Tumbleweed—openSUSE’s rolling release Linux distro—has made a significant change, swapping AppArmor for SELinux for new installs.

SELinux and AppArmor are the two most popular mandatory access control (MAC) systems for Linux, limiting what actions installed applications can take. MAC serves as an important security layer, limiting the damage a rogue or malicious application can do.

Tumbleweed has traditionally relied on AppArmor for its MAC implementation, but the distro is now moving to SELinux, as is the downstream SUSE Linux Enterprise (SLE) and openSUSE Leap 16.

“Users installing openSUSE Tumbleweed via the ISO image will see SELinux in enforcing mode as default option in the installer,” wrote SELinux Security Engineer Cathy Hu in an email announcement. “If the user prefers to use AppArmor instead of SELinux, they are able to change the selection to AppArmor manually in the installer.”

The project’s blog said existing users will be able to continue using AppArmor, and new users can still select it during the installation process, but SELinux is expected to bring a greater level of security.

Tumbleweed has used AppArmor as its default LSM. This marks a shift in the default Mandatory Access Control (MAC) system for new installations as SELinux replaces AppArmor as the default choice. SELinux will be enabled in enforcing mode by default only for new installations. Existing installations will not be affected by the change and will retain the option to select AppArmor during installation if they prefer.

The switch to install SELinux by default is going through implementation and aligns with a decision to grow adoption of SELinux for both SUSE and openSUSE. It’s expected to increase security by confining more services by default. SELinux is known for its rich security features and widespread use in enterprise environments.

The move is expected to bring tighter access controls to Tumbleweed. Users may encounter bugs or issues, but openQA tests for Tumbleweed have played a key role in identifying and resolving potential problems in the early adoption phase.

SELinux is traditionally used by Red Hat and derivative distros, while AppArmor is used by Debian, Ubuntu, and their derivatives. AppArmor is generally seen as easier to use, but SELinux has more configuration options, greater flexibility, and a higher degree of security.

openSUSE distros already have an outstanding reputation for security, with the the developers implementing several hardening options few other distros use. The change to SELinux will only improve that security even more.