Oh, I tried importing wireguard config which secureblue recommends. I’ll try that method.
So I would type ujust–mullvad install-vpn ?
How does a person’s experience change their threat model?
ujust --choose then choose install-vpn in the menu.
1 Like
Unfortunately, this might be a case of secureblue doing exactly what it’s designed to do. Some hardened OSes intentionally make apps like Tor Browser difficult to run unless you relax certain security assumptions.
I think the developer just hate Gecko-based browsers he could easily make a ujust --choose menu for other browsers.
I wouldn’t say he hates Gecko-based browsers, but he definitely does not put in effort to make other browsers work without the need to sacrifice overall system security, since Trivalent is considered the browser on Secureblue. You still need to disable some of the unprivileged user namespaces restrictions for other browsers to work, not just Geck-based ones. For other Chromium-based browser it would just need a simple fix to get them to work on Secureblue, while still keeping user namespace restriction for unconfined_t active.
Most Chromium-based browsers share the vast majority of Selinux rules to get them to work. There is already a policy for Trivalent which could be adjusted for other Chromium browsers or the Chromium rules refactored and split out into a separate module. In the most basic form it only needs additional file context rules, and maybe some small adjustments for some special use cases like a browser shipping a VPN. Or you split out general Chromium rules and have small per-browser policies sharing these rules, for example via attributes.
For Firefox-based browsers it would mean quite more work, since you would need a base policy for Firefox first, but for some commonly used Chromium-based browsers it wouldn’t be a big deal to make them work by default on Secureblue.
I can understand that a project with only a few core contributors needs to be very careful with their resources and time, but in this case it might be worth putting some time into it, since this is probably a common issue for users.
1 Like
So when installing tor or any other browser like Brave by layering the way you described, would that be “worse” in terms of security than using these browser on Windows?
Regarding Wireguard: my problems I am encountering don’t even seem to be Seureblue related as the VPN does not work with other distros either, I tried regular Fedora, Ubuntu and Mint. But the config-file is correct since it works without problems in Windows (with the Wireguard app).
I agree that this is likely their posture - but to be fair , I think they have ‘moved’ away from being too strict as the project has progressed. I have recently installed Secureblue and can honestly say it was a ‘Graphene OS’ like moment . I am naturally interested in privacy but am non-technical and less ‘interested’ in security - so I want OS’s that are as secure as possible while still allowing PG approved privacy apps to run effectively.
I read all the Secureblue FAQs and their Deepwiki and checked on Flathub that key privacy apps existed so I knew what to expect.
I was pleasantly surprised that I could set up Mullvad VPN so easily
I initially set up the FF/MB/TB trio via Flatpak ( only really having to disable hardened malloc in Flatseal )
I ditched FF when I found that Trivalent worked without problem for my set of logins …
I uninstalled MB and TB Flatpaks after reading about the MB app being non-approved and SHA123 describing layering .
TB and MB are both now layered via rpm-ostree ( MB helped by the fact that the Mullvad repo was already installed for Mullavd VPN ) , so this was literally rpm-ostree install mullvad-browser.
The only ( fairly significant disadvantage) is that the harden-malloc needs turned off via ujust every time i use MB/TB ( vs the Flatpaks where it is turned off permanently )
I my view , I have moved to a much more secure system while not having to give up any of my ( strongly held ) privacy principles and I have Mullvad VPN , Mullvad Browser and Tor Browser all working fairly easily .
Secureblue is completely free , SHA123 has pointed out it is a small group of dedicated people running it and , in my view, it is way ahead of Windows/Apple.
If I have a bit of inconvenience to remind me to undertake ‘mindful browsing’ it’s a price I am prepared to pay.
Have a good day everybody
That is what I did and mullvad app comes up blank.
It worked fine on my last install a couple of weeks ago.
I installed Mullvad yesterday, but I was not getting internet. However, I installed ProtonVPN instead and it worked?
Try run0 systemctl enable --now mullvad-daemon and reboot.
Maybe you need to enable XWayland?
(post deleted by author)
I did that. I’ll probably try it again at some point.