Description
This issue is a follow-up to #13840
Currently there are three rules located in the fips group which are really about specific modifications of crypto policies:
- fips_crypto_subpolicy
- fips_custom_stig_sub_policy
- and possibly also fips_crypto_policy_symlinks
Before the PR mentioned above was merged, the whole fips group had a platform in group.yml which made it inapplicable to containers, bootc systems, etc.
This mostly makes sense, because FIPS mode is achieved differently in containers and immutable systems.
The PR was rather a quick fix.
I think that ideally the rules mentioned above should be moved to the crypto group, which has no applicability restrictions.
At the same time, the applicability of the rules in the fips group could return to group.yml.
What remains to be solved is to later ensure proper rule ordering in the crypto group. In particular, the rule fips_custom_stig_sub_policy caused problems when it was placed after the general configure_crypto_policy rule: when remediating (imagebuilder), the remediation of configure_crypto_policy could fail if fips:stig is configured, because it tries to set a policy whose subpolicy does not exist yet.
Of course, this would not happen if fips:stig were shipped directly in the distro.
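The ordering failure described above can be made explicit in a remediation instead of being left to rule order alone. The following is an added example, not the project's own remediation code: a POSIX sh guard that takes a policy string such as `FIPS:STIG` and refuses to proceed while any of the named subpolicy modules is missing. It assumes the crypto-policies module layout of one `<MODULE>.pmod` file per module in a modules directory; the function name and the directory parameter are constructed for this example so the check can run against a temporary directory offline.

```shell
#!/bin/sh
# Added example (not ComplianceAsCode's remediation): guard that checks whether
# every subpolicy module named in a crypto policy string exists before the
# policy is applied. Assumes the crypto-policies layout <dir>/<MODULE>.pmod;
# the modules directory is a parameter so the check can be exercised offline.

# Usage: subpolicy_modules_present POLICY MODULES_DIR
# Returns 0 when every module after the first ':' has a .pmod file in
# MODULES_DIR, otherwise prints the missing module names and returns 1.
# A policy without ':' (e.g. "FIPS") names no modules and always passes.
subpolicy_modules_present() {
    policy=$1
    dir=$2
    missing=""
    # Everything after the base policy name is a ':'-separated module list.
    case $policy in
        *:*) modules=$(printf '%s' "${policy#*:}" | tr ':' ' ') ;;
        *)   modules="" ;;
    esac
    for m in $modules; do
        [ -f "$dir/$m.pmod" ] || missing="$missing $m"
    done
    if [ -n "$missing" ]; then
        printf '%s\n' "missing subpolicy module(s):$missing"
        return 1
    fi
    return 0
}

# Stand-alone demonstration with a constructed, empty modules directory:
# the first check fails (STIG.pmod absent), the second passes once the
# subpolicy file has been created, mirroring the rule-ordering problem.
demo_dir=$(mktemp -d)
subpolicy_modules_present "FIPS:STIG" "$demo_dir" || echo "deferring: FIPS:STIG cannot be set yet"
touch "$demo_dir/STIG.pmod"
subpolicy_modules_present "FIPS:STIG" "$demo_dir" && echo "all modules present, FIPS:STIG can be set"
rm -rf "$demo_dir"
```

A remediation that calls such a guard before setting the policy fails fast with a clear message instead of failing inside the policy tool, and the same check can serve as the ordering condition: run the subpolicy rule first, or let the policy rule skip and report when the module it depends on is not yet present.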
Ideas and comments welcomed.