I am new to CL coming from Fedora Silverblue.
I am doing a comparison of the two in terms of security.
The only real two differences I can spot is that
- Fedora has enabled SElinux by default
- Fedora’s rootfs is mounted read-only by default
Thoughit seems to me that SElinux makes not that much sense with stateless systems,
the thing is that still /usr is writable and the first place if I were to write some malware would be /usr/share/defaults that loads something else, having read only rootfs would prevent this, although to have enough permissions to write into /usr would mean that you could just as well remount /usr as read write anyways, what does CL team thinks on further securing the system, is there such need? Would volatiling the system help?