Maybe this project will expand in the future to other popular distributions, including Arch.
Very unlikely. Not only is Arch behind Fedora as a base on which to build a hardened image, it lacks the breadth and depth of tooling and surrounding ecosystem for image building (ublue, blue-build, rpm-ostree, etc)
How should secureblue users install Firefox, Mullvad Browser, Brave Browser, Tor Browser, etc., should users follow the steps here ?
It’s not recommended that you use Firefox based browsers (for security reasons), but if you need them for some reason then yes the link you sent is correct (except for chromium based browsers like brave, which should never be installed via flatpak since flatpak interferes with the much more robust internal chromium sandboxing: Flatpak support | Vivaldi Forum)
Not sure whether this is really a net-positive on desktop. Selinux is only used for a small amount of processes on Fedora, many of which are more relevant to server usage.
It’s a significant net positive, and it’s not a “small amount of processes”. The stock policy confines all system processes. Userspace confinement is being worked on:
It is much easier to write and maintain Apparmor profiles and it’s possible to use projects like apparmor.d with a lot more profiles on Arch.
I would question the “quantity of profiles” as a viable metric. Apparmoring everything is a huge endeavour, so much so that kicksecure has a dedicated project for it (GitHub - Kicksecure/apparmor-profile-everything: deprecated - maybe replaced by: apparmor.d). I very much doubt very many if any people are apparmoring their arch systems to a point that even compares to a stock fedora install.
Also, SELinux supports CIL policies now, so they’re much easier to write.
Arch also has a few advantages, like not relying on backports, being closer to upstream versions, offering a hardened kernel and having better package availability.
None of these are really advantages. “being closer to upstream” isn’t always advantageous security wise. Have a look at xz for a recent example . Arch’s hardened kernel is just a brand name for a specific kernel configuration. The Fedora kernel used in secureblue is hardened as well. Better package availability is also questionable aside from not being a security advantage, especially given the existence of distrobox and brew.
Ironically Arch was barely affected by the xz backdoor scare precisely because they are closest to upstream, among other reasons. Arch had no funny “extra” sshd patches found in the other major distros (cough cough) that the backdoor relied on.
Yes, I saw that post. Also in this thread it was discussed whether the flatpak package should be avoided for Firefox, like Chromium based browsers.
Anyway, I understand that installing Brave Browser by distrobox, homebrew or layering does not limit or reduce any of its functionality. I remember having trouble adding Brave’s official repository to Silverblue.
You will lose all namespace and chroot parts of FF’s sandbox, by using the Flatpak version.
This won’t happen anytime soon. I used Selinux Users on desktop and it was a major pain and only possible to use if you extend it with your own policies. I reported several Selinux issues and they are still open after a long time. Fedora’s Selinux refpolicy maintainers seem to be struggling to find the time to even keep up fixing bugs. So I don’t see Selinux Confined Users succeeding anytime soon, especially not for the average user.
Which has been replaced by apparmor.d . It’s an amazing project with a great maintainer. Surprisingly many users seem to be using it, reporting issues and even on the weekends the maintainer often fixed issues within a day or so. Can recommend using and contributing to it, for people who can report and deal with Apparmor issues.
Would recommend to try it in a VM. Barely anything runs unconfined.
What do you mean by now? CIL has been used for quite some time. That’s the first time I hear someone say that CIL is easier to write. Usually it’s quite the opposite and most users will only use CIL directly in some edge cases. I mean there is a reason why it’s called Common Intermediate Language:
I see that the project’s discussion topic has the tag confined-users. I was wondering if the phrase “Selinux Confined Users” you refer to includes this project or not.
This won’t happen anytime soon. I used Selinux Users on desktop and it was a major pain
Yep, it’s probably years away.
Can recommend using and contributing to it, for people who can report and deal with Apparmor issues.
I’ll check it out
Would recommend to try it in a VM. Barely anything runs unconfined.
you mean kicksecure or arch?
What do you mean by now? CIL has been used for quite some time.
now as in in the last few years, to my knowledge. I didn’t realize they were lower level, I found them more intuitive. But then again I find most things about selinux more intuitive than apparmor. Maybe I’m just weird
I thought that you and the rest of the team assigned badges to maintainers whenever you saw one on the forum, possibly to warn about possible conflicts of interest.
Thank you for the correction, will change my post accordingly.
As a casual PC user, I took a look at apparmor.d project. First, the project owner is really maintaining the project with great dedication. But almost all of the profiles in the project are installed on complain mode by default, so I thought it would be a matter of trial and error for users to determine which of the hundreds of profiles would be stable on enforce mode. Users will have to take care of reporting their findings back to the project owner, if they are not too lazy. Moreover, the onus seems to be on users to guess which system applications, DEs applications and services that will be started in the future correspond to which of the hundreds of profiles, and whether it would be wiser to set those profiles to enforce mode or leave them in complain mode. I think that casual users have neither the knowledge nor the experience to guess these things. It is also expected that apparmor.d will be builded and packaged from source by the users themselves. The profiles in the source repository are always updated, AUR package may be updated by itself, but other packages may need to be updated by users. To install profiles under enforce mode, the package needs to be build according to this criterion. It would be easier for casual users if there were three prebuilt packages for default, enforce and full system modes. Finally, even with the package installed on enforce mode, hundreds of profiles are loaded on complain mode because they are unstable, and the AppArmor version on Arch Linux has been outdated for months.
In short, as long as the process of installing apparmor.d and updating profiles is not made easier for casual users, I think the concept of secureblue will continue to be more user-friendly. IMHO, it could be clarified how other internet browsers (Brave, Firefox, Tor Browser, etc.) should be installed and whether bubblejail should be used for those browsers.
So I took a proper look at secureblue and daily drove it for 2 days and I gotta say that this project is awesome! I’m definently voting for secureblue to be included in recommendations.
. Arch’s hardened kernel is just a brand name for a specific kernel configuration. The Fedora kernel used in secureblue is hardened as well. Better package availability is also questionable aside from not being a security advantage, especially given the existence of distrobox and brew.