openSUSE Leap 16 Adopts NSA's SELinux

openSUSE Leap 16 defaults to NSA-developed SELinux, eliminates X11 for Wayland-only operation, ships web management on all interfaces, and uses a remote installer with documented mDNS attack risks.

openSUSE Leap 16 launched October 1, 2025 with a complete architectural rebuild. The distribution now uses identical source code and binaries from SUSE Linux Enterprise 16 (SLES), SUSE's commercial product. Previous Leap versions borrowed from SLES but maintained separate builds.

That separation no longer exists.

Users running Leap 16 can migrate to paid SLES 16 without reinstalling. SUSE, owned by Swedish private equity firm EQT Partners since 2018, gets free testing from the community. The company has changed hands five times since 1992: Novell ($210M, 2003), Attachmate ($2.2B, 2011), Micro Focus ($2.35B, 2014), EQT ($2.535B, 2018), then public via IPO (2021), then private again (2023).

SUSE Ownership History: five ownership changes in three decades

  • 1992: Founded
  • 2003: Acquired by Novell ($210M)
  • 2011: Sold to Attachmate ($2.2B)
  • 2014: Merged with Micro Focus ($2.35B)
  • 2018: Bought by EQT Partners ($2.535B)
  • 2021: Initial Public Offering
  • 2023: Taken private again

The distribution runs Linux kernel 6.12 LTS and provides 24 months of updates. SUSE plans annual point releases through Leap 16.6 in 2031. Leap 17 arrives 2032.

SELinux Replaces AppArmor

Leap 16 switches from AppArmor to SELinux as the default mandatory access control system. The United States National Security Agency created SELinux. The NSA released the code under GNU GPL on December 22, 2000. NSA developers remain active maintainers. The Linux kernel removed "NSA SELinux" branding in version 6.6 (2023), but the intelligence agency continues development.

Red Hat, Secure Computing Corporation, and Network Associates have contributed to SELinux over two decades. The architecture and threat model originated at the NSA, an agency conducting signals intelligence and offensive cyber operations.

SELinux uses label-based security contexts on files, processes, and ports. AppArmor uses path-based profiles. SELinux offers finer control but requires complex policy writing. AppArmor is simpler but less granular.

Users can manually switch to AppArmor after installation. SELinux is the supported default. Previous Leap versions defaulted to community-developed AppArmor.

SELinux breaks software expecting unrestricted filesystem access. Docker, gaming via Steam, and custom systemd services require policy modifications. The selinux-policy-targeted-gaming package addresses some gaming issues.
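
An added example (not from openSUSE or the SELinux project): a shell function that summarises AVC denial records by command, source type, target type, object class and permission, which is the information a policy modification for a denied service starts from. The log lines are constructed samples and the function names are hypothetical; on a live system the input would come from the audit log.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit records on stdin.
# Live input would be e.g.:  ausearch -m AVC --raw | summarize_avc

summarize_avc() {
    awk '
    # Return the value of a key=value token on the current record ("?" if absent).
    # Values containing spaces (rare comm= names) are cut at the first space.
    function field(key,    i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return "?"
    }
    # A context is user:role:type:level; policy rules are written on the type.
    function setype(ctx,    p) { split(ctx, p, ":"); return p[3] }

    /avc: +denied/ {
        perms = $0
        sub(/^.*[{] */, "", perms)      # keep only the text inside { ... }
        sub(/ *[}].*$/, "", perms)
        n = split(perms, plist, " ")
        src = setype(field("scontext")); tgt = setype(field("tcontext"))
        for (j = 1; j <= n; j++) {      # one counter per denied permission
            k = field("comm") " " src " " tgt " " field("tclass") " " plist[j]
            count[k]++
        }
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample records (not taken from a real system).
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1759300001.101:201): avc:  denied  { execute } for  pid=911 comm="(myapp)" name="myapp" dev="sda2" ino=4411 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1759300001.101:201): arch=c000003e syscall=59 success=no exit=-13 comm="(myapp)"
type=AVC msg=audit(1759300061.330:214): avc:  denied  { execute } for  pid=957 comm="(myapp)" name="myapp" dev="sda2" ino=4411 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1759300062.007:215): avc:  denied  { read open } for  pid=957 comm="(myapp)" name="app.conf" dev="sda2" ino=4412 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1759300100.512:230): avc:  denied  { name_bind } for  pid=1203 comm="nginx" src=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

sample_avc_log | summarize_avc
```

Each output row is a count followed by command, source type, target type, class and permission, so the file-label denials and the port-label denial appear side by side.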

Agama Web Installer and mDNS Attack Surface

Agama replaces YaST, which openSUSE used for nearly 30 years. Agama runs as a web server during installation, accessible remotely at https://[IP]:9090 or via https://agama.local using mDNS.

The Agama documentation states: "Do not use the .local hostnames in untrusted networks (like public WiFi networks, shared networks), it is a security risk. An attacker can easily send malicious responses for the .local hostname resolutions and point you to a wrong Agama instance which could for example steal your root password."

mDNS broadcasts are unauthenticated. Any device on the network segment can respond to .local queries. The installer uses HTTPS with self-signed certificates by default. Browsers warn about these certificates. An adversary on the installation network can intercept credentials, modify partitions, inject packages, or install backdoors during MITM attacks.

The attack surface exists during installation when no firewall, IDS, or logging runs.

X11 Removed, Wayland is the Default

Leap 16 eliminates X11 and mandates Wayland. Desktop options: GNOME 48, KDE Plasma 6.4, or experimental Xfce 4.20 via labwc compositor. Obviously you can install X11 after the fact, but who is going to do all that?

X11 supported independent window managers, built-in display forwarding over SSH, direct screen capture, and programmatic window control. The protocol separated client requests from server policy.

Wayland consolidates control in compositor implementations. Screen capture requires compositor-specific APIs and user permission. Remote display needs additional protocols (RDP, VNC) instead of native forwarding. Independent window managers cannot exist; a full compositor implementation is required. Programmatic control depends on compositor protocol support.

XWayland provides compatibility by translating X11 calls to Wayland. Performance degrades. X11-specific tools break: direct framebuffer capture, some remote desktop software, custom window managers.

Cockpit Web Interface on All Network Interfaces

Cockpit ships as the default web management interface. The service listens on TCP port 9090 and binds to 0.0.0.0 (all network interfaces) by default. Any host reaching the server's IP can attempt authentication.

Cockpit capabilities:

  • View logs and metrics
  • Start/stop services
  • Manage user accounts
  • Modify storage and partitions
  • Execute terminal commands as root
  • Manage virtual machines
  • Install/remove software

Disable with systemctl disable --now cockpit.socket. If needed, restrict to specific IPs via /etc/systemd/system/cockpit.socket.d/listen.conf or firewall rules.
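
An added example (not from the Cockpit or openSUSE projects): one function flags listeners bound to every interface in `ss -H -ltn` output, and another prints a systemd drop-in for the listen.conf path named above that binds Cockpit to a single address. The function names, the sample `ss` output and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: find wildcard listeners on a port and build a Cockpit drop-in.

# Read `ss -H -ltn` output on stdin; print local endpoints on PORT that are
# bound to every interface (0.0.0.0, [::] or the dual-stack form "*").
wildcard_listeners() {
    awk -v port="$1" '
        {
            n = split($4, parts, ":")               # $4 is Local Address:Port
            if (parts[n] != port) next
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "0.0.0.0" || host == "[::]" || host == "*") print $4
        }'
}

# Print the contents for /etc/systemd/system/cockpit.socket.d/listen.conf that
# bind Cockpit to one address. Refuses wildcard or empty addresses.
cockpit_listen_dropin() {
    case "$1" in
        ''|'*'|0.0.0.0|::|'[::]') echo "refusing wildcard address" >&2; return 1 ;;
        '['*) addr="$1" ;;                          # already bracketed IPv6
        *:*)  addr="[$1]" ;;                        # bare IPv6 needs brackets
        *)    addr="$1" ;;
    esac
    # The empty ListenStream= clears the packaged value before the new one is
    # added; FreeBind lets the socket start before the address is configured.
    printf '[Socket]\nListenStream=\nListenStream=%s:9090\nFreeBind=yes\n' "$addr"
}

# Constructed sample of `ss -H -ltn` output (not from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      4096               *:9090             *:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*
EOF
}

sample_ss_output | wildcard_listeners 9090     # prints *:9090
cockpit_listen_dropin 192.0.2.10
# Apply on a real system (as root): write the output to the drop-in path, then
#   systemctl daemon-reload && systemctl restart cockpit.socket
```

After applying the drop-in, running `ss -H -ltn | wildcard_listeners 9090` again should print nothing.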

Network Connectivity Checks

The system automatically contacts conncheck.opensuse.org and proxy-nue.opensuse.org (both resolve to 195.135.221.140) to verify connectivity and repository access. No explicit user consent required.

Block via firewall rules or DNS blocking.
Standard HTTP headers transmit during these checks.

Additional Technical Changes

Leap 16 requires CPUs supporting the x86-64-v2 microarchitecture (Intel/AMD 2008+). 32-bit support is disabled by default; enable it manually via the grub2-compat-ia32 package and the ia32_emulation=1 kernel parameter. The release fixes the Year 2038 problem via 64-bit time_t.

Zypper supports parallel package downloads. Software includes GNOME 48, KDE Plasma 6.3.4, GIMP 3.0, RPM 4.20.

ISOs available at get.opensuse.org/leap/16.0/ for x86_64, ARM64, PowerPC. Leap 15.6 users migrate via official tool.

Details: news.opensuse.org/2025/10/01/next-chapter-opens-with-leap-release/
