Choice of Linux distros for advanced Linux users is very limited

As advanced Linux users, we all strive for a truly hardened system but the reality is, the choice of distros drops dramatically when you demand strong security, SELinux support, and trustworthy package maintenance.

Most distros either lack SELinux by default or require complex manual setup, including recompiling core packages with libselinux, a time-consuming and impractical task for most. Even if you manage it, you’re still exposed to risks like compromised maintainers or backdoored packages, as seen in the recent xz backdoor incident.

True security means more than just full disk encryption or a firewall. It requires:

  • SELinux enforcing out of the box

  • Minimal attack surface

  • Trusted, audited package repositories

  • Secure boot and verified integrity

Yet only a handful of distros meet these standards: Fedora, RHEL, Qubes OS and Gentoo stand out.

Others like Arch, Debian, Linux Mint, Ubuntu, MX Linux, Devuan, Kali, Parrot, Zorin OS, Black Arch, Garuda, Void, Alpine require extensive hardening and still fall short on default MAC enforcement.

There are hundreds of Linux distros out there, but only a handful of them can be picked. I really feel sad sometimes that we don’t have as many choices as beginners in Linux. It sorta feels like a parent watching their kids: the kids have all the happiness, no worries about anything, they can do anything they want, but the parent has so many responsibilities to take care of.

6 Likes

Most distros either lack SELinux by default or require complex manual setup,

What’s with AppArmor?
On Debian-based systems AppArmor is used instead of SELinux.
While I acknowledge that SELinux is way more fine-grained, I don’t see why AppArmor can’t be used instead of SELinux.

Others like Arch,

Arch doesn’t even have an actual installer nor a GUI by default.
It is a do-it-yourself distro. So yeah.

2 Likes

SELinux offers finer-grained control and stronger isolation. It has user roles, e.g. the user_r role: assign it to alice and now alice does not have access to sudo at all; she can’t do any administration tasks, but she can do daily activities like browsing, coding, etc. Even if the alice user gets compromised, the attacker has only as many privileges as alice. The attacker cannot spy on other users’ processes; it’s a very restrictive environment. If you know you are compromised, you can easily delete the user and create another user with the user_r role. This level of security and convenience you cannot get from AppArmor. What I mentioned is just the tip of the iceberg; there are many powerful features SELinux has which are amazing.

2 Likes

What about openSUSE Tumbleweed? Is it a good distro?

3 Likes

Only last year did they adopt SELinux; I can’t judge whether it’s a good or bad distro, but they are moving in the right direction by adopting SELinux to increase security.

3 Likes

While yes, this is true, almost nobody is setting up an entire full policy set themselves. Most distros come with pretty bare-bones policies by default, and there is no online user repository containing a large number of already created and working policies like there is with AppArmor (see apparmor.d). In fact, I would recommend AppArmor over SELinux for this very reason, as you can just set and forget, while with SELinux you would have to spend an exceedingly large portion of time to create a similar policy set.

2 Likes

The biggest issue with AppArmor is that it’s path-based. If the binary ever moves, it will no longer be covered by the AppArmor policy.

4 Likes

Use SecureBlue. Use a fancy OS in distrobox for application management if needed. Problem solved!

3 Likes

I agree there are a large number of policies available out there for AppArmor, but the policies are written by some other users; we don’t know how secure they are, we are blindly trusting the policy created by others. Blindly trusting a policy created by another user will put us at huge risk if malware infects the system. On the other hand, for SELinux, if you are only going to use the system for general purposes like browsing and coding, you can create an SELinux user with the user_r role. All apps running inside this user_r role run in a confined domain; it’s very secure. You can easily achieve this secure restrictive environment in just one command.

sudo useradd -Z user_u user

When confined, even a compromised root user cannot access or modify files belonging to other users unless explicitly allowed by policy.

3 Likes
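As an added example (not code from any poster in this thread): a small Python audit that parses `semanage login -l` output and reports which Linux logins are mapped to an unconfined SELinux user instead of a confined one such as user_u, the setup described in this post and in the earlier user_r explanation. The sample output is constructed, and the SELinux user names assumed are the standard targeted-policy ones.

```python
"""Audit which Linux logins are SELinux-confined, from `semanage login -l`."""

# Constructed sample of `semanage login -l` output (not from a real host).
SAMPLE_SEMANAGE_LOGIN = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
alice                user_u               s0                   *
bob                  staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
"""

# user_u/guest_u/xguest_u cannot reach sudo or su at all; staff_u and
# sysadm_u are confined but can become administrators, so report them apart.
NO_ADMIN = {"user_u", "guest_u", "xguest_u"}
ADMIN_CAPABLE = {"staff_u", "sysadm_u"}


def parse_semanage_login(text):
    """Return {login_name: selinux_user} from `semanage login -l` output."""
    mappings = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, blank lines and anything without a range column.
        if len(parts) < 3 or parts[0] == "Login":
            continue
        mappings[parts[0]] = parts[1]
    return mappings


def classify_logins(mappings):
    """Split logins into fully confined, admin-capable and unconfined."""
    report = {"confined": [], "admin_capable": [], "unconfined": []}
    for login, seuser in sorted(mappings.items()):
        if seuser in NO_ADMIN:
            report["confined"].append(login)
        elif seuser in ADMIN_CAPABLE:
            report["admin_capable"].append(login)
        else:
            report["unconfined"].append(login)
    return report


def remediation(login, seuser="user_u"):
    """semanage command that maps an existing login to a confined SELinux user.
    __default__ already exists in the mapping table, so it is modified (-m)
    rather than added (-a)."""
    flag = "-m" if login == "__default__" else "-a"
    return f"semanage login {flag} -s {seuser} {login}"
```

On a live host, feed the real `semanage login -l` output to parse_semanage_login and print remediation() for every login in the "unconfined" list; note that changing __default__ affects every login without an explicit mapping, including root, so add an explicit root mapping first.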

SecureBlue has many cons; I will create a separate post for that, and you can see the cons there.

For distrobox

Distrobox is a security risk if used to run untrusted software.

  • It mounts your entire home directory into the container, giving any process full access to your files.

  • A malicious app can escape confinement by modifying shell config files (e.g., .bashrc) or planting executables—no container breakout needed.

  • While rootless Podman improves isolation, the user-level access remains a weak point.

  • Distrobox was designed for development convenience, not security sandboxing.

3 Likes

Sure, so if it’s not development you need, then you should be using Flatpak for applications. And if you aren’t using that, then ujust has ways to run applications in sandboxes. Is there something missing here?

1 Like

Or to be more specific, what advanced feature are you lacking in other distros that, say, the ones you mentioned don’t provide? I’ve hopped for a while, and honestly I stopped needing bells and whistles and just want something with the most sane defaults.

1 Like

Flatpak uses bwrap under the hood, which is a nightmare for a hardened system: you need to enable unprivileged user namespaces, which is not secure. You can use setuid as a solution, but it’s still a bad idea. There have been many vulnerabilities in the past that escaped the bwrap sandbox.

  1. Good sandbox tools other distros have: Flatpak (bwrap), Firejail, landrun, etc. All these apps have pros and cons. The good thing about SELinux-supported distros is that they have a good sandboxing tool; it’s easy to use and is more secure than bwrap.
  2. There are many distros out there, but the problem is you must trust the distro’s maintainers, as they have root-level control over updates.
  3. Fedora (Red Hat) and Debian (community with strong governance) have widespread adoption and are backed by organizations.

1 Like

Well said hTahaCi. Exactly my thoughts. Looking forward to your post about SecureBlue.

2 Likes

As someone who is Linux first, security second, I personally trust the SecureBlue team to offer reasonable defaults, and that the Flatpaks I installed are not from risqué vendors. I don’t look for perfect security, but the best zero config from a Linux perspective, and unprivileged user namespaces aren’t in my top concerns. I like the stability of atomic, the immutability of core systems, and the focus on Flatpak for reasonable security.

I suppose my question is, are these concerns worth raising with SecureBlue to help elevate their project? Or are these concerns mainly applied to those who want strict security? Or are these threats better locked down in specific repositories?

Mainly looking for actionable advice for those who want 0 config (or minimal low risk updates) towards security. I’m not very well versed in Linux security, so I ask these for learning.

1 Like

Would you mind sharing some source which actually backs that up?

Which integrity? Ootb Secure Boot is a joke on the distros you mentioned.

So do the distros you mentioned

Did you check how much runs unconfined, including the domains which are quasi-unconfined but are not named this way, on the distros you mentioned? Because I can tell you that Fedora’s/RHEL’s SELinux policy is very lax.

Gentoo is how you make it. There is no default.

This does not automatically make bwrap a nightmare for a hardened system. You need to enable unprivileged user namespaces in the kernel anyway, if you intend to use a modern browser on your system while maintaining the browser’s sandbox layers. Btw, SELinux’s sandbox utility, which you recommend, uses seunshare, which is SUID.

3 Likes

This does not automatically make bwrap a nightmare for a hardened system. You need to enable unprivileged user namespaces in the kernel anyway, if you intend to use a modern browser on your system, while maintaining the browser’s sandbox layers.

The browser can fall back; you don’t need to enable unprivileged user namespaces. On hardened Linux kernels, unprivileged user namespaces are disabled by default for security reasons. Unprivileged user namespaces increase the kernel’s attack surface. They have been involved in multiple privilege escalation vulnerabilities (e.g., CVE-2016-3135, CVE-2020-5291).

SELinux enforcing out of the box

Sorry, you got it wrong here; I am talking about first-class support for SELinux. I am not just relying on default policies; instead I confine users, write policies for custom applications, etc.

Selinux’s sandbox utility, which you recommend, uses seunshare which is SUID.

Yes, it’s true, but at least it gives me the freedom of not enabling unprivileged user namespaces.

Which integrity? Ootb Secure Boot is a joke on the distros you mentioned.

You can manually use Unified Kernel Images (UKI) (Fedora 40+) to bundle kernel + initrd + cmdline into a single signed EFI binary; then you have end-to-end verified boot integrity.

Gentoo is how you make it. There is no default.

Gentoo has SELinux support; you can use stage3 hardened + SELinux. It has SELinux support, that’s why it’s included.

Would you mind sharing some source which actually backs that up?

Fedora and Debian have been around for decades—Debian since 1993 and Fedora since 2003—earning widespread trust for their stability, transparency, and strong security practices, which is why security-focused operating systems like Qubes OS, Kicksecure, Tails, and SecureBlue build on them.

2 Likes

Once you’re advanced and knowledgeable enough, it doesn’t matter which distro you use if we’re honest. You can always make it good enough starting from a blank slate.

Some make it a breeze or are very unique in the way they work; others are just a millionth variant of Arch/Debian with Ariana Grande as the default wallpaper and call themselves a distro. :joy:


I’d say that we do have some of those unique distros from PG’s recommended page that we can iterate from.


My main gripe and hate/love relationship is how annoying it is to mix and match each distro’s needs, hence I sometimes just give up and use a basic Ubuntu (mostly speaking for servers here, not end user environment).

Still, I think that two paths can be extremely rewarding and nice for people in the advanced tier[1] that would like to go even further:

  • Arch: do your own thing from scratch and enforce it as hard as you can/want, then export and import your settings with bash/other tools
  • NixOS: literally version-file your entire system and never have a regression, while at the same time knowing exactly what’s where on your machine, and stop being bothered by trying to remember where you put those font files or those config files to have the app shortcut on your desktop :grinning_face_with_smiling_eyes:

Arch is definitely popular and quite a lot of variants seeded out of it for very good reasons making it extremely cool for newcomers. :sparkles:

NixOS is the end-game for end-user + servers without going on the Ansible band-wagon IMO. :hugs:


Most of those are very useless ones or super niche hardcore ones without a lot of benefits to them specifically, IMO.
And can be totally forgotten. :+1:t2:


Kinda the burden of being a parent yes. :sweat_smile:
But at the same time, if your network/digital hygiene is overall clean, you might not need to worry too much. :light_blue_heart:


And yes :100: to what Jonah said below :backhand_index_pointing_down:t2:


  1. Not sure I’d call myself an advanced Linux user, but I do at least have quite some experience in that OS as a whole.

2 Likes

What are the other distro choices going to do for you though, when you can install whatever desktop environment or program you want on Fedora?

Your software choices in the Linux ecosystem remain virtually infinite. What choosing a distro does basically boils down to the package manager you want to use, and whether the software you choose to install is configured sanely by default. When it comes to the latter, it makes sense that only a few options, or one, will end up having the best defaults, but you can still change things to your heart’s content :slight_smile:

5 Likes

It seems to me you are downplaying the importance of secure implementation of kernel parts such as hardened_malloc.

This is how I look at it: let’s take Signal for example. Its settings are “almost perfect” AND practicality is retained ootb. For example, Signal only collects phone numbers (hashed), last connection time, and registration date. Also, metadata is stripped when you send photos through Signal.

Signal is good enough for most use cases but it is a starting point for advanced users. Desktop Linux seems way too lax for no good reason. Simply put if the defaults are broken then the entire system is broken to begin with.

1 Like