Secureblue - Immutable Fedora Hardening

Not sure whether this is really a net-positive on desktop. SELinux is only used for a small amount of processes on Fedora, many of which are more relevant to server usage.

It’s a significant net positive, and it’s not a “small amount of processes”. The stock policy confines all system processes. Userspace confinement is being worked on:

Security enthusiasts wanted: from beginners up to SELinux experts to make up the SELinux “Confined Users (SIG)” to foster Fedora’s security capabilities - Fedora Discussion (fedoraproject.org)
SIGs/ConfinedUsers - Fedora Project Wiki

It is much easier to write and maintain AppArmor profiles, and it’s possible to use projects like apparmor.d with a lot more profiles on Arch.

I would question the “quantity of profiles” as a viable metric. AppArmoring everything is a huge endeavour, so much so that Kicksecure has a dedicated project for it (GitHub - Kicksecure/apparmor-profile-everything: deprecated - maybe replaced by: apparmor.d). I very much doubt that very many, if any, people are AppArmoring their Arch systems to a point that even compares to a stock Fedora install.

Also, SELinux supports CIL policies now, so they’re much easier to write.