Installing tor browser on secureblue

How does a person’s experience change their threat model?

ujust --choose then choose install-vpn in the menu.

1 Like

I think the developer just hates Gecko-based browsers; he could easily make a ujust --choose menu for other browsers.

1 Like

I wouldn’t say he hates Gecko-based browsers, but he definitely does not put in effort to make other browsers work without the need to sacrifice overall system security, since Trivalent is considered the browser on Secureblue. You still need to disable some of the unprivileged user namespaces restrictions for other browsers to work, not just Gecko-based ones. For other Chromium-based browsers it would just need a simple fix to get them to work on Secureblue, while still keeping user namespace restriction for unconfined_t active.

Most Chromium-based browsers share the vast majority of SELinux rules to get them to work. There is already a policy for Trivalent which could be adjusted for other Chromium browsers or the Chromium rules refactored and split out into a separate module. In the most basic form it only needs additional file context rules, and maybe some small adjustments for some special use cases like a browser shipping a VPN. Or you split out general Chromium rules and have small per-browser policies sharing these rules, for example via attributes.

For Firefox-based browsers it would mean quite a bit more work, since you would need a base policy for Firefox first, but for some commonly used Chromium-based browsers it wouldn’t be a big deal to make them work by default on Secureblue.

I can understand that a project with only a few core contributors needs to be very careful with their resources and time, but in this case it might be worth putting some time into it, since this is probably a common issue for users.

1 Like

So when installing tor or any other browser like Brave by layering the way you described, would that be “worse” in terms of security than using these browsers on Windows?

Regarding WireGuard: the problems I am encountering don’t even seem to be Secureblue related, as the VPN does not work with other distros either; I tried regular Fedora, Ubuntu and Mint. But the config file is correct since it works without problems in Windows (with the WireGuard app).

I agree that this is likely their posture - but to be fair, I think they have ‘moved’ away from being too strict as the project has progressed. I have recently installed Secureblue and can honestly say it was a ‘Graphene OS’ like moment. I am naturally interested in privacy but am non-technical and less ‘interested’ in security - so I want OSes that are as secure as possible while still allowing PG approved privacy apps to run effectively.

I read all the Secureblue FAQs and their Deepwiki and checked on Flathub that key privacy apps existed so I knew what to expect.

I was pleasantly surprised that I could set up Mullvad VPN so easily

I initially set up the FF/MB/TB trio via Flatpak (only really having to disable hardened malloc in Flatseal).

I ditched FF when I found that Trivalent worked without problem for my set of logins …

I uninstalled MB and TB Flatpaks after reading about the MB app being non-approved and SHA123 describing layering.

TB and MB are both now layered via rpm-ostree (MB helped by the fact that the Mullvad repo was already installed for Mullvad VPN), so this was literally rpm-ostree install mullvad-browser.

The only (fairly significant) disadvantage is that the harden-malloc needs turned off via ujust every time I use MB/TB (vs the Flatpaks where it is turned off permanently).

In my view, I have moved to a much more secure system while not having to give up any of my (strongly held) privacy principles and I have Mullvad VPN, Mullvad Browser and Tor Browser all working fairly easily.

Secureblue is completely free, SHA123 has pointed out it is a small group of dedicated people running it and, in my view, it is way ahead of Windows/Apple.

If I have a bit of inconvenience to remind me to undertake ‘mindful browsing’ it’s a price I am prepared to pay.

Have a good day everybody

That is what I did and mullvad app comes up blank.

It worked fine on my last install a couple of weeks ago.

I installed Mullvad yesterday, but I was not getting internet. However, I installed ProtonVPN instead and it worked?

Try run0 systemctl enable --now mullvad-daemon and reboot.

Maybe you need to enable XWayland?

I did that. I’ll probably try it again at some point.

I just wanted to share some more thoughts.

I am not any longer angry with Secureblue.

I really hope I am not out of line saying this, and this applies to me as I am guilty of not wanting to put the work in sometimes figuring out new systems. I got so used to the “I want it now, I want it fast” ungrateful mentality.

I think Secureblue should stay the course and lock down stuff, even if it breaks convenience features. It is my responsibility to learn the OS and not the developers’ responsibility to dumb it down for me by making a gradually less secure OS to please everyone. On top of that, taking away needed time focusing on security and/or privacy development.

In my later years I have learned the value of “Time”. Once gone it can’t be reclaimed. If not for developers putting in the time, their own time, especially with little donations, this digital world could be a lot worse.

If someone wants security and/or privacy bad enough, they’ll seek it, learn it and apply it.

I write this because of my own passive aggressive statements about Secureblue and some self reflection on my attitude in general and I am sorry for the unproductive comments and ungratefulness that someone, somewhere is putting in the time so I can have a more secure OS at no cost to those who don’t have a lot of money to donate.

Nothing wrong with questions or discussions. Please don’t misunderstand.

