r/sandboxcontainment


My Fedora Configuration from 18 May 2026

Current Fedora Configuration:

Installation date: 21 April 2026 (27 days ago).

Info from the settings app: Fedora Linux 44, Kernel 7.0.8, Wayland display system, Secure Boot functioning correctly.

Browser: Firefox 150.0.3 with uBlock Origin, prompting where to save files, and no telemetry. Firejail sandboxing implemented manually in this way:
[Desktop Entry]
Name=Firefox (Sandboxed)
Exec=firejail --private=/home/local83/sandbox/firefox --dns=1.1.1.1 --dns=9.9.9.9 --seccomp --caps.drop=all --nonewprivs --no3d --netfilter firefox -no-remote
Icon=firefox
Type=Application
Categories=Network;WebBrowser;
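A drift check for the entry above, added here as an example and not part of the original post: it reads a .desktop file and confirms the Exec= line still launches firejail with the isolation flags the post relies on (--private=, --seccomp, --caps.drop=all, --nonewprivs, --netfilter). The flag list and the file path are assumptions for illustration; run it against the real entry (for example under ~/.local/share/applications/) after any edit, since a silently dropped flag is exactly the failure that would go unnoticed.

```shell
#!/bin/sh
# Added example (not the poster's code): verify that a Firejail-wrapped
# .desktop entry still carries the expected hardening flags.
# REQUIRED_FLAGS is an assumption mirroring the post's Exec= line.
REQUIRED_FLAGS="--private= --seccomp --caps.drop=all --nonewprivs --netfilter"

# check_firejail_desktop FILE
# Prints each required flag missing from the first Exec= line.
# Returns 0 when Exec= invokes firejail with every flag, 1 otherwise.
check_firejail_desktop() {
    file="$1"
    exec_line=$(grep '^Exec=' "$file" | head -n 1)
    [ -n "$exec_line" ] || { echo "no Exec= line in $file"; return 1; }
    case "$exec_line" in
        Exec=firejail*) ;;
        *) echo "Exec= does not start with firejail"; return 1 ;;
    esac
    missing=0
    for flag in $REQUIRED_FLAGS; do
        case "$exec_line" in
            *"$flag"*) ;;
            *) echo "missing $flag"; missing=1 ;;
        esac
    done
    return $missing
}

# Demo on a constructed entry written to a temp file (hypothetical paths).
demo=$(mktemp)
printf '%s\n' '[Desktop Entry]' 'Name=Firefox (Sandboxed)' \
    'Exec=firejail --private=/home/user/sandbox/firefox --seccomp --caps.drop=all --nonewprivs --netfilter firefox -no-remote' \
    'Type=Application' > "$demo"
if check_firejail_desktop "$demo"; then
    echo "hardened entry: all flags present"
fi
# Same entry with the seccomp filter and capability drop removed.
printf '%s\n' '[Desktop Entry]' \
    'Exec=firejail --private=/home/user/sandbox/firefox --nonewprivs --netfilter firefox' > "$demo"
if ! check_firejail_desktop "$demo"; then
    echo "weakened entry: flagged"
fi
rm -f "$demo"
```

The check is deliberately literal: it looks for the flag text in the Exec= line rather than launching anything, so it can run from a cron job or a shell alias without touching the sandbox itself.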

Sandboxing tools I know how to use, at least to a limited degree: Firejail, Bubblejail, Flatseal.

SELinux status: enforcing and targeted (confirmed by looking at /etc/selinux/config and running the command sestatus). Working as expected (ausearch found an alert from 12 May 2026 saying that systemd-rfkill was blocked from using dac_read_search, dac_override, and the syscall openat).

Third-party game I downloaded:
bubblejail create --no-desktop-entry --profile generic TheNatureOfMagic
nano ~/.local/share/bubblejail/instances/TheNatureOfMagic/services.toml
[common]
[wayland]
[pulse_audio]
[direct_rendering]
[home_share]
home_paths = ["games/TheNatureOfMagic-PartThree-pc"]
bubblejail run TheNatureOfMagic home/local83/sandbox/games/TheNatureOfMagic-PartThree-pc/TheNatureOfMagic.sh
Verification for namespace: sudo nsenter --target 16086 --mount --pid ls -la /home

Kernel memory protections: active (confirmed through the command sestatus).

Sudo configuration hardened in this way:
Defaults env_reset
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Defaults use_pty
Defaults timestamp_timeout=0

Listening services: dhcpv6.

Disabled services: cups, samba-client, ssh, llmnr-client, llmnr-tcp, llmnr-udp.

Command for disabled services:
sudo systemctl disable --now cups
sudo firewall-cmd --remove-service=samba-client --permanent
sudo firewall-cmd --zone=public --set-target=DROP --permanent
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="224.0.0.0/4" drop'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv6" source address="ff00::/8" drop'
sudo firewall-cmd --reload

Services that have been “unpowered” by removing usable ports through firewall-config: llmnr-client, llmnr-tcp, llmnr-udp.

Verification for listening services:
sudo firewall-cmd --list-all
sudo firewall-cmd --list-services
ss -tulpn
sudo dnf install nmap
nmap localhost
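Two of the manual checks above (the sudo Defaults and the ss -tulpn review) can be scripted so they are repeatable after each update. The script below is an added example, not the poster's, and runs on constructed input: check_sudo_defaults takes a sudoers file path (assumed; the post does not say whether the Defaults live in /etc/sudoers or a drop-in) and reports any of the four hardening lines that is missing, and nonloopback_listeners reads ss -tulpn output on stdin and prints only sockets bound to something other than loopback, which is the set that actually matters for the "listening services" line. The sample ss output is constructed for illustration.

```shell
#!/bin/sh
# Added example (not the poster's code): repeatable checks for the sudo
# Defaults and the listening-socket review described in the post.

# check_sudo_defaults FILE
# Verifies that FILE contains each hardening Defaults line from the post.
# Returns 0 if all are present, 1 otherwise (missing lines are printed).
check_sudo_defaults() {
    file="$1"
    rc=0
    for setting in env_reset use_pty timestamp_timeout=0 secure_path; do
        if ! grep -Eq "^Defaults[[:space:]]+$setting([[:space:]]|$)" "$file"; then
            echo "missing: Defaults $setting"
            rc=1
        fi
    done
    return $rc
}

# nonloopback_listeners < SS_OUTPUT
# Reads `ss -tulpn` text, skips the header, and prints "netid local-address"
# for every socket not bound to 127.x or [::1]. Column 5 is Local Address:Port.
nonloopback_listeners() {
    awk 'NR > 1 && $5 !~ /^(127\.|\[::1\])/ { print $1, $5 }'
}

# count_nonloopback_listeners < SS_OUTPUT
# Same filter, but prints only the number of matching sockets.
count_nonloopback_listeners() {
    nonloopback_listeners | awk 'END { print NR }'
}

# Constructed sample of ss -tulpn output (not a real capture).
SAMPLE_SS=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      *:546               *:*               users:(("NetworkManager",pid=812,fd=25))
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=701,fd=5))
udp   UNCONN 0      0      [::1]:323           [::]:*            users:(("chronyd",pid=701,fd=6))
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=950,fd=3))
EOF
)

# Demo: a sudoers sample matching the post, written to a temp file.
demo_sudoers=$(mktemp)
printf '%s\n' 'Defaults env_reset' \
    'Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
    'Defaults use_pty' 'Defaults timestamp_timeout=0' > "$demo_sudoers"
if check_sudo_defaults "$demo_sudoers"; then
    echo "sudo Defaults: ok"
fi
rm -f "$demo_sudoers"

# Demo: in the sample only the dhcpv6 client (*:546) and sshd (0.0.0.0:22)
# are reachable beyond loopback; chronyd and cupsd are loopback-only.
echo "non-loopback listeners:"
printf '%s\n' "$SAMPLE_SS" | nonloopback_listeners
```

On a live system, feed the real output with `sudo ss -tulpn | nonloopback_listeners`; a socket bound to 0.0.0.0 or * that is not in your expected list (the post's expected list is just dhcpv6) is the thing to investigate, whereas loopback-only listeners such as cupsd on 127.0.0.1:631 are not exposed to the network even before the firewall zone is considered.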

Assumptions: hardware, firmware, and kernel are not malicious; baseline security involving system integrity, lateral movement, control flow validation, memory protections, and privilege escalation is trusted but should be strengthened according to threat model.

Newly learned info: sandboxes can be created using Firetools Config, internet access can be blocked using Portmaster, and Firejail has these flags: --net=none, --memory-deny-write-execute, --private-bin, --protocol=unix,inet,inet6. None of this newly learned info has been implemented yet.

Goals: learn browser hardening, learn attack surface reduction, learn SELinux, learn Firewall filtering, learn seccomp, cgroups, and namespaces, learn everything about Firejail, Bubblewrap, Flatpak, and Bubblejail. Progress ongoing for Firejail, Bubblejail, SELinux, seccomp, and namespaces.

Security constraint = reduction of achievable attacker state space. Depending on context, that reduction:
- prevents certain executions entirely;
- limits execution capabilities;
- reduces impact of compromised execution.

My mindset: former designer and tweaker of high-assurance-like security environments based on Windows, preference for least-privilege and default-deny above isolation of interaction, first-principles-driven, aware of the principles of Saltzer and Schroeder, somewhat aware of IPC pipelines, learner of Linux Assembly 64-bit, creative thinking, researcher of enforcement and execution boundaries. I believe that in-memory attacks are inevitable and can only be somewhat constrained. Control flow is mostly bypassable if the values can be overwritten or the stages of the program are jumped.

u/themagicalfire — 4 days ago