communication #164236: RFC: Prefer AppArmor in infrastructure policy - openSUSE admin - openSUSE Project Management Tool

Actions

Copy link

communication #164236

closed

RFC: Prefer AppArmor in infrastructure policy

Added by crameleon 4 months ago. Updated 4 months ago.

Status:

Resolved

Priority:

Normal

Assignee:

crameleon

Category:

Compliance

Target version:

Start date:

2024-07-20

Due date:

% Done:

Estimated time:

Description

Currently our policy states:

Services reachable over the network should be protected with the default Mandatory Access Control System provided by the distribution (AppArmor or SELinux).

The wording "default" will make various Tumbleweed systems uncompliant after the default MAC system gets changed:
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/YN4TCBCU4A2V5G2MWR5EWYF46267BO7F/

Current status:

We exclusively use AppArmor and actively maintain profiles for various applications.
Non-distribution packages used in our infrastructure only ship AppArmor profiles.
The majority of our active administrators are experienced with AppArmor.

I do not think any of the above points will change soon - unless there is some eager volunteer wanting to transform AppArmor profiles into SELinux policy modules (and more importantly, wanting to maintain those going forward).

Hence I propose to change the wording slightly:

Services reachable over the network should be protected with a distribution provided Mandatory Access Control System (preferably AppArmor, alternatively SELinux).

(I understand that this can be considered an opinionated change.)

Related issues 1 (0 open — 1 closed)