Well, to be honest, when I said the above I wasn't thinking of Fedora! I was thinking of the majority of other "popular" distros which have SELinux and AppArmor disabled by default (Mint, Pop!_OS, Manjaro, Zorin, etc.).
There are only really two "popular" types of distributions:
- Ubuntu-based (excluding Debian, but that's more of a server release)
- RPM-based (Fedora, RHEL, OpenSUSE, technically Qubes I guess)
Manjaro is an Arch-based distribution. I really wouldn't recommend using an Arch-based distribution like Manjaro or Garuda; only use mainline Arch Linux. EndeavourOS might be okay, but I don't see much reason to use it given Arch has an install script now. Manjaro in particular does not have a great security track record, but Garuda does some wacky stuff like build binaries for every PKGBUILD in the AUR and offers users an easy way to install those binaries with a graphical installer. Just use Arch if you want to use Arch.
OpenSUSE does enable SELinux by default, but does not include any policies.
Ubuntu has enabled AppArmor by default since 2007 and ships with more profiles in every release, according to the infamously outdated Ubuntu Wiki:
AppArmor support was first introduced in Ubuntu 7.04, and is turned on by default in Ubuntu 7.10 and later. AppArmor confinement in Ubuntu is application specific with profiles available for specific binaries. With each release, more and more profiles are shipped by default, with more planned.
Linux Mint is the only really popular Ubuntu-based distribution, and it also apparently enables AppArmor by default.
Whether profiles are included or not, I don't know.
Oh, and I think Manjaro implements AppArmor, but I still wouldn't recommend Manjaro...
Also I don't know if you are asking this question sarcastically (to prove me wrong) or if you are really curiously asking, hah.
I'm an Arch user, and I have no idea about Fedora or SELinux. I've been considering switching to Fedora because it allows you to easily enable FDE, sets up SELinux, and generally does a bunch of security stuff that is annoying to do on another distribution out of the box. It's a rolling release like Arch which ships most packages without changes and doesn't have quite so many updates, so you're still getting regular patches. It doesn't have as many official packages, though. I'm not sold on Flatpaks yet but I'm sure they'll continue to improve. So long as NVIDIA implements a real free software driver and the last H.264 patent finally expires in 2028, the small usability issues will also be gone. Well, assuming AAC patents are gone by then, too...
So I think Fedora is a great experience for novice and advanced users alike with very sane defaults. I've tried it out on an old computer and it seems fine, but I found out it ships an older version of cURL which wasn't new enough to build my RSS feed reader. I dread to imagine what version of cURL is shipped with Ubuntu.
You might know more on the subject than me, and I'd be very happy to hear what you might have to say. I'm a newcomer to Linux and my attempts at improving Linux security and educating myself on it have been heavily stonewalled either by a lack of good sources of information (too many pages with no good answers) or heavily technical documents and having to do everything in the command line (ridiculous IMO), which are beyond reasonable expectation for the average person to delve into. FYI, I know some programming and scripting (programming student), and generally am computer savvy. Yet even for me it's like... forget it. I can't be bothered to read a multi-day-long book just to be able to use SELinux or AppArmor in the command line.
This generally reflects my experience, although I will say I prefer doing most things in the terminal, and I do some system administration work on the side. I mostly couldn't be bothered with it and didn't bother implementing AppArmor or SELinux on my Arch installs. I also didn't bother with FDE for similar reasons. I would like to one day read a multi-day long book on the subject of SELinux...sometime, far into the future, on a lazy weekend.
AppArmor seems easy enough to get your head around to start with, from the little I did with it.
What's SELinux on Fedora like? I don't know! And that's the problem. There is like no easy-to-find explanation that one can read to learn about the exact implications of its presence. What does it do? How does it help? How good is it out of the box? Does it need anything else to be done? What? All... beats me. With something like Android, it's clear; long-winded, but clear. And it's easy to find and read on. Implemented perfectly out of the box with nothing else to do. Just learn to use.
I believe the Fedora implementation is meant to be similar to Android, in that it's meant to be perfect out of the box with nothing else to do. I'm afraid I can't help you there, since I still don't use Fedora as a daily driver. Maybe next year.
About their difference I can only quote one line that I heard while watching this YouTube video called "SELinux for Mere Mortals" (which, by the way, I gave up on halfway through)
Oh, hey, that's the same video I watched 5 minutes of a long time ago. Maybe one day. Probably right after I switch to Fedora...
A good post, thanks for this. But this is typical Linux. The fact that one has to worry about such low-level details and have to do it themselves is just the Linux story.
These disadvantages are actually to do with the TRIM standard and SATA itself. I don't imagine other operating systems have it any easier. From the Wikipedia page:
Faulty drive firmware that misreports support for queued TRIM or has critical bugs in its implementation has been linked to serious data corruption and/or serious bugs like frequent freezes in several devices, most notably Micron and Crucial's M500[75] and Samsung's 840 and 850 series.[76] The data corruption has been confirmed on the Linux operating system (the only OS with queued trim support as of 1 July 2015).
If your drive uses SATA 3.1+, you shouldn't need to worry about any of this. I assume most drive manufacturers have figured out how to make non-dodgy firmware by now...
I have no idea how Windows handles this.
We know data recovery companies do recover data from SSDs, but can they do it on deleted sectors too? I'd like to know the answer to that.
Ditto.
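The thread keeps circling around "is AppArmor/SELinux actually on, and are any profiles loaded?" without a way to check. The script below is added here as an example; nobody in the thread posted it, and it is not part of any distro's tooling. It answers the question from the kernel's own securityfs/selinuxfs files instead of distro wiki pages: which LSMs are active, how many AppArmor profiles are loaded in enforce vs complain mode, and whether SELinux is enforcing or permissive. The optional root-prefix argument on every function is an assumption made so the logic can be exercised offline against a constructed directory tree; on a real machine leave it empty and run as root, because the AppArmor profiles file is only readable by root.

```shell
#!/bin/sh
# Added example, not from the thread: report the LSM state the kernel itself
# exposes, so "enabled by default" can be checked rather than assumed.
#   /sys/kernel/security/lsm                 active LSMs (kernels >= 4.20)
#   /sys/kernel/security/apparmor/profiles   loaded profiles, one per line,
#                                            e.g. "/usr/sbin/cupsd (enforce)"
#   /sys/fs/selinux/enforce                  1 = enforcing, 0 = permissive
# Each function takes an optional root prefix (assumption for offline testing
# against a constructed tree; pass "" on a real system, running as root).

# Comma-separated list of active LSMs, or "none" when the file is absent
# (old kernel, securityfs not mounted, or a container without it).
active_lsms() {
    f="${1:-}/sys/kernel/security/lsm"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo none
    fi
}

# Count loaded AppArmor profiles per mode. Returns 1 if AppArmor has no
# securityfs entry, which is what you see on a distro that builds the LSM
# into the kernel but never loads a profile.
apparmor_counts() {
    f="${1:-}/sys/kernel/security/apparmor/profiles"
    if [ ! -r "$f" ]; then
        echo "apparmor: not available"
        return 1
    fi
    awk '/\(enforce\)$/    { e++ }
         /\(complain\)$/   { c++ }
         /\(unconfined\)$/ { u++ }
         END { printf "apparmor: enforce=%d complain=%d unconfined=%d\n", e, c, u }' "$f"
}

# SELinux mode from the enforce flag; returns 1 if selinuxfs is not mounted.
# Note: "enforcing" says nothing about whether a policy confines anything.
selinux_mode() {
    f="${1:-}/sys/fs/selinux/enforce"
    if [ ! -r "$f" ]; then
        echo "selinux: not available"
        return 1
    fi
    case "$(cat "$f")" in
        1) echo "selinux: enforcing" ;;
        0) echo "selinux: permissive" ;;
        *) echo "selinux: unknown" ;;
    esac
}

# Full report; never fails, so it is safe to call under `set -e`.
lsm_report() {
    echo "lsm: $(active_lsms "$1")"
    apparmor_counts "$1" || true
    selinux_mode "$1" || true
}

lsm_report ""
```

Run it with `sudo sh lsm_report.sh` on the machine in question. A distro that "enables AppArmor" but ships no profiles shows `apparmor` in the LSM list and `enforce=0 complain=0`; a Fedora-style SELinux install shows `selinux: enforcing`, which still leaves open what the loaded policy actually confines (that is what `seinfo` and `semanage` are for).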