#36 SELinux as 'tech preview'?
Closed: Rejected 10 months ago by lkocman. Opened 2 years ago by predivan.

Would it make sense to make SELinux
(packages developed at https://build.opensuse.org/project/show/security:SELinux)
available to a potentially larger Leap user base as a 'technology preview/use at your own risk' thing?

FWIW, I did some (very limited) testing with 15.3, both on JeOS and desktop (XFCE) VMs, and I haven't seen, AFAICT, any major issues with targeted policy.

I know that's a pretty radical departure from SLE, and Leap is supposed to be 'boring' :), but it might be an opportunity to fix issues/bugs and refine the policy with some more 'real world use', perhaps?

All that if, of course, developers/maintainers of security:SELinux are up for it :)


It would certainly be nice to have SELinux available in Leap (I use it on Tumbleweed myself). I believe SUSE is already shipping SELinux for SLE on some variants (like SLE Micro).

We already have that option in the installer. This is the current issue: https://bugzilla.suse.com/show_bug.cgi?id=1187326

Metadata Update from @lkocman:
- Issue assigned to lkocman

2 years ago

There's no SELinux policy to make it work, and the installer will happily let you set up SELinux with no policy, which leads to a broken system.

Yup, so if this request is about providing policies, then I think we can get that covered. I think there will be some progress internally on SLE as well.

How would that work?
ATM, SELinux in 15.3 is 3.0.
Provide 'just' the policies for it, or update the whole stack to (currently) 3.2?
Either works for me, just curious :)

It would most likely be just providing the policies.

Leap 16.0 and Leap Micro 5.4 (which now has Enforcing by default) are already covered. It seems that Leap 15.X / SLES 15 SPX still lacks policies.

Moving to Leap 16.0

Metadata Update from @lkocman:
- Issue set to the milestone: 16.0

a year ago

Rejecting for 15.6 after discussion with Johannes Segitz; we plan to deliver this for ALP / 16.0. The team believes they would not be able to provide sufficient quality for Leap 15, based on current priorities and team capacity.

Leap Micro already has SELinux by default, ALP prototypes too. I did discuss the option to make it a tech preview in Leap 15.6; however, @jsegitz confirmed that the team has no capacity to maintain policy in Leap at acceptable quality, and they'd prefer to focus their work towards ALP.

I'll reject the feature, based on the title "tech-preview", in the sense that this is specifically targeting Leap.

Metadata Update from @lkocman:
- Issue close_status updated to: Rejected
- Issue status updated to: Closed (was: Open)

10 months ago

Just to note, @jsegitz confirmed that it would be a good idea to make sure enforcing is the default on TW too, if ALP aims to have the same.