I was wondering if native MAC module support should be a criteria.
I say this because I was going through NixOS and realized that it has some sort of partial MAC support that is limited to an AppArmor alias workaround for individual or mass but not global security, thanks to the no-FHS compliance.
The lack of a native MAC that supports the distro’s file hierarchy system seems an item that we should bring to others’ attention. In my opinion, it undermines the security of this distro. If someday they can bring AppArmor to a native parser adaptation, the distro should be recommended, but as it is now, it has this small detail that detracts from it being on a praised podium.
My guess is setting up MAC via SELinux and AppArmor is still a pain and not worth the effort for general users that are not looking to secure their systems as much as possible.
PG does have a section regarding MAC. PG also warned that for Arch Linux users, they are expected to be knowledgeable to secure their desktop properly, including MAC, kernel module blacklists, etc.
To clarify, I want to make it clear that the situation is not the same for Arch. With Arch, we can install AppArmor via pacman, install apparmor.d via the AUR (or some other method that the Arch user prefers), enable apparmor.d in the Full System Policy, and automate the upstream-sync weekly (or any user frequency preference) profile updates. I understand that this provides a level of MAC (Mandatory Access Control) support comparable to what Fedora provides with SELinux. Of course, on Arch, you must configure all the steps I just shared, which is currently not achievable with NixOS for the parts that I highlighted.
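After following the Arch steps above, a practitioner usually wants a quick way to confirm that AppArmor is actually the active LSM and that the apparmor.d profiles loaded in enforce mode, rather than trusting that the packages installed. The script below is an added example, not from the original post or from the AppArmor or apparmor.d projects. It assumes the real kernel and sysfs locations (`/proc/cmdline`, `/sys/module/apparmor/parameters/enabled`, `/sys/kernel/security/apparmor/profiles`); the sample command line and profile listing embedded in it are constructed so the checks can run on any machine.

```sh
#!/bin/sh
# Added example (not code from the post or from the AppArmor projects):
# verify that AppArmor is enabled and that profiles are in enforce mode.
# Functions take their input as arguments so they can be run against
# constructed samples as well as the live system.

# lsm_has_apparmor "<kernel cmdline>"
# Returns 0 if an explicit lsm= list on the command line names apparmor,
# 1 otherwise. Without lsm= the kernel's compiled-in CONFIG_LSM order
# applies, so treat "no lsm=" as "not explicitly enabled" and rely on
# apparmor_enabled below as the authoritative check.
lsm_has_apparmor() {
    for tok in $1; do
        case "$tok" in
            lsm=*)
                case ",${tok#lsm=}," in
                    *,apparmor,*) return 0 ;;
                    *) return 1 ;;
                esac
                ;;
        esac
    done
    return 1
}

# apparmor_enabled "<contents of /sys/module/apparmor/parameters/enabled>"
# The kernel exposes "Y" when the AppArmor LSM is active.
apparmor_enabled() {
    [ "$1" = "Y" ]
}

# count_profiles "<contents of .../apparmor/profiles>" "<enforce|complain>"
# The profiles file lists one "name (mode)" entry per line.
count_profiles() {
    printf '%s\n' "$1" | grep -c " ($2)\$" || true
}

# Constructed samples standing in for the live files.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-linux root=/dev/sda2 rw lsm=landlock,lockdown,yama,integrity,apparmor,bpf'
SAMPLE_ENABLED='Y'
SAMPLE_PROFILES='firefox (enforce)
chromium (complain)
/usr/bin/pass (enforce)'

# audit_system: run the three checks against the live files when present,
# otherwise fall back to the constructed samples. Prints a summary.
audit_system() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || printf '%s' "$SAMPLE_CMDLINE")
    enabled=$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || printf '%s' "$SAMPLE_ENABLED")
    profiles=$(cat /sys/kernel/security/apparmor/profiles 2>/dev/null || printf '%s' "$SAMPLE_PROFILES")

    if lsm_has_apparmor "$cmdline"; then
        echo "lsm= names apparmor: yes"
    else
        echo "lsm= names apparmor: no (kernel default LSM order in use)"
    fi
    if apparmor_enabled "$enabled"; then
        echo "AppArmor LSM active: yes"
    else
        echo "AppArmor LSM active: NO"
    fi
    echo "profiles in enforce:  $(count_profiles "$profiles" enforce)"
    echo "profiles in complain: $(count_profiles "$profiles" complain)"
}

audit_system
```

A profile count of zero in enforce mode with AppArmor active means the apparmor.d policy was installed but never loaded or is sitting in complain mode, which is the case the weekly sync should also watch for. Reading the sysfs profiles file needs root on most systems; `aa-status` from the apparmor package reports the same information for interactive use.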