Skip to main content
openSUSE's Geeko chameleon's head overlayed on a cell-shaded planet Earth, rotated to show the continents of Europe and Africa

Welcome to English Planet openSUSE

This is a feed aggregator that collects what the contributors to the openSUSE Project are writing on their respective blogs
To have your blog added to this aggregator, please read the instructions

a silhouette of a person's head and shoulders, used as a default avatar

SELinux Userspace Utilities: Local Denial-of-Service Attack Vectors in seunshare in release 3.10

Table of Contents

1) Introduction

The seunshare program is part of the SELinux “sandbox” feature, which is used to confine untrusted programs using Linux mount namespaces and restrictive SELinux policies. The program is designed to be installed with setuid-root privileges, accessible to all users in the system.

We have been asked to review the program’s security with the intention of assigning the setuid bit to it on SUSE distributions in the future. Fedora Linux already ships this program with setuid-root enabled; other SELinux-enabled Linux distributions may do so as well.

During our review of the utility’s code in version 3.10 of the SELinux userspace utilities we identified two local Denial-of-Service attack vectors, which will be described in detail in the following sections. Upstream independently fixed these issues in version 3.11, without clearly marking them as security issues, however.

The rest of this report is based on version 3.10 of the codebase of seunshare.

2) Design Overview

The seunshare program is relatively small, consisting of about 1,000 lines of C code. The elevated root privileges are primarily needed to setup a custom mount namespace for the sandbox environment.

The program accepts a range of command line arguments which, among others, allow to request dedicated directories to be used for the following paths inside the sandbox:

  • the user’s home directory.
  • the /tmp directory.
  • the /run/user/<uid> directory.

For the /run and /tmp directories, the source paths specified by the user are copied into a random temporary directory in the initial mount namespace under /tmp/.sandbox-<label>-XXXXXX using the rsync program. These directories are then bind-mounted into the sandbox’s mount namespace to appear at the expected locations.

A lot of code in seunshare is concerned with securely maintaining these temporary directories. To allow the sandbox environment to modify the directory contents, seunshare assigns group write permissions for the real group ID of the calling user, as shown in this example:

drwxrwx--T. 2 root user 80 Jul  8 16:11 /tmp/.sandbox-user-OaxmUp/

To safely access user-provided paths, the program flips its filesystem UID to the real UID of the calling user and back to root, as needed.

3) Security Issues

Since seunshare is supposed to run on SELinux-enabled systems, it is important to understand what kind of privilege escalation can be achieved when vulnerabilities are exploited in a setuid-root binary like this. Many SELinux-enabled systems, such as Fedora and openSUSE, ship with the “targeted” SELinux policy by default. This policy is focused on confining well-known system services, but assigns an unconfined SELinux context to interactive users by default to achieve a balance between security and usability.

There is currently no domain transition from the unconfined domain to the more restricted seunshare_t defined in the SELinux policy for seunshare. This means the execution of seunshare continues in the unconfined domain. Thus in the context of attacks carried out by interactive users, the impact of the vulnerabilities below will be a root-like privilege escalation despite the system running in SELinux enforced mode.

3.1) Local File Deletion Attack Vector in rm_rf()

The function rm_rf() is called at the end of the utility’s execution to recursively remove temporary directory trees. While a comment in the function suggests that no symbolic links would be followed by this routine, the reality is that the openat() system call is lacking the O_NOFOLLOW flag. This creates a race condition during the recursion of the rm_rf() function:

  • first an fstatat() is performed for directory contents obtained from readdir() to safely determine whether an entry refers to a sub-directory.
  • when a directory is encountered the unsafe openat() happens, allowing the unprivileged user to replace the directory entry by a symbolic link in the meantime. While the O_DIRECTORY flag is passed to openat(), symbolic links in the target are still followed, as long as they point to a directory.

