Fedora Security vs. Other Distros

Techlore recommends Fedora. What security benefits does Fedora offer over other Linux distros? I know it has SELinux, but Ubuntu has AppArmor. Is SELinux more effective than AppArmor? What other security benefits does Fedora provide over other distros? How is its security update cycle compared to the security update cycle of Ubuntu?

Like all Linux distributions, the level of privacy and security depends entirely upon the practices of the user. Fedora is often mentioned as a secure distro because it has some sensible security implementations out of the box. For example, it has a firewall by default and comes with SELinux enabled (here’s the Fedora wiki page and the Ubuntu wiki page on their respective security features). As for your other question, SELinux is more robust than AppArmor, but it also comes with a steeper learning curve. Check out this article from Red Hat if you want to get into the specific differences (keep in mind that Red Hat uses SELinux, so there might be some bias at play). I suppose another reason that Fedora is often recommended over Ubuntu is that Red Hat, and in turn, the Fedora Project, are better liked than Canonical.

Although Fedora has a decent starting point, there’s still a lot that needs to be done in regards to hardening. The Fedora Wiki’s SecurityBasics page might be a good place to start. However, if you’re really wanting to go down the rabbit hole, OpenSCAP and Red Hat have extremely thorough guides.

https://static.open-scap.org/ssg-guides/ssg-fedora-guide-index.html

There is very little difference between the distros, and Fedora isn’t noticeably better than the rest.

SELinux has more options than AppArmor, but AppArmor is easier to use. I don’t think it matters which you use, and they are not going to do much against kernel exploits.

Fedora probably has the better release cycle when compared to Debian based distros, because Debian favors stability. There are pros and cons to both approaches, but I think it’s fair to say you can make the strongest argument for Fedora having the better release cycle.

You can use any distro and follow that community’s hardening recommendations, and you are going to be perfectly fine.

If you really want the most security, then use Qubes OS. It’s not a lot more difficult to use than traditional Linux, and it solves a lot of the security issues Linux has.

No big difference. Sure, it may come with a few tweaks here and there, but it’s not a security-oriented distro.

As discussed in other topics:

I personally would never use it. That being said, I think that Fedora is a fine distro that I would recommend to most of my non-tech-savvy friends.
Obviously your threat model is important, etc., but if you’re looking for a security-oriented distro then Qubes is the way. Sure, you can grab something like Gentoo and harden it like a psycho, but it would never be the same.

SEL is way more powerful than AA. Don’t get me wrong, AA is still pretty good. SEL is also way more complex and takes some time.
Choose based on your free time, mental sanity and, of course, your threat model.

Sorry if I expressed myself poorly. I’m working on my English.

I think that’s a fair take on Fedora and Linux as a whole. However, I must ask which OS you use or would recommend? Yes, Qubes is probably the most private and secure option, but due to its system requirements, you can’t run it on as many machines as, say, Fedora.

Of course, you could always say that privacy and security aren’t cheap ventures and that you should invest in a better machine. However, I think there’s also something to be said about being able to take control of your devices and not give in to the consumerism mindset. Of course, this might be better said about the FOSS movement than privacy/security.

What exactly do SELinux and AppArmor do? How are they useful in security?

They are mandatory access control implementations. Android uses SELinux to set app permissions; it’s essentially used for the same thing on desktop Linux.

a set of patches to the Linux kernel and utilities to provide a strong, flexible, mandatory access control (MAC) architecture into the major subsystems of the kernel. It provides an enhanced mechanism to enforce the separation of information based on confidentiality and integrity requirements, which allows threats of tampering, and bypassing of application security mechanisms, to be addressed and enables the confinement of damage that can be caused by malicious or flawed applications. It includes a set of sample security policy configuration files designed to meet common, general-purpose security goals.

Source: NSA on SELinux

Further reading - Security-Enhanced Linux - Wikipedia

I am not sure about this, but in Fedora the SELinux policies aren’t very aggressive by default. Most processes run unconfined. Same with Ubuntu with AppArmor. Of course it all depends on your threat model and whether all that extra hardening is required for you.

I use RHEL btw.

Ubuntu used to serve Amazon ads in its search bar back in the Unity days. It has had its image tainted since then. Its major problem nowadays is its persistence in sticking with Snaps instead of Flatpaks.

Fedora has a 9-month life cycle (I think?) compared to Ubuntu’s 2 year life cycle. Fedora might be more viable for usage in Desktops whereas Ubuntu LTS might be better for servers.

I second that, and as for stability in server operations I have never faced an issue with using Fedora in my EC2 instances (easy way to go bankrupt, I know. I am extra careful lol.) for my personal projects, and I personally prefer Fedora over Debian.

Most packages wouldn’t work. No packages=best security.

And lastly, while SELinux/AA are important for the security of your Linux system, they alone can’t be trusted to do all the security stuff.
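
As an added example (not part of any post in this thread): one way to check the claim above that most processes run unconfined under the default policy is to tally the SELinux domain of every process listed by `ps -eZ`. The sample output is constructed and the function names are illustrative; only the `unconfined_t` and `unconfined_service_t` types are matched by name.

```bash
#!/usr/bin/env bash
# Added example: summarise SELinux domains from `ps -eZ`-style output.

# Constructed sample of `ps -eZ` output (not captured from a real host).
sample_ps_output() {
cat <<'EOF'
LABEL                                                   PID TTY          TIME CMD
system_u:system_r:init_t:s0                               1 ?        00:00:02 systemd
system_u:system_r:NetworkManager_t:s0                   770 ?        00:00:00 NetworkManager
system_u:system_r:sshd_t:s0-s0:c0.c1023                 812 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0               901 ?        00:00:01 custom-agent
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  1500 tty2     00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  1622 tty2     00:00:04 firefox
EOF
}

# Print "<count> <type>" per SELinux type, most common first.
# A label is user:role:type:level, so the type is the third field.
# Lines without a type (header, or "-" on hosts without SELinux) are skipped.
count_domains() {
  awk '$1 != "LABEL" { split($1, ctx, ":"); if (ctx[3] != "") n[ctx[3]]++ }
       END { for (t in n) printf "%d %s\n", n[t], t }' | sort -k1,1nr -k2,2
}

# Count processes running in an unconfined domain.
# Assumption: matching the two type names is enough for this illustration;
# a policy may mark further domains as unconfined, and this will not see them.
count_unconfined() {
  awk '$1 != "LABEL" { split($1, ctx, ":")
                       if (ctx[3] ~ /^unconfined(_service)?_t$/) c++ }
       END { print c + 0 }'
}

# Demo on the constructed sample; on a real host use: ps -eZ | count_domains
sample_ps_output | count_domains
echo "unconfined processes: $(sample_ps_output | count_unconfined)"
```

A service that appears under `unconfined_service_t` has no dedicated policy module, which makes it a natural first candidate when deciding where to write or install a confining policy.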

I know. ._.

Jokes aside; reducing the attack surface is always good. It also improves maintenance.

Fedora has new releases every 6 months (next one is in April 2023) and each release is supported for 13 months. Let’s say you started on Fedora 36 but wanted to skip Fedora 37. You would have support until 1 month after the release of Fedora 38 roughly.

Another difference between Fedora and Ubuntu is that each Fedora release is the main release, whereas technically the main releases for Ubuntu are the long-term support releases. This gives Canonical wiggle room in case the in-between updates are not as smooth as the main ones. This also arguably means that development efforts are spread more broadly in Ubuntu rather than Fedora because of how many releases they have to support in comparison. I could probably be convinced that this isn’t that big of a deal, though.

I think there is a bigger potential difference between distros, mainly along the lines of how those distros are maintained. Fedora and Ubuntu both have large companies who use these distros in some form or fashion in their enterprise products. It’s a big deal if there are glaring security issues in these projects. I don’t expect the same attention to detail or even available resources for a small distro like XeroLinux.

To your point, most of the mainstream distros that the average person will try will be Ubuntu based and maintained by large communities. My advice would be to stick to distros that are popular, well known, have been around for a while, and have more incentives in sticking around than just “community cares a lot.” That’s just my personal barometer for that kind of thing.

One more consideration that I can think of between Fedora and Ubuntu is how quickly new technologies are implemented, which would include security-minded changes. Wayland is maybe the biggest example of a new technology to replace the current popular display server X11. As many people on this forum will tell you, X11 has big security holes. Wayland is working to fix those. Which distro started getting those changes first? Fedora. You can see this in other areas as well such as the Fedora community’s focus on immutability and containerized workflows through Silverblue. Fedora does it first, usually at the cost of kinks to work out, and then other distros implement it after they do the hard work.

This may help
https://fedoraproject.org/wiki/Security_Features_Matrix

Yeah, what I meant in my post is that all Linux distros are Linux distros in the end. But I agree with you about the maintenance.

They are a bunch of a-holes who have repeatedly attacked free software and its core ideologies. X11 is used by plenty of people who understand Linux security, people like Mental Outlaw, Luke Smith, Richard Stallman. It is secure and will be for the next 100 years. It’s in active development by hard-working developers, so stop saying the wrong things about it.