The kernel LSM is called SELinux, not the set of security policies.
Could you maybe give some examples of application profiles that are worth writing/applying AppArmor policies for, to secure them?
You need to be able to debug profiles, if you run them in enforcement mode and there are problems. From my experience, at least on EndeavourOS, there definitely will be problems. It’s usually not difficult to do, but is a bit cumbersome and a constant effort.
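Debugging a profile that fails in enforce mode mostly means reading the `apparmor="DENIED"` audit events and turning them into the rules the profile is missing. The script below is an added example, not code from the thread or the AppArmor project; the log lines are constructed (they follow the real audit field layout, but the profile name, paths and PIDs are made up).

```python
import re
from collections import defaultdict

# Constructed sample of AppArmor audit events as found in the kernel/audit log.
# Field layout matches the real format; profile, paths and ids are invented.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:11): apparmor="DENIED" operation="open" profile="/usr/bin/example-app" name="/home/user/.config/example/settings.ini" pid=4242 comm="example-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.102:12): apparmor="DENIED" operation="open" profile="/usr/bin/example-app" name="/home/user/.config/example/settings.ini" pid=4242 comm="example-app" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1700000000.103:13): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/etc/hosts" pid=4300 comm="other" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1700000000.104:14): apparmor="DENIED" operation="exec" profile="/usr/bin/example-app" name="/usr/bin/xdg-open" pid=4242 comm="example-app" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

# AppArmor writes every field as key="value"; one regex recovers them all.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(log_text):
    """Return the key/value fields of every apparmor="DENIED" event.
    ALLOWED events (complain mode) are skipped: they did not block anything."""
    events = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") == "DENIED":
            events.append(fields)
    return events


def summarize_denials(events):
    """Group denials as {profile: {path: set(denied_mask chars)}}, merging the
    repeated r/w denials on one file into a single entry per path."""
    summary = defaultdict(lambda: defaultdict(set))
    for ev in events:
        summary[ev.get("profile", "?")][ev.get("name", "?")].update(ev.get("denied_mask", ""))
    return summary


def suggest_rules(summary):
    """Render each path as an AppArmor file-rule line ('path mask,') for review.
    An 'x' mask still needs an exec qualifier (ix/Px/Cx/Ux) chosen by the reviewer."""
    rules = {}
    for profile, paths in summary.items():
        rules[profile] = [f"{path} {''.join(sorted(masks))}," for path, masks in sorted(paths.items())]
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules(summarize_denials(parse_denials(SAMPLE_LOG))).items():
        print(f"# rules missing from profile {profile}")
        for rule in lines:
            print("  " + rule)
```

On a live system the same parser can be fed `journalctl -k` or `/var/log/audit/audit.log` output; review each suggested rule rather than pasting it in, since a denial is not always something the profile should permit.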
I can’t speak for @SkewedZeppelin but I’d imagine “in its current state” is doing a lot of heavy lifting in this sentence here.
I personally believe they are the future of desktops, but we’ve been complaining about many missing features (incl. privacy and security related ones) for a long time, which are still needed to realize the potential advantages.
FMPOV the advantage of distros like Silverblue is that they provide a better base system for these features to be eventually added to; a lot of the things I’d like to see come to Linux would be much more challenging to implement on traditional distros. Until the missing features are actually built though, the difference is probably insignificant for most people.
That being said, I personally still think Silverblue has a system stability advantage over traditional distros even today, and I know people who frequently rebase on different desktop environments, which would be much more annoying to do on traditional distros. Also, I think it is useful for people to start learning how they work sooner rather than later.
Wouldn’t the upcoming version of OpenSUSE Aeon offer more stability?
I find the argument that immutable distributions are more secure questionable, but I think the best thing they do is to make system upgrades less problematic.
What is the Lynis score of Aeon/Kalpa/MicroOS? Tumbleweed has a score of more than 80 points. For some users this score doesn’t really matter, and I don’t think it’s everything in terms of security, but it’s still something that can be measured.
Immutable distros should solve many practical & theoretical security problems, chief among them malware gaining persistence through the core parts of your system, and possibly even reproducible builds in the future (or verifiable builds at the very least).
This, when combined with tools such as Full Disk Encryption, Secure Boot and hardware keys/TPM, builds further on the security foundation.
I would personally look into these tools as a measure of the strength of a system’s security over Lynis, which will give you warnings for outdated security concerns based on ancient CVEs.
On that note, since Aeon has automatic updates that don’t need any user interaction, that alone places it way ahead of most general purpose distros in terms of security.