When the user calling seunshare is running in the unconfined SELinux domain, arbitrary root-owned files can be deleted this way. The vulnerability does not allow to delete arbitrary files of other users, however, because seunshare drops all capabilities before calling rm_rf(). This leaves the process in a somewhat strange state of privilege: it can no longer override discretionary access control (DAC) but it is still allowed to operate on files owned by the filesystem-uid of the privileged process, which is 0 during the invocation of rm_rf().

We developed a reproducer for this issue, which succeeds in executing the exploit quickly after some fine tuning of the timing for the target system. We verified that the reproducer works on current openSUSE Tumbleweed with policycoreutils 3.10 and the setuid-root bit enabled on seunshare. It does not work on current Fedora 44, as it seems Fedora backported a patch to fix this issue (it passes O_NOFOLLOW to the openat() call in question).

Upstream fixed this issue in commit 38f0a4d9a which is part of of the 3.11 upstream release.

3.2) Process Kill Attack Vector in killall()

seunshare offers --kill and -Z switches as documented in its man page:

-k --kill
       Kill all processes with matching MCS level

-Z context
       Use alternate SELinux context while running the executable

Both switches combined cause the killall() function to kill all processes running with the user-provided SELinux context. This does not fully work for arbitrary target processes due to SELinux access control; however, if the calling user is running in unconfined context (as explained previously) it allows to kill e.g. root-owned processes running also in unconfined context. Once the algorithm reaches its own PID (if the context matches), it kills itself, thus it is possible that only a certain range of PIDs can be killed this way depending on the PID selection order of the algorithm in killall().

We have been able to reproduce the issue both on openSUSE and on Fedora 44 using a command line like this:

seunshare --kill -Z unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -t ~/some-dir/ -- /usr/bin/true

Upstream fixed this issue by dropping the --kill switch and the killall() function in commit 572db2fa.

4) Remaining Concerns

The code of seunshare has seen major changes between version 3.10 and 3.11 of the SELinux userspace utilities. The new version of the program improves on various aspects of the code; generally the code shows awareness of various filesystem-related security concerns that are relevant for setuid-root binaries. Still a number of concerns remain:

  • Data which is modified in temporary directories within the sandbox is transparently copied back into the calling user’s source directory via rsync. Since the program is untrusted it can potentially create all kinds of dangerous files, which will now reside e.g. in the user’s regular home directory and could lead to security issues at a later time when accessed without care.
  • The code flips the filesystem UID a lot to temporarily drop root privileges for file operations. This logic is hard to follow in parts and leaves the process in an unusual state of privilege, as the effective UID is still 0; during the first stages of the program it also still has all capabilities. Due to the filesystem UID being set to the real user’s UID, file operations are carried out using the calling user’s lower privileges, however. From a design point of view it would be preferable to let the process operate in an unprivileged state by default (effective UID and GID set to the real UID and GID). Privileges could then be raised for the few operations that actually need root privileges.
  • The code currently lacks some common security precautions for setuid-root programs:
    • while a new environment variable block is set up to execute the untrusted target program, the privileged parent process keeps the untrusted environment variables of the calling user in place. These are also inherited to tools like rsync that are invoked for the purposes of setting up the sandbox. While this is not an issue at the moment, it could turn into a security issue at a later time when the code changes.
    • the umask() of the process is also kept unchanged, inheriting whatever the unprivileged parent process configured. This can cause files to receive world-readable or world-writable bits leading to unexpected attack vectors.

5) CVE Assignments

We approached the upstream SELinux userspace utilities developers and suggested to assign CVEs for the two issues discussed above. Upstream informed us that they don’t take care of CVE assignment themselves, however. Since Red Hat developers are also involved with upstream development, we are currently waiting for an agreement on who will assign CVEs to avoid duplicates.

