Have you seen this project?
I know of the existence of systemd-homed in general, but not this project discussion. What's your point?
I see that the project's discussion topic has the tag confined-users. I was wondering if the phrase "Selinux Confined Users" you refer to includes this project or not.
They probably just tagged them, because it concerns the "Selinux Confined Users" proposal.
This won't happen anytime soon. I used Selinux Users on desktop and it was a major pain.
Yep, it's probably years away.
Can recommend using and contributing to it, for people who can report and deal with Apparmor issues.
I'll check it out.
Would recommend to try it in a VM. Barely anything runs unconfined.
You mean Kicksecure or Arch?
What do you mean by now? CIL has been used for quite some time.
Now as in "in the last few years", to my knowledge. I didn't realize they were lower level, I found them more intuitive. But then again I find most things about selinux more intuitive than apparmor. Maybe I'm just weird.
Off topic and wrong (read the following post by @ph00lt0 for clarification)
Then someone from the Privacy Guides @team should tag you as Secureblue's maintainer.
Off topic, but just to be clear, maintainers should themselves apply for that badge and get verified. They are not just assigned by us.
I thought that you and the rest of the team assigned badges to maintainers whenever you saw one on the forum, possibly to warn about possible conflicts of interest.
Thank you for the correction, will change my post accordingly.
apparmor.d in general, for example on Arch.
As a casual PC user, I took a look at the apparmor.d project. First, the project owner is really maintaining the project with great dedication. But almost all of the profiles in the project are installed in complain mode by default, so I thought it would be a matter of trial and error for users to determine which of the hundreds of profiles would be stable in enforce mode. Users will have to take care of reporting their findings back to the project owner, if they are not too lazy. Moreover, the onus seems to be on users to guess which system applications, DE applications and services that will be started in the future correspond to which of the hundreds of profiles, and whether it would be wiser to set those profiles to enforce mode or leave them in complain mode. I think that casual users have neither the knowledge nor the experience to guess these things. It is also expected that apparmor.d will be built and packaged from source by the users themselves. The profiles in the source repository are always updated, the AUR package may be updated by itself, but other packages may need to be updated by users. To install profiles in enforce mode, the package needs to be built according to this criterion. It would be easier for casual users if there were three prebuilt packages for default, enforce and full system modes. Finally, even with the package installed in enforce mode, hundreds of profiles are loaded in complain mode because they are unstable, and the AppArmor version on Arch Linux has been outdated for months.
In short, as long as the process of installing apparmor.d and updating profiles is not made easier for casual users, I think the concept of secureblue will continue to be more user-friendly. IMHO, it could be clarified how other internet browsers (Brave, Firefox, Tor Browser, etc.) should be installed and whether bubblejail should be used for those browsers.
How does Secureblue compare to the Brace package when used on Fedora Silverblue??
So I took a proper look at secureblue and daily drove it for 2 days and I gotta say that this project is awesome! I'm definitely voting for secureblue to be included in recommendations.
Anyone know why this has been rejected?
The only problem is, the user has to use a CLI to rebase the image and rpm-ostree has a learning curve, if you are only familiar with dnf etc.
You have to make your own ISO atm.
5 posts were split to a new topic: Should Linux beginners use atomic or classic distros?
There is no good reason, and everything has been clarified by the creator.
Copying 4 commands into the terminal is a learning curve? Okay.
No, not only is rebasing a proper way to do it, but it's also easier.
FYI, we're likely to drop custom ISO support entirely in favor of an interactive script that assembles the rebase command based on the user's selections. This way new users can all use the official Fedora ISO to install Fedora Atomic and then simply use our interactive selector to rebase.
It would be great if you offered both and documented it in the readme. ISOs are more user-friendly and newcomers are familiar with them.