I am using all network facing apps inside firejail but I wonder why did the Arch Linux team decided not to implement Apparmor or SElinux ?
Yes, but the thing is under Ubuntu which uses Apparmor users get profiles by default. I had tried to learn how to create Apparmor profiles & it was very difficult. Same case with SElinux. Fedora ships with a default SElinux config. Both Apparmor & SElinux are not easy to implement. firejail is a different story. firejail comes with a huge number of profiles which are hardened by default & user intervention is required only if an advanced user is not happy with the defaults.
Well, Arch doesn’t even ship with a Desktop Environment, so why should it with something as specific as this?
Most Arch users prefer to install their own programs and instead of having their systems bloated with programs they do not use.
3 Likes
Correct me if I am wrong but both Apparmor & SElinux are considered part of the base install. As far as I know the Ubuntu server ISO which too is headless includes Apparmor.
Personally, I think Frogatto and Friends (a version that actually works) should be considered a part of the base install. And my argument for it is just as good as yours 
In any case, it’s easier to get AppArmor working on Arch than Frogatto and Friends.
2 Likes
Arch considers almost nothing part of the “base install”.
This is what is in an Arch base install
filesystem gcc-libs glibc bash coreutils file findutils gawk grep procps-ng sed tar gettext pciutils psmisc shadow util-linux bzip2 gzip xz licenses pacman systemd systemd-sysvcompat iputils iproute2
Basically just enough to boot the system.(After you add a kernel)
6 Likes
I understand. The only thing is if Arch had included Apparmor or SElinux EndeavourOS users would have enjoyed an added layer of security.
And if it included Frogatto and Friends, users would enjoy a fun, family-friendly game with a charismatic amphibian protagonist. 
4 Likes
Make pr directly to Kernel, nobody would notice more bloat anyway
3 Likes
It isn’t that hard to install and setup apparmor yourself if you want it. There are prebuilt profiles in AUR.
SELinux is much more complicated to properly configure from scratch. It is probably better to use it on distros which ship with a full set of prebuild config such as RedHat/Fedora & friends.
4 Likes
Because Arch is user-centric - not distro-centric.
The huge difference is that user-centric leaves all decisions - design, usage and otherwise to the user - while the distro centric approach stuffs the user like a goose no matter they like it or not.
6 Likes
SELinux can be incredibly painful to try and setup. Its the main feature I love about Fedora is the hefty SELinux work put in by Redhat.
Apparmor like @dalto said is much easier if you want to install it on Arch thats what i would do. If you want SELinux id go with a distro that footed the legwork for you unless you want to learn how.
I discovered SuperTuxcart today. That’s a high quality game I think should also be included in the base install.
2 Likes
Well, it could use more amphibians, but other than that glaring flaw, it is indeed an excellent game!
1 Like
Why can’t Endeavour users still enjoy that level of security?
Arch includes nothing … they make packages available, add a wiki entry, and you install & configure it yourself.
SELinux is not “officially” supported by Arch, the userspace tools and profiles are in the AUR, but their kernels make it available … so it is technically possible if you are willing to do the work.
The whole point of EndeavourOS is a simple, minimal, vanilla Arch install for users to then customize to their liking.
An EndOS install is the not an OOTB end point, it is an ubloated starting point, a first step in creating your system.
The more minimal the starting point the better IMHO.
8 Likes