I would hate to see any developer in the privacy and security domain succumb to dumbing down an OS or project at the cost of security and/or privacy just to make it work for those who are too lazy to do their own work and learn the software or tools.

1 Like

Oh, I am not mad or upset at the developer either! I am very thankful that projects like Secureblue exist, where people put energy and time into something without even getting paid.

I also understand why certain things do not work or can’t work. My issue is just that I really want to learn more about it, learn how to do certain things, how to make them work on Secureblue, and that is unfortunately not possible for beginners. And that is a shame IMHO. I think it should be made possible for beginners as well to use distros that have better security so that they aren’t “forced” to use something that might offer good privacy but lacks in security.

No worries, I was not fingering any individuals other than myself and random complaints I have seen over the years.

There’s a lot of stuff to respond to in here, so I’m gonna do it all in one big post. In the future though please direct these questions to our Discord :smile:.

Distro Box
a warning about this practice.

Yes, the warning is just to inform the user not to treat Distrobox as a sandboxing tool

So what is the recommended way to install Tor on Secureblue?

I would recommend using it in a VM. We recently shipped virt-manager OOTB, which you can use to provision a VM for Tor Browser. FAQ | secureblue

If the YouTube video I watched earlier was accurate, they are going to integrate browsers through Bazaar once it is ready, then flag the Flatpak versions and block them.

Correct, see the Flatpak section of this guide. That said, support for a nested, per-app user namespace toggle may be coming to flatpak according to Sebastian Wick, which is great news. :slight_smile:

if there is no support it seems impossible for a beginner.

Highly responsive community support is available on the Discord.

  • Install either via download or layer torbrowser-launcher via rpm-ostree
  • Enable unprivileged user namespaces for unconfined_t domain via ujust (or write an SELinux policy for Tor Browser)
  • Start Tor Browser without hardened malloc (via ujust)

A VM is of course preferable to this, but what you’ve described is unfortunately preferable to the flatpak, because of the same issue with flatpaked browsers described here.

I believe secureblue is immutable,
you can’t modify the core system

Incorrect on both counts, please read our FAQ. :slight_smile:

what even is layering (and how to do it)?

what are namespaces?

I have already explained that secureblue is not yet ready for general use. It is still in an early development stage.

This is not accurate. Secureblue is ready for general use.

Some hardened OSes intentionally make apps like Tor Browser difficult to run unless you relax certain security assumptions.

We don’t intentionally make it difficult to run. It has incompatibilities with hardened_malloc and needs userns, both of which we provide convenient toggles for.

I think the developer just hates Gecko-based browsers; he could easily make a ujust --choose menu for other browsers.

There’s a difference between analyzing software relative to its competitors and hating said software. In any case, what you mentioned would amount to an anti-feature that enables users to shoot themselves in the foot. See the earlier link to why using a Firefox-based browser on secureblue is contradictory.

think they have ‘moved’ away from being too strict as the project has progressed.

If you say so :sweat_smile:. The goal has always been the same. Sane defaults with toggles to undo hardening as needed.

that the harden-malloc needs turned off via ujust every time I use MB/TB (vs the Flatpaks where it is turned off permanently)

Please open a feature request for this :slight_smile:

We should put this right into the desktop file for convenience

it is way ahead of Windows/Apple.

Sadly no. For example, the most secure Windows system is well ahead of secureblue and the Linux desktop generally.

It is my responsibility to learn the OS and not the developers’ responsibility to dumb it down

Making sure that hardening can be conveniently toggled off is very much in scope. We have long-term plans to make a GUI for all the toggles, which should improve convenience/reduce friction/improve user education. But this is fairly long term.

My issue is just that I really want to learn more about it, learn how to do certain things, how to make them work on Secureblue, and that is unfortunately not possible for beginners.

I strongly encourage you to ask away on the Discord :smile:

4 Likes

@RoyalOughtness thank you so much for your reply.

Regarding support: like I had mentioned, I am not on Discord and do not plan to be :wink: So I’d greatly appreciate if you were moving to a different support platform!

One more thing regarding Tor and other browsers on Secureblue: I understand you say that using them will weaken security. Do you mean that security will be even weaker than using these browsers on a regular Fedora installment (or Windows), or do you mean that security will “just” be weakened compared to only using Trivalent? So basically I am asking the security rankings of the following options:

  • Secureblue with only Trivalent and only apps from verified Flatpak
  • Secureblue with other browsers and apps, layered or as VM
  • Regular Fedora with only packages from Fedora repository
  • Default Windows with Bitdefender and apps downloaded from the app developers’ sites

Thank you very much for your help!

I believe you have these correct from most secure to least secure. Trying to fit Windows into this list is comparing apples to oranges and you’d probably have to specify which exact element of “security” you’re interested in comparing.

Why is installing the .tar and running the tor browser with standard malloc not recommended? Firefox says something about user namespaces being unrestricted in the tar, but as long as they are disabled in secureblue that shouldn’t be an issue I guess. Is VM just a matter of extra isolation? Or are there any other considerations to be had?