Have just "finished" preparing my Fedora 44 KDE Plasma machine. It's not that I like KDE; my red team sorta made me rebuild the OS because they were incrementally hacking it. And I lacked detailed steps to re-create Fedora 44 Gnome's SELinux configuration. Since the forum is saying KDE is sleek, much improved, and so forth; I decided to take a look. This time I documented the configuration steps 
Out of the box, Fedora makes user accounts with the unconfined profile. It has no restrictions. Just like Windows' first user account.
I confined the admin account to the staff_u profile, and confined my second daily use user account to the user_u profile. The staff_u can do admin things, and can sudo. But there should be some limitations that I haven't experienced yet. The user_u cannot do admin things.
These profiles are pre-made; comes with SELinux. However, some things aren't fully working. ChatGPT says these profiles are fully supported on Red Hat Linux. But on Fedora it has some rough edges.
To see what label you are, type id -Z
To see what labels are in a directory type ls -laZ
Then I made sudo require Yubikey, and sign in also requires Yubikey. This is a important part that foils remote hacking. One needs to touch the Yubikey as 2FA to complete a sudo command. This is configured via modification to PAM files in /etc/pam.d/
Done hardening it similar to what I did for Ubuntu: Setup Idea - Ubuntu Hardening
Except I cannot use Firejail, because it thinks SELinux profiles are a kind of virtualization and it exits.
Instead of firejail, SELinux has a mozilla_t profile. So instead of firejail's very minimized containment environment, I now have SELinux rules that whitelists allowed tasks.
Also, one has to make staff_u and user_u transition Firefox into mozilla_t. (That's the rough edges I was talking about) This mozilla_t is a pre-made profile. But is lacking a rule to make it work under user_u and staff_u. Ask your AI on how to do that. It needs a small rule file which you then apply.
There is also a SELinux boolean (global selinux var) that can be turned off with 'setsebool -P unconfined_mozilla_plugin_transition off' ChatGPT explains that it is only needed for old browser plugins like Flash and allows much expanded rights for plugins.
Looking for Max Feedback
Out of the box, Fedora makes user accounts with the unconfined profile. It has no restrictions. Just like Windows' first user account.
I confined the admin account to the staff_u profile, and confined my second daily use user account to the user_u profile. The staff_u can do admin things, and can sudo. But there should be some limitations that I haven't experienced yet. The user_u cannot do admin things.
The semanage command changes the profile, and the restorecon command relabels the directories and files. Simplistically speaking, SELinux labels everything and enforce whitelist rules that says what can interact with what.
These profiles are pre-made; comes with SELinux. However, some things aren't fully working. ChatGPT says these profiles are fully supported on Red Hat Linux. But on Fedora it has some rough edges.
To see what label you are, type id -Z
To see what labels are in a directory type ls -laZ
Then I made sudo require Yubikey, and sign in also requires Yubikey. This is a important part that foils remote hacking. One needs to touch the Yubikey as 2FA to complete a sudo command. This is configured via modification to PAM files in /etc/pam.d/
Done hardening it similar to what I did for Ubuntu: Setup Idea - Ubuntu Hardening
Except I cannot use Firejail, because it thinks SELinux profiles are a kind of virtualization and it exits.
Instead of firejail, SELinux has a mozilla_t profile. So instead of firejail's very minimized containment environment, I now have SELinux rules that whitelists allowed tasks.
Also, one has to make staff_u and user_u transition Firefox into mozilla_t. (That's the rough edges I was talking about) This mozilla_t is a pre-made profile. But is lacking a rule to make it work under user_u and staff_u. Ask your AI on how to do that. It needs a small rule file which you then apply.
There is also a SELinux boolean (global selinux var) that can be turned off with 'setsebool -P unconfined_mozilla_plugin_transition off' ChatGPT explains that it is only needed for old browser plugins like Flash and allows much expanded rights for plugins.
Looking for Max Feedback
Last edited:
