this post was submitted on 11 Feb 2024
 
  1. Does Silverblue being immutable have an effect on security, or is it more about stability and reliability?

  2. Is it possible to have Nvidia drivers with Secure Boot on Silverblue, and how?

Thanks a lot!

[–] Pantherina@feddit.de 0 points 9 months ago* (last edited 9 months ago)

Fedora Atomic is not secure. In fact if you would somehow install malicious RPMs, or a program would do so, only on Atomic they can do so without a password.

This is crazy and you can change the polkit file manually, I have no idea when this will be implemented.

https://gitlab.com/fedora/ostree/sig/-/issues/7

Apart from that, SELinux does not affect the user programs, Desktop and home filesystem. You and any program can execute any script it wants, place an autostart file in your home directory etc.

As long as the home directory allows arbitrary scripts, it is very vulnerable to exploits.

Also, your ~/.bashrc (or the other Shell configs) is writable, so any program can alias what sudo does and thus catch your password.

Or your ~/.local/bin, ~/.local/share/applications/ etc. all being writable, this also means any program can pretend to be Firefox for example but catch your passwords (tbh by default any program can read your Firefox passwords, use a master password people)

Same with your ~/.ssh and ~/.gnupg keys being readable.

I second Secureblue, it works well. Firefox is removed, even though its insecurity is debatable. You can use the Flatpak or build it yourself:

https://github.com/trytomakeyouprivate/Firefox-hardened

Keep an eye on that repo, I will update it when I find out how to build release versions lol.

Also note that you will want to use userns images of Secureblue to have Podman/Docker working.
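
An added example, not part of the comment above or of any Fedora or Secureblue tooling: a small audit that checks the user-writable locations the comment names (shell configs redefining `sudo`, `~/.local/bin`, `~/.local/share/applications`) for entries that shadow system ones. The function name, the finding labels, the list of shell config files and the default system paths are assumptions made for this sketch.

```python
import re
from pathlib import Path

# Matches `alias sudo=...`, `function sudo`, or `sudo() {` at the start of a line.
SUDO_OVERRIDE = re.compile(r"^\s*(alias\s+sudo=|function\s+sudo\b|sudo\s*\(\s*\))")
RC_FILES = (".bashrc", ".bash_profile", ".profile", ".zshrc")  # assumed set of shell configs


def audit_home(home, system_bin="/usr/bin", system_apps="/usr/share/applications"):
    """Return (kind, path) findings for the writable home locations named in the comment."""
    home, findings = Path(home), []

    # 1. Shell configs that redefine sudo as an alias or a function.
    for name in RC_FILES:
        rc = home / name
        if rc.is_file():
            for line in rc.read_text(errors="replace").splitlines():
                if SUDO_OVERRIDE.match(line):
                    findings.append(("sudo-override", str(rc)))
                    break

    # 2. Files in ~/.local/bin that share a name with a system binary
    #    (relevant when ~/.local/bin precedes the system directory in PATH).
    # 3. Launchers in ~/.local/share/applications with the same file name as a
    #    system .desktop file (the per-user data directory takes precedence).
    for kind, user_dir, sys_dir in (
        ("shadowed-binary", home / ".local/bin", Path(system_bin)),
        ("shadowed-launcher", home / ".local/share/applications", Path(system_apps)),
    ):
        if user_dir.is_dir():
            for entry in sorted(user_dir.iterdir()):
                if (sys_dir / entry.name).exists():
                    findings.append((kind, str(entry)))
    return findings


if __name__ == "__main__":
    # Audit the current user's home against the default system locations.
    for kind, path in audit_home(Path.home()):
        print(f"{kind}: {path}")
```

A finding is a prompt to review the file, not proof of compromise: users legitimately override launchers and install their own tools under `~/.local/bin`.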