© Richard Petersen 2018

Richard PetersenBeginning Fedora Desktophttps://doi.org/10.1007/978-1-4842-3882-0_12

12. Fedora System Tools

Richard Petersen¹ 

(1)

Alameda, California, USA

 

Fedora provides several helpful system tools for monitoring, disk management, logs, and security (see Table 12-1).

Table 12-1

Fedora System Tools

Package Name	Application	Description
system-config-selinux	SELinux Management	Manages and configures SELinux policy
gnome-system-monitor	System Monitor	GNOME System Monitor
gnome-system-log	System Log	GNOME system log viewer
gnome-terminal	Terminal	GNOME terminal window
baobab	Disk Usage Analyzer	Baobab Disk Usage Analyzer
gnome-disk-utility	Palimpsest Disk Utility	Palimpsest DeviceKit