6) Timeline

2026-07-03 We (mistakenly) approached the SELinux kernel code maintainer, asking for CVE assignments for these issues which have meanwhile been fixed in the 3.11 upstream release.
2026-07-03 The SELinux kernel code maintainer forwarded our report to the maintainers of the userspace utilities.
2026-07-06 An SELinux userspace developer informed us that the project is not actively assigning CVEs.
2026-07-07 We responded that we would be able to assign CVEs on our end, but would like to avoid a clash with any CVE assignment plans on the end of Red Hat developers working on SELinux. We thus asked for clarification of who will take care of it.
2026-07-15 Publication of this report.

7) References

the avatar of openSUSE News

openSUSE Asia Summit 2027 Call For Host

openSUSE.Asia Summit 2027: Call for Host

The openSUSE.Asia Summit is an annual conference that brings together openSUSE contributors, users, and Free and Open Source Software (FOSS) enthusiasts from across Asia. It provides a unique opportunity for the community to meet in person, exchange ideas, share technical knowledge, and strengthen collaboration.

As the openSUSE.Asia Summit 2026 will be held in Yogyakarta, Indonesia, the openSUSE.Asia Organization Committee is now inviting local openSUSE communities to submit proposals to host the 2027 summit.

Hosting the summit is a rewarding opportunity to showcase your local community, promote open source technologies, and connect with contributors from across Asia. The organizing committee will work closely with the selected team, providing guidance and sharing experiences from previous events throughout the planning process.

Important Dates

  • 10 August 2026 — Proposal submission deadline
  • 4 October 2026 — Host proposal presentation during openSUSE.Asia Summit 2026 in Yogyakarta, Indonesia
  • 31 October 2026 — Announcement of the openSUSE.Asia Summit 2027 host

Applicants are encouraged to join our regular online meetings before the summit. This is a great opportunity to learn about the event organization process, ask questions, and interact with organizers from previous years.

How to Submit

Please send your proposal to both:

  • summit@lists.opensuse.org
  • opensuseasia-summit@googlegroups.com

Since summit@lists.opensuse.org does not accept email attachments, please upload your proposal to a file-sharing service (such as Nextcloud, Google Drive, or Dropbox) and include the download link in your email.

Proposal Guidelines

Your proposal should include at least the following information:

  • Host city and venue
  • Transportation
    • International access to your city
    • Local transportation to the venue
  • Estimated budget
    • Venue
    • Catering (coffee break, lunch, dinner)
    • Conference dinner
    • Conference tour (optional)
    • T-shirts and event materials
    • Other operational expenses
  • Local organizing team
    • Introduction to your local openSUSE community
    • Experience organizing conferences or community events
    • Expected volunteers and organizing structure
  • Tentative event schedule
  • Potential local sponsors or partners (optional but recommended)

Before preparing your proposal, please read the openSUSE.Asia Summit Tips for Organizers: https://en.opensuse.org/openSUSE:Asia_Summit_Tips_for_Organizers

We look forward to receiving your proposal and welcoming a new host community for openSUSE.Asia Summit 2027. We hope to see your community become the next destination for the openSUSE community in Asia!

a silhouette of a person's head and shoulders, used as a default avatar

Syslog-ng 4.12.0 available for Ubuntu 26.04 (Resolute)

Recently I was asked if syslog-ng supports Ubuntu 26.04 (Ubuntu Resolute). Yes, and with the arrival of the syslog-ng 4.12.0 release we also provide ready-to-use packages for it. The release notes mention it, and info is in the Readme on GitHub.

I tend to mention FreeBSD and openSUSE more often in my blogs (personal preference), so today I installed Ubuntu 26.04 and tested syslog-ng myself.

Read more at https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-4-12-0-available-for-ubuntu-26-04-resolute

syslog-ng logo

the avatar of Nathan Wolf

Linux Saloon 209 | Fedora 44

The content discusses various topics in technology and Linux, such as hardware setups like the Warthunder Sim Rig, font management in Linux, and notable news like the retirement of the “Father of the Internet.” It also covers updates on Firefox, the Steam Machine launch, and Fedora governance changes, along with various resources and upcoming events.

a silhouette of a person's head and shoulders, used as a default avatar

Tumbleweed – Review of the week 2026/28

Dear Tumbleweed users and hackers,

This past week brought a few heart-stopping moments for both our users and the release engineering team!

