communication #164236

closed

RFC: Prefer AppArmor in infrastructure policy

Added by crameleon 4 months ago. Updated 4 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Compliance
Target version: -
Start date: 2024-07-20
Due date:
% Done: 0%
Estimated time:

Description

Currently our policy states:

Services reachable over the network should be protected with the default Mandatory Access Control System provided by the distribution (AppArmor or SELinux).

The wording "default" will make various Tumbleweed systems uncompliant after the default MAC system gets changed:
https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/YN4TCBCU4A2V5G2MWR5EWYF46267BO7F/

Current status:

  • We exclusively use AppArmor and actively maintain profiles for various applications.
  • Non-distribution packages used in our infrastructure only ship AppArmor profiles.
  • The majority of our active administrators are experienced with AppArmor.

I do not think any of the above points will change soon - unless there is some eager volunteer wanting to transform AppArmor profiles into SELinux policy modules (and more importantly, wanting to maintain those going forward).

Hence I propose to change the wording slightly:

Services reachable over the network should be protected with a distribution provided Mandatory Access Control System (preferably AppArmor, alternatively SELinux).

(I understand that this can be considered an opinionated change.)


Related issues 1 (0 open, 1 closed)

Related to openSUSE admin - communication #164718: 2024-08-01 18:00 UTC: openSUSE Heroes meeting (Closed, opensuse-admin, 2024-07-30)
