I’ve been attempting to install tor browser on secureblue. At every turn something has prevented it from launching. so far best I can tell its a userns problem, but even the ujust command to enable that has not fixed it. I would really love advice about this. if I cannot use tor browser on this os it is practically unusable to me.
Did you disable hardened_malloc for Tor only?
AFAIK it doesn’t play well with Firefox
4 Likes
If Firefox is built with --enable-replace-malloc it would work.
1 Like
flatpak install https://dl.flathub.org/repo/appstream/org.torproject.torbrowser-launcher.flatpakref
flatpak --user override --env=LD_PRELOAD= org.torproject.torbrowser-launcher
1 Like
You would still run into the same problem and have to remove LD_PRELOAD from the Flatpak.
1 Like
Running Tor Browser with a weakened sandbox due to Flatpak is not a good option. Better layer it.
Better to just run Tails in a VM?
but then you’d have to ujust with-standard-malloc tor-browser-launcher in a terminal each and every time
Have you thought about using Whonix via virt-manager?
If that is a bit too much work for you, you can also use Gnome Boxes or Distro Box to run Tor Browser in just about any Linux distribution you want within SecureBlue
3 Likes
So what is the recommended way to install Tor on Secureblue?
@RoyalOughtness could you please let me know what the recommended way is to install Tor (and other browsers)? I am not on Discord and do not know where else to get support. Thank you!
I don’t know how much this matters but the secureblue FAQ has a warning about this practice.
1 Like
If the YouTube video I watched earlier was accurate, they are going to integrate browsers through Bazaar once it is ready, then flag the Flatpak versions and block them.
Thanks, but I am still confused on how to install Tor (and other browsers). I find it very difficult to get info/tutorials on Secureblue - I am willing to learn but if there are is no support it seems impossible for a beginner.
I don’t know if it is possible to securely install other browsers at present. Secureblue is such a new project. I would recommend booting Tails if Tor is required or Mullvad Browser + VPN on another distro in the meantime. There are ways to route all traffic through Tor if you want to use Trivalnet + Tor. It isn’t a substitute for Tor Browser though.
There are other reasonably secure atonic Fedora based distributions that will make migrating easier once secureblue is ready. Ostree is the reason you are struggling to install Tor Browser however.
- Install either via download or layer torbrowser-launcher via rpm-ostree
- Enable unprivileged user namespaces for unconfined_t domain via ujust (or write a Selinux policy for tor browser)
- start tor browser without hardened malloc (via ujust)
1 Like
That is my understand as well.
Thanks, but this is what I mean: as a beginner, what even is layering (and how to do it)? what are namespaces? I cannot find any beginner-friendly tutorials on all these things. And most importantly: would installing an app in such a way be a security risk?
I believe secureblue is immutable, so you can’t modify the core system. Non-Flatpak applications can be added on top of but not tightly integrated into the core OS. This is to prevent malicious programs interfering with root system files, which keeps you safe. The downside is this also reduces functionality if configuration files cannot be edited. Unless the developer verifies and intergrates an application at that deep level the system will reject it. Flatpak is sandboxed so it runs without interfering with the core OS. But sucure browsers are actually less secure in this environment. If you want to install new programs, as a begginer, then wait for the OS to mature. The developers are working on an easy way to layer browsers into the system.
I would reccomend regular Fedora, where these browsers can be installed natively, without Flatpak. It is still private but slightly less secure. Since sucureblue is based on Fedora you will learn valuable skills before switching to secureblue. It may even be possible to ‘upgrade’ to an immutable version of Fedora then switch to secureblue without reinstalling. But I’m not certain about that.
1 Like
I suggest to use whoonix/tails via virt-manager.
It’s the most secure and privacy way to do it and it should be the recommended way.
1 Like