communication #164236
closed
RFC: Prefer AppArmor in infrastructure policy
Description
Currently our policy states:
Services reachable over the network should be protected with the default Mandatory Access Control System provided by the distribution (AppArmor or SELinux).
The wording "default" will make various Tumbleweed systems non-compliant after the default MAC system gets changed:
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/YN4TCBCU4A2V5G2MWR5EWYF46267BO7F/
Current status:
- We exclusively use AppArmor and actively maintain profiles for various applications.
- Non-distribution packages used in our infrastructure only ship AppArmor profiles.
- The majority of our active administrators are experienced with AppArmor.
I do not think any of the above points will change soon - unless there is some eager volunteer wanting to transform AppArmor profiles into SELinux policy modules (and more importantly, wanting to maintain those going forward).
Hence I propose to change the wording slightly:
Services reachable over the network should be protected with a distribution provided Mandatory Access Control System (preferably AppArmor, alternatively SELinux).
(I understand that this can be considered an opinionated change.)