Secure Blue is it really Secure?

hTahaCi:

If your cpu is vulnerable to SMT then half your cpu cores will be gone because of smt disabled on vulnerable CPUs. It’s a security feature but you can remove this option if you threat model doesn’t need this much.

Where is the con?

hTahaCi:

SecureBlue doesnot comes with custom hardened kernel with hardened patch applied it only provides distro kernel

secureblues’s kernel does not have additional compile time hardening, since it is simply Fedora’s kernel and this could be improved, but secureblue does hardening of the kernel’s cmdline and sysctls.

hTahaCi:

That’s why confining user is very important it will protect your system even on compromise.

While confined users would be great, using confined Selinux users puts burden on the users and leads to breakage.

hTahaCi:

u don’t need to write selinux policies for generage desktop usage at all just confine your selinux user its gives you a secure environment for you personal desktop.

Not really. Most home users have all their important information within their main user account. Simply using user_u won’t help to protect that within the same user account. Using Selinux users does not simply work ootb for many use cases. Some things which come to mind, which don’t work ootb with user_u:user_r:user_t: Flatpaks, Appimages, document scanners and Tor Browser.