For our users, the massive size of snapshot 0703 likely came as a surprise. However, the sheer size didn’t actually reflect a massive number of source changes. Instead, it was the result of reconfiguring Tumbleweed to stop building Python 3.11 modules. This shift required us to hand control of the rebuild strategy over to OBS (similar to how we handle full rebuilds for new compilers) and rely on build-compare to filter out unchanged packages.

For the release engineers, the Python change was straightforward. What actually tripped us up was an unfortunate combination of submissions in snapshot 0706, which ultimately had to be discarded. (As a quick aside: snapshots 0704 and 0705 were never built, as that was the weekend the full rebuild without python-3.11 was in progress.) We thought we had pinpointed the issue and reverted the suspected package, only to discover we had only solved half the puzzle.

The real culprits were selinux-policy—which initially looked like the perfect suspect after openQA failed dozens of SELinux tests—combined with an rpm packaging change that split its plugins into optional subpackages. Specifically, the plugin responsible for SELinux labeling became so optional that it was no longer installed by default. In retrospect, it was an easy bug to squash once we understood the root cause. For the technically curious: we simply added Requires: (rpm-plugin-selinux if selinux-policy) to the rpm package. This finally cleared our openQA tests, though it did force us to discard a few snapshots along the way.

Despite the turbulence, we successfully published 4 snapshots (0702, 0703, 0707, and 0708) this past week, delivering the following updates:

  • Removal of python311-* module packages: We are still shipping the Python 3.11 interpreter alongside base modules like pip and setuptools. This ensures you can still use pip/venv to install any necessary modules, though they will now be managed outside the control of openSUSE and zypper.
  • KDE Gear 26.04.3
  • KDE Plasma 6.7.2
  • SDL 3.4.12
  • fwupd 2.1.6
  • Linux kernel 7.1.2 & 7.1.3
  • setools 4.7.0
  • systemd 260.3
  • Mesa 26.1.4
  • GNOME Shell & Mutter 50.3
  • Mozilla Firefox 152.0.4
  • gpg 2.5.21 & gpgme 2.1.2

Let’s take a look at what we can expect in the coming days and weeks.

For starters, we will definitely be putting selinux-policy back into the queue after leaving it reverted for the time being. This will provide the final proof of whether the issue was indeed that tricky combination of submissions, or if rpm was acting up all by itself.

Peeking at the staging projects, integration tests are currently underway for several notable updates:

  • GStreamer 1.28.5
  • SELinux toolchain 3.11, together with selinux-policy
  • linux-glibc-devel 7.1: fix for llvm versions needed; llvm21 in ring as mandatory before we can move on
  • Qemu 11.0.0: 32-bit host support has been dropped. kiwi itself was fixed to no longer depend on the obsolete tools, but the current submission of kiwi introduced a regression, switching Grub2 on our built images from graphical to text mode
  • Podman 6.0.0
  • GCC 16 as the default system compiler
the avatar of openSUSE News

Planet News Roundup

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from July 3 to 9.

Blogs this week cover usability and printer improvements in Plasma 6.7, a sixth bugfix update for Plasma 6.6, and openSUSE’s support for the XBOOTLDR partition to ease systemd-boot migration. Posts also include a GSoC update on SVG build badges, a new Meteoclimatic plasmoid, a Tellico collection manager update, the July Krita drawing challenge, a retro LCD clock plasmoid, a critique of traditional AI benchmarks, a gVim Wayland guide, Tumbleweed snapshots for week 27, KDE Gear 26.04.3, animation improvements in Plasma, and the Linux Saloon podcast.

