Security and Privacy

Mandatory Access Controls

Ultramarine uses SELinux, software that implements Mandatory Access Controls. This prevents applications (and users) from accessing files they shouldn’t be able to.

Users are usually required to have root access to modify system files, and even then, SELinux may prevent you from doing so unless you have set the correct contexts for the files.

By default, SELinux is in “Enforcing” mode, which means that it will prevent you (and others) from modifying system files unless you have the correct permissions. This shouldn’t cause any issues. If you would like to disable SELinux, you can run sudo setenforce 0. We don’t recommend this, as it makes your system less secure.
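A read-only check for the mode described above, added here as an example (it is not Ultramarine's own tooling). setenforce changes only the running mode, so the script compares it with the mode configured for the next boot and reports a leftover sudo setenforce 0 as drift. The function names and the optional root-directory argument are assumptions made for this example; /sys/fs/selinux/enforce and /etc/selinux/config are the standard SELinux locations.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with the boot-time setting.
# The optional argument is a root directory prefix (an assumption of this
# example) so the functions can be pointed at a test fixture instead of "/".

# Running mode, read from selinuxfs. The file holds 1 (enforcing) or
# 0 (permissive); it is absent when SELinux is disabled or not present.
selinux_runtime_mode() (
    f="${1:-}/sys/fs/selinux/enforce"
    [ -r "$f" ] || { echo disabled; exit 0; }
    case "$(cat "$f")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
)

# Mode applied at next boot: the last uncommented SELINUX= line in the config.
selinux_configured_mode() (
    f="${1:-}/etc/selinux/config"
    [ -r "$f" ] || { echo unknown; exit 0; }
    v=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$f" \
        | tail -n 1 | tr 'A-Z' 'a-z')
    echo "${v:-unknown}"
)

# OK    = enforcing now and at next boot
# DRIFT = running mode differs from the config (e.g. after `setenforce 0`)
# WEAK  = both agree, but neither is enforcing
selinux_audit() (
    run=$(selinux_runtime_mode "${1:-}")
    cfg=$(selinux_configured_mode "${1:-}")
    if [ "$run" = enforcing ] && [ "$cfg" = enforcing ]; then
        echo "OK runtime=$run config=$cfg"
    elif [ "$run" != "$cfg" ]; then
        echo "DRIFT runtime=$run config=$cfg"; exit 1
    else
        echo "WEAK runtime=$run config=$cfg"; exit 1
    fi
)

# Report on the live system; remove "|| true" to make the script fail when
# the result is not OK.
selinux_audit "" || true
```

A DRIFT result with runtime=permissive and config=enforcing clears on the next reboot or with sudo setenforce 1.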

Learn more about SELinux →

Learn more about Permissions →

Privilege Control

Ultramarine includes polkit, a tool used to manage privilege elevation. If you’ve ever gotten a graphical password prompt on your system, you’ve interacted with polkit.

Use the pkexec command instead of sudo to give polkit a try.

polkit also manages communication between privileged and unprivileged applications.

Disk Encryption

Ultramarine offers the option to encrypt your entire disk at install time. This protects your data from physical attacks and theft.

Sandboxing

When you install an app as a Flatpak, it’s contained within a sandbox, meaning it can’t see what other apps are doing, and can’t see files it isn’t allowed to.

Restricted Memory Access

Ultramarine and Fedora restrict access to physical memory. This should prevent most memory injection attacks.
