Note that users defined with an explicit UID below 500 are exempted from this check, as <xreflinkend="opt-users.users._name_.isSystemUser"/> has no effect for those.
</para>
</listitem>
<listitem>
<para>
The <literal>security.apparmor</literal> module,
for the <linkxlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link>
Mandatory Access Control system,
has been substantialy improved along with related tools,
so that module maintainers can now more easily write AppArmor profiles for NixOS.
The most notable change on the user-side is the new option <xreflinkend="opt-security.apparmor.policies"/>,
replacing the previous <literal>profiles</literal> option
to provide a way to disable a profile
and to select whether to confine in enforce mode (default)
or in complain mode (see <literal>journalctl -b --grep apparmor</literal>).
Before enabling this module, either directly
or by importing <literal><nixpkgs/nixos/modules/profiles/hardened.nix></literal>,
please be sure to read the documentation of <linklinkend="opt-security.apparmor.enable">security.apparmor.enable</link>,
and especially the part about <xreflinkend="opt-security.apparmor.killUnconfinedConfinables"/>.
</para>
</listitem>
<listitem>
<para>
The GNOME desktop manager once again installs <package>gnome3.epiphany</package> by default.