Here is a summary and links for each post:

Syslog-ng Java Destination Disabled

Peter Czanik’s Blog announces that Java support is being disabled in all of his syslog-ng packages as a “scream test.” Native C libraries now cover Elasticsearch and Kafka, HDFS has practically disappeared, and the Java drivers were removed from the source code years ago without complaint. The change has already landed in the official openSUSE package, with Fedora Rawhide and git snapshot packages next, and users relying on their own Java driver code are asked to speak up.

Kdenlive 26.04.3 Released

The KDE Blog covers the release of Kdenlive 26.04.3, the final maintenance update of the 26.04 series. The update fixes crashes when undoing sequence creation and when recording audio without an audio device. It also continues the cycle’s security hardening by preventing unwanted command execution on MLT versions older than 7.40.

Thunderbird Listens to Its Community to Improve the Desktop Application

Victorhck translates Thunderbird’s summary of hour-long interviews with ten users about how they manage preferences and settings in the desktop client. Findings include a “set and forget” configuration habit, a desire to cut clutter and cognitive noise from dense settings menus, and confusion caused by overly technical terminology.

The Open Build Service Blog announces an extension to the SCM/CI integration with a new link project step, letting users create project links directly in their workflows. This fills a missing piece needed to allow full project rebuilds for PR/MR sources such as stagings. The update also improves how OBS handles Git branches that do not contain a workflow definition file.

Usability Improvements in Plasma 6.7

The KDE Blog covers the usability enhancements in Plasma 6.7, including drag-and-drop favorites management, a more intuitive Discover software center, and faster virtual desktop switching in the Overview effect. The update also introduces an autocomplete mode for desktop file selection and easier time zone comparison in the Digital Clock widget.

The Illusion of Benchmarks: Traditional KPIs Don’t Make Sense for Measuring LLMs

Alessandro’s Blog argues that traditional benchmarks and KPIs are misleading when applied to large language models. Unlike conventional software, LLMs behave probabilistically and may ace academic tests while failing at real-world business tasks. The post warns that benchmark scores have increasingly become marketing tools rather than meaningful measures of actual capability.

Sixth Bugfix Update for Plasma 6.6

The KDE Blog announces the sixth bugfix release for Plasma 6.6, arriving nearly two months after the initial release. The update continues KDE’s regular maintenance cycle with stability improvements, better translations, and error resolution across the desktop environment.

Support of XBOOTLDR in openSUSE

openSUSE News explains how the XBOOTLDR partition provides an escape hatch for systems with insufficient ESP space when migrating to systemd-boot. The new partition can live anywhere on the disk and frees the ESP from storing kernel and initrd files. The post includes practical steps for creating the partition, configuring mount points, and migrating boot entries.

Meteoclimatic Plasmoid for the KDE Plasma Desktop

Victorhck introduces his first KDE Plasma 6 plasmoid, which displays real-time weather data from Meteoclimatic amateur weather stations directly on the desktop. The widget supports configurable font size, color, opacity, and background visibility. The code is hosted on Codeberg for easy installation and customization.

Printer Improvements in Plasma 6.7

The KDE Blog highlights the printing enhancements in Plasma 6.7, including a system tray printer icon that now shows active job counts. A new print queue management tool offers advanced multi-printer administration while remaining accessible for home use, and connecting to shared printers on Windows networks has been simplified.

Krita July 2026 Drawing Challenge #KritaChallenge

The KDE Blog promotes the monthly Krita drawing challenge for July 2026 with the theme “An Imaginary Friend.” Entries must be at least 90% created in Krita with no AI-generated content allowed. The winner earns the right to choose the next month’s theme and receives a featured spot on the site.

New Tellico Update

The KDE Blog announces Tellico 4.2.1, the latest release of KDE’s collection manager. The update refreshes data sources for Google Books, Google Scholar, and Colnect, and adds support for multiple ISBN values and a user-defined data fetch argument. The release continues the application’s migration to Qt6 and KDE Frameworks 6.

