Fedora Atomic is not secure. In fact, if you would somehow install malicious RPMs, or a program would do so, only on Atomic they can do so without a password.
This is crazy, and you can change the polkit file manually; I have no idea when this will be implemented.
https://gitlab.com/fedora/ostree/sig/-/issues/7
Apart from that, SELinux does not affect the user programs, Desktop and home filesystem. You and any program can execute any script it wants, place an autostart file in your home directory etc.
As long as the home directory allows arbitrary scripts, it is very vulnerable to exploits.
Also, your ~/.bashrc (or the other shell configs) is writable, so any program can alias what sudo does and thus catch your password.
Or your ~/.local/bin, ~/.local/share/applications/ etc. all being writable, this also means any program can pretend to be Firefox, for example, but catch your passwords (tbh by default any program can read your Firefox passwords, use a master password, people).
This me
Same with your ~/.ssh and ~/.gnupg keys being readable.
I second Secureblue, it works well. Firefox is removed, even though its insecurity is debatable. You can use the Flatpak or build it yourself:
https://github.com/trytomakeyouprivate/Firefox-hardened
Keep an eye on that repo, I will update it when I find out how to build release versions lol.
Also note that you will want to use userns images of Secureblue to have Podman/Docker working.
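
A read-only check for the kind of home-directory tampering the post above describes, as an added example that is not part of the original post: it flags shell startup files that redefine sudo, files in ~/.local/bin that shadow a system binary, per-user .desktop launchers that override a system one, and autostart entries. The function names, the SYS_BIN/SYS_APPS variables and the list of startup files are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the post); function names are hypothetical.
# SYS_BIN / SYS_APPS are assumed defaults; override them to audit a sample tree.
SYS_BIN=${SYS_BIN:-/usr/bin}
SYS_APPS=${SYS_APPS:-/usr/share/applications}
PRIV='(sudo|su|doas|pkexec)'

# Startup files that redefine a privilege-escalation command as alias or function.
check_shell_rc() {
  local home="$1" f
  for f in .bashrc .bash_profile .bash_aliases .profile .zshrc; do
    [ -f "$home/$f" ] || continue
    grep -nE "^[[:space:]]*(alias[[:space:]]+${PRIV}=|(function[[:space:]]+)?${PRIV}[[:space:]]*\(\)|function[[:space:]]+${PRIV}[[:space:]{])" \
      "$home/$f" | sed "s|^|RC-WRAPPER $f:|"
  done
  return 0
}

# Executables in ~/.local/bin or ~/bin with the same name as a file in SYS_BIN.
check_path_shadow() {
  local home="$1" d f
  for d in "$home/.local/bin" "$home/bin"; do
    for f in "$d"/*; do
      [ -f "$f" ] && [ -x "$f" ] && [ -e "$SYS_BIN/${f##*/}" ] &&
        echo "PATH-SHADOW ${f#"$home"/} shadows $SYS_BIN/${f##*/}"
    done
  done
  return 0
}

# Per-user launchers that override a system .desktop file, plus all autostart entries.
check_desktop() {
  local home="$1" f
  for f in "$home/.local/share/applications"/*.desktop; do
    [ -f "$f" ] && [ -e "$SYS_APPS/${f##*/}" ] &&
      echo "DESKTOP-OVERRIDE ${f##*/} $(grep -m1 '^Exec=' "$f")"
  done
  for f in "$home/.config/autostart"/*.desktop; do
    [ -f "$f" ] && echo "AUTOSTART ${f##*/} $(grep -m1 '^Exec=' "$f")"
  done
  return 0
}

audit_home() { check_shell_rc "$1"; check_path_shadow "$1"; check_desktop "$1"; }

# Usage: bash audit.sh "$HOME"   (does nothing when run without an argument)
if [ "$#" -gt 0 ]; then audit_home "$1"; fi
```

Each line of output is something to review, not proof of compromise; a wrapper you installed yourself in ~/.local/bin is reported the same way. Launchers exported by Flatpak live outside the assumed SYS_APPS default and are not compared.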