The Linux Foundation published a guide recently[1] which has recommendations for desktop.
Take into consideration that unless you're running SELinux in full-enforcing mode (NOT targeted-enforcing, the default!), you still have a HUGE attack surface on your machine if you're using a web browser alone.
This presentation[2] also goes into some detail about an overall layered security approach and touches on workstation security.
If you really-really-really need security, you could consider something like QubesOS[3] to segregate your applications.
[1] https://github.com/lfit/itpol/blob/master/linux-workstation-...
[2] http://kernsec.org/files/lss2015/giant-bags-of-mostly-water....
[3] https://www.qubes-os.org