The Machinist

Jakub Steiner shares a brief personal reflection prompted by a recovered memory during a run, recommending Christian Bale’s film “The Machinist.” The post praises the movie’s mood, acting, and the director’s use of industrial imagery without revealing plot details.

GSoC Update 1: Can SVG Build Badges Update Themselves?

Mario’s GSoC Blog explores whether SVG build badges generated by obs-status-service can self-update in Gitea. Testing reveals that JavaScript inside SVG runs when embedded as an <object> or <iframe>, but not as an <img>, which is how Markdown renders images by default. The post concludes that live-updating badges are possible if Gitea serves them as objects, with a fallback to static server-side rendering for img contexts.

Retro LCD 7-Segment Clock – Plasmoids for Plasma 6 (34)

The KDE Blog presents the 34th installment in its plasmoid series, featuring a retro LCD 7-segment clock widget for Plasma 6. Created by corral76, the minimalist widget offers customizable colors, font, time format, blinking colon, shadow toggle, date display, and an alarm feature.

Linux Saloon 208 | News Flight Early Edition

Nathan Wolf’s Blog covers the latest Linux and technology news, including hardware builds like the Warthunder Sim Rig, font management in Linux, and Firefox updates. The episode also discusses the Steam Machine launch, Fedora governance changes, and the retirement of the “Father of the Internet.”

Improving Animations – This Week in Plasma

The KDE Blog translates Nate Graham’s weekly Plasma report, highlighting animation improvements coming in Plasma 6.8 with better physics models and smoother notification sliding. The post also covers bugfixes across Plasma 6.6.6, 6.7.2, and 6.7.3, including KWin crash fixes, display corrections, and security hardening for task manager widgets.

Make gVim clientserver work with Wayland

FreeAptitude’s Blog provides a guide for getting gVim’s clientserver functionality working under Wayland, building on a previous Dolphin service menu for opening files in gVim tabs. The post addresses the compatibility challenges between the X11-based clientserver protocol and Wayland’s security model.

Tumbleweed – Review of the Week 2026/27

Victorhck and Dominique Leuenberger report on three published Tumbleweed snapshots (0627, 0628, 0630) with updates to libzio 1.15, Mozilla Firefox 152.0.3, gpgme 2.1.1, and Pango 1.58.0. In-progress staging includes KDE Gear 26.04.3, KDE Plasma 6.7.2, Linux kernel 7.1.2, Mesa 26.1.4, Podman 6.0.0, and Qemu 11.0.0 dropping 32-bit host support.

Third Update of KDE Gear 26.04

The KDE Blog announces KDE Gear 26.04.3, the third bugfix update for the KDE applications suite. Notable fixes include Elisa properly switching audio output devices when the global output changes, KDE Connect resolving file transfer issues when notification sending is enabled, and Kdenlive fixing the playback head disappearing during preview.

View more blogs or learn to publish your own on planet.opensuse.org.

a silhouette of a person's head and shoulders, used as a default avatar

Syslog-ng Java destination disabled

For many years, syslog-ng used Java, where C libraries were unavailable. However, over the years native C libraries became available for Elasticsearch and Kafka, and HDFS practically disappeared. As a “scream test”, I am going to disable Java support in all of my syslog-ng packages.

Once upon a time, Java support was added to syslog-ng to be able to load Elasticsearch Java drivers. Later, Kafka, HDFS, and a generic HTTP destination were also added. Unfortunately, using Java was a major pain. Loading libraries required some manual configuration. Packaging the Java destination in official Linux distribution packages was possible, however, packaging the actual drivers written in Java was impossible. For a while, I maintained unofficial packaging for these drivers, but as C alternatives appeared, I removed these components. Nobody complained. Recently all drivers, except for HDFS, have been removed from the source code as well. Again: nobody complained.

