openSUSE Tumbleweed Moves to SELinux

SELinux replaces AppArmor as the default Mandatory Access Control system in openSUSE Tumbleweed, with enforcing mode enabled on new installations.

Big changes are about to land in openSUSE Tumbleweed – maintainers have announced that SELinux will become the default Mandatory Access Control (MAC) system for new Tumbleweed installations starting with snapshot 20250211 (already in place).

The switch to install SELinux by default is in early implementation and aligns with a decision to grow adoption of SELinux for both SUSE and openSUSE. It’s expected to increase security by confining more services by default.

Accordingly, Tumbleweed’s next ISO release will come with SELinux enabled and running in enforcing mode by default. The change itself was announced on the openSUSE mailing list around the middle of last year.

For those unfamiliar with SELinux (Security-Enhanced Linux), it is a security feature built directly into the Linux kernel that controls what applications and users can access on a system.

It sets strict rules about what programs and users can do, which helps prevent unauthorized access or damage if a system is compromised. Essentially, it is an extra layer of protection that enforces who can access what on a Linux system.

Now, something very important – the maintainers have confirmed that existing Tumbleweed installations will remain untouched; users who already rely on AppArmor will not be forced to migrate, and they can continue using the profiles they have fine-tuned over time.

Current openSUSE Tumbleweed installation using AppArmor.

In other words, moving to SELinux out of the box chiefly affects only brand-new installations, including those using the minimalVM variant. Additionally, if any user prefers AppArmor during a fresh installation, the installer will provide a simple option to switch back.
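Because existing systems stay on AppArmor while new ones boot SELinux in enforcing mode, a fleet can end up mixed. The following is an added example, not from openSUSE's announcement or tooling, that reports which MAC system a host is actually running. It reads the kernel's standard securityfs, selinuxfs and AppArmor module files; the function names and the optional root-directory argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: report the active Mandatory Access Control system.
# The optional first argument is a hypothetical root prefix (default "/"),
# so the check can be pointed at a mounted image or a constructed test tree.

# Print the kernel's comma-separated list of active LSMs (empty if unreadable).
active_lsms() {
    f="${1%/}/sys/kernel/security/lsm"
    [ -r "$f" ] && cat "$f"
    return 0
}

# Print one of: "selinux enforcing", "selinux permissive", "selinux unknown",
# "apparmor enabled", "apparmor unknown", "none".
mac_status() {
    root=${1:-/}
    root=${root%/}
    # Wrap in commas so each name can be matched as a whole list element.
    lsms=",$(active_lsms "$root"),"
    enforce_file="$root/sys/fs/selinux/enforce"
    aa_file="$root/sys/module/apparmor/parameters/enabled"

    case "$lsms" in
    *,selinux,*)
        if [ ! -r "$enforce_file" ]; then
            echo "selinux unknown"        # selinuxfs not mounted
        elif [ "$(cat "$enforce_file")" = "1" ]; then
            echo "selinux enforcing"      # policy violations are denied
        else
            echo "selinux permissive"     # violations are only logged
        fi ;;
    *,apparmor,*)
        if [ -r "$aa_file" ] && [ "$(cat "$aa_file")" = "Y" ]; then
            echo "apparmor enabled"
        else
            echo "apparmor unknown"
        fi ;;
    *)
        echo "none" ;;
    esac
}
```

Calling `mac_status` with no argument inspects the live system; a result of `selinux permissive` on a fresh install means the enforcing default has been changed after installation.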

For many users, the switch to SELinux is expected to deliver added peace of mind. Still, the project leads acknowledge that any major change can bring along a few bumps in the road.

It is also worth noting that this shift does not apply to Leap 15.x, which will remain on its existing security model. For Tumbleweed, the first boot after installing SELinux can take a little extra time while the system labeling completes, so don’t be alarmed if things seem to run a tad slower immediately after setup.

Finally, additional updates and tweaks to SELinux policies are anticipated in the coming weeks to smooth out any rough edges. For more information, refer to openSUSE’s announcement.

Bobby Borisov


Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.