• ctr1@fl0w.cc
    link
    fedilink
    English
    arrow-up
    15
    ·
    1 year ago

    I would look into Gentoo’s Hardened + SELinux profile if you want good security in a standard system, but as others have mentioned QubesOS is probably the most secure option OOTB (but it is very limiting). SELinux is pretty difficult to use but it’s really effective, and there is good information about it on the Gentoo wiki. Not sure what exactly goes into their hardened profile but I know it implements at least some of the suggestions listed on that site (like hardened compilation flags). Also it’s probably more vulnerable to 0-day attacks than Qubes, since it uses up-to-date software. But it’s really flexible, and learning SELinux is useful

    • ruination@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      You can even mix and match it H/SELinux with musl (and Clang, if you’re up for some masochism and performance boost), though it does require patching sometimes. From my experience, you can find patches from Alpine’s Aports and that should fix it ~90% of the time, but sometimes you’d need to write your own. Another tip in case you’re interested in trying musl on Gentoo is that there’s a compilation flag for large file support documented in Gentoo Wiki’s musl development page which fixes compilation failures caused by calls to functions with names ending in 64 (e.g. fseek64). This is yet another massive source of compilation failure in musl. Lastly, you should mask musl versions ≥ 1.2.4 if you want to have any semblance of a * good time with it.

      • ctr1@fl0w.cc
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        Oh good to know! Thanks for the tips. What do you like about musl over glibc?

        • ruination@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          To be honest, I only use it for fun. Unless you enjoy tinkering like I do, or you have really low RAM, there’s no reason to use it over glibc. I’m aware that Madaidan also mentioned that it is more secure, but I’m not too knowledgeable on that so I can’t really comment.

          • ctr1@fl0w.cc
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Ah gotcha, just asking because I’ve never used it before. Good to know that Gentoo supports hardening it

            • ruination@discuss.tchncs.de
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              Gentoo lets you do basically whatever you want. The whole idea of it is that you make all the decisions in your system, as opposed to how most distros impose their developers’ choices.

                • ruination@discuss.tchncs.de
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  Really fasttracked my Linux learning experience too. If you’re starting out Linux and are predisposed to masochism like I am, using Gentoo as your first distro really catalysed my understanding of Linux (at the cost of a week’s worth of crying and self-loathing lmao).

                  • ctr1@fl0w.cc
                    link
                    fedilink
                    English
                    arrow-up
                    2
                    ·
                    1 year ago

                    Totally, props on taking it on as your first distro! Haha, yeah a week of pain sounds about right. My last Gentoo setup took an entire month (off and on), but I was doing something crazy (Qubes-like, every application in its own Gentoo VM, strict SELinux on host and guests)… ended up ditching that because I got comfortable enough with SELinux to write stronger policies for everything important, which is good enough for me.

                    I had the benefit of using other distros before trying Gentoo, so my first attempt at it wasn’t so bad (but still took two full days). It’s definitely taught me way more than any other distro, including Arch (although Arch was a very good stepping stone). I don’t think I could go back to anything else at this point