Right now, we still have HDFS support in the source code, but not for long. I have been posting about it for years now, and nobody asked us to keep it. This is the last driver making use of the Java destination of syslog-ng. We will delete it soon, too.

We do not delete code related to Java right now. However, as a “scream test” I am going to disable the Java destination in all my packages. I have done it already in the official openSUSE syslog-ng package. Fedora Rawhide is next. I will also remove it from my git snapshot packages.

If you use Java with your own driver code, let us know! Otherwise, the Java destination will be not just disabled in packages but removed from code as well.

syslog-ng logo

the avatar of Open Build Service

SCM/CI: Project Links and Better Handling of Disconnected Branches

We have some news to share regarding the SCM/CI integration for the Open Build Service. The feature has been extended with a link project step, allowing you to create project links in your workflows. On top of that, we improved the handling of Git branches that do not contain a workflow definition (workflow.yml file). Link Projects in Your Workflows One missing piece for SCM/CI integration, needed to allow full project rebuilds for PR/MR sources (stagings),...

the avatar of openSUSE News

Support of XBOOTLDR in openSUSE

More Space

openSUSE moved to BLS some time ago using the bootloaders systemd-boot and GRUB2-BLS that nowadays is mostly a repackaging of the traditional GRUB2, as the main patches are already merged since 2.16.

This decision also required more space in the ESP partition, as now the kernel and initrds of all snapshots are stored in /boot/efi/$TOKEN, where $TOKEN can be the machine-id, opensuse-tumbleweed or opensuse-microos, depending on the installation. For new installations, this is not a problem since the installer (YaST or Agama) will recommend a large (1 GB) partition; for older installations, the migration can be problematic, to the extreme that if the partition cannot be resized. It is advisable to keep the old GRUB2-EFI bootloader.

But if we decide to use systemd-boot, there is a escape hatch: XBOOTLDR

A New Partition

XBOOTLDR is a new partition that can live anywhere in the disk. The ESP has some limitations in that regard, and usually is the first partition in the system. If present, systemd-boot will look for the menu entries and the kernel / initrds in there, freeing the ESP of that responsibility.

The file system of this partition needs to be also FAT32, like the ESP as this is a limitation of the UEFI, and during the creation needs have a specific GPT identifier (GUID). With fsdisk, we can create a new partition and assign the type 142 or xbootldr; this will assign the correct GUID into the partition table and systemd-boot will recognize it.

Mount Points

Because of this new partition, the mount points needs to change too. As commented, the traditional place where openSUSE put the ESP is in /boot/efi but now we have two places. The UAPI recommendation is to have always the boot entries and the kernel in /boot, and only if there is a separated partition for the boot loader, then this will be placed in /efi. Because this is the case now, we will need to update out /etc/fstab:

UUID=4165-E891 /efi  vfat utf8,dmask=0077,noexec,nodev,nosuid,nosymfollow 0 2
UUID=414C-528C /boot vfat utf8,dmask=0077,noexec,nodev,nosuid,nosymfollow 0 2

Change the UUID to point to the correct device.

sdbootutil can find both partitions and write in the correct place now, depending if we are updating the bootloader or adding new entries.

Now we can move the boot entries and the kernel directories, both placed in the old /boot/efi/loader path. We can manually move it into the new partition, just keep loader/random-seed and loader/loader.conf in the old place, but the rest of the loader/ directory can be moved.

More information about a more detailed description can be found in the following section:

Further Documentation

a silhouette of a person's head and shoulders, used as a default avatar

The Machinist

I couldn't remember something for weeks. It popped into my head during a run — a relief, even though the memory itself was not pleasant. This episode of my flaky mind reminded me of this movie.

I won't give you even a hint of what the movie is about. The strength of it is not the premise, but the mood, the superb acting and Christian Bale's physical dedication to the role impressed me, alongside a cast of wonderfully weird characters and ominous presence of giant spinning machines. If you somehow missed the movie, give it a go. It's one of those that keep coming back to you.