Linux

60406 readers

734 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

The Quest for Reasonably Secure Operating Systems (yazomietech.bearblog.dev)

submitted 2 weeks ago* (last edited 2 weeks ago) by yazomie@lemmings.world to c/linux@lemmy.ml

60 comments fedilink hide all child comments

TL;DR - About switching from Linux Mint to Qubes OS from among various other options that try to provide security out-of-the-box (also discussed: OpenBSD, SculptOS, Ghaf, GrapheneOS)

you are viewing a single comment's thread
view the rest of the comments

[–] iopq@lemmy.world 1 points 1 week ago (1 children)

Well, that's because it's a first party solution. From NixOS point of view SELinux is mutating the store which is forbidden

[–] aaravchen@lemmy.zip 1 points 4 days ago (1 children)

It's not. SELinux predates Fedora. Fedora went all-in on SELinux pretty early on though (a few other older distros too, but Fedora is one of the few remaining with significant mind-share), and many other distros decided not to do security at all for many years.

AppArmor is "sufficient" if you only want to deal with known-in-advance high risk applications being locked down, which was the approach most other distros took since it's extremely complex to have a policy for absolutely everything (like SELinix requires).

In the latest distros using AppArmor, it's been expanding so much that it is arguably easier to just implement SELinux and derive from Fedora's Standard Policy. Ubuntu 24.04 for example was been broken by thier various AppArmor bugs for almost 1.5 years after release, all because they slapped system-wide AppArmor policy restrictions on the default system and didn't coordinate any of it.

SELinux also doesn't mutate the store unless the package in the store failed to set an SELinix file label. Providing the labels in most cases is trivial, so trivial in most cases that a global SELinux Nix policy package exists in a number of distros that can set normal defaults that work for most things.

[–] iopq@lemmy.world 1 points 4 days ago (1 children)

Setting the label is the mutation

[–] aaravchen@lemmy.zip 1 points 3 days ago (1 children)

And it's only necessary because Nix doesn't include it. Which is the only way anything is allowed to run on an SELinux system. SELinux doesn't require Nix mutation, it requires Nix to be complete.

There are workarounds to fix Nix's incomplete definitions, but most end users opt for the easy post-install solution that ends up mutating thier store rather than including the fix as a unique derivation for every package to add the missing SElinux labels and policy.

[–] iopq@lemmy.world 1 points 2 days ago

Which is what I was talking about when I said immutable systems need a first party solution. Meaning the system itself needs to implement it, you can't bolt it on with packages or services