events.opensuse.org/

Fortifying #Debian #Linux With #SELinux by Enforcing Mandatory Access Control for Ultimate System Security

https://www.linuxjournal.com/content/fortifying-debian-selinux-enforcing-mandatory-access-control-ultimate-system-security

I am experimenting with MicroOS running btrfs and SELinux.

I have some storage i use for Minecraft server data for instance, on the partition i have a directory with readonly snapshots. The server will not boot properly, because it's running auto relabeling and cannot relabel the readonly stuff.

What's the correct way to handle this? I've tried mounting the partition in different locations, but it seems everything is targeted by the relabel

Ah.. nothing beats spending 2 hour trying to create a simple #systemd service + timer + bash script to back up an sqlite database every week and it just not working because random permission issues just for selinux to be the culprit. Love how you need another tool to actually understand wtf #SELinux wants from you. #linux

I recently read my 8 year old daughter the #SELinux coloring book before school. I'm training up the next generation of #Linux adventurers!

Oh, das hat ein bisschen gedauert herauszufinden: Ich wollte in Android Studio ein virtuelles Device starten.
Das brachte Qemu immer wieder den Tod unter Fedora 41 = mein virtuelles Pixel 7 wollte nicht starten.

Ich hab nie die richtige Fehlermeldung dazu gefunden, bis ich über setroubleshoot gestolpert bin.
Das zeigte mir dann beim erneuten Startversuch an, was schief geht aus Sicht von SELinux (und NUR das), und ich konnte Ausnahmeregeln definieren.

Nun tuts!

> sudo dnf install setroubleshoot

Weiterführende Informationen zu SELinux:

https://docs.fedoraproject.org/en-US/quick-docs/selinux-getting-started/

https://www.youtube.com/watch?v=_WOKRaM-HI4

https://media.ccc.de/v/wicmp-2025-129-selinux-fr-newbies#t=0

New Episode: hpr4328 :: Use SELinux the easy way

You don't have to be an expert on SELinux to use it effectively

Hosted by Klaatu on Wednesday, 2025-03-05 is flagged as Clean and is released under a CC-BY-SA license.

Tags: #linux, #selinux, #permissions.

Today on the #HackerPublicRadio #Community #Podcast​

#HPR #CreativeCommons

https://hackerpublicradio.org/eps/hpr4328/index.html

February brought big changes to #openSUSE Tumbleweed! #SELinux is now the default MAC for new installs, while #Mesa 25.0 adds #Vulkan 1.4 support. Plus, #KDE Plasma 6.3 enhances fractional scaling and drawing tablet settings. https://news.opensuse.org/2025/02/27/tw-monthly-update-february/

@opensuse Tumbleweed rolling release moves from AppArmor to SELinux for its underlying security layer
https://www.linux-magazine.com/Online/News/openSUSE-Tumbleweed-Ditches-AppArmor-for-SELinux
#openSUSE #Tumbleweed #AppArmor #SELinux #Linux #OpenSource #distro #FOSS #security

So #opensuse switched to #selinux. Changing my systems works. Only Steam is not running, because selinux blocks boolean.
I have to admit, that I don't understand selinux. Is there a easy to understand tutorial? I don't want to mess around.
In the suse forum I found this solution:
sudo setsebool selinuxuser_execmod 1
..but with hint: If you understand the risks.

I don't understand the risc :)

#openSUSE Adopts #SELinux as Default MAC (Mandatory Access Control) System on New #Tumbleweed Installations https://9to5linux.com/opensuse-replaces-apparmor-with-selinux-on-new-tumbleweed-installations

@opensuse #Linux #OpenSource

#openSUSE Tumbleweed Moves to #SELinux

https://linuxiac.com/opensuse-tumbleweed-moves-to-selinux/

#Tumbleweed Weekly Review #SELinux is now the default LSM for new installs! Plus:
KDE Gear 24.12.2
GNOME Shell 47.4
GIMP 3.0 RC3
Coming soon: #Linux Kernel 6.13.2, #PipeWire 1.3.82 & #Python 3.13! https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/Z4GBJPYANFF4KQ2FL4NKPHNRNMLOCPMG/

Stay updated on #Tumbleweed's #SELinux transition! Follow discussions & progress on #openSUSE's Factory mailing list https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/G3W5NIY3OKRBHPHWTPYEUPSS4LKZN77N/

Starting with snapshot 20250211, #SELinux becomes the default #MAC system for new installs, boosting security! #AppArmor is still optional. The first #boot might take a little time. #openSUSE #Tumbleweed https://news.opensuse.org/2025/02/13/tw-plans-to-adopt-selinux-as-default/

Big Change in #Tumbleweed! Starting with snapshot 20250211, #SELinux will be the default Mandatory Access Control (MAC) system in enforcing mode! Users can still opt for AppArmor during installation. Read more about it! #openSUSE https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/G3W5NIY3OKRBHPHWTPYEUPSS4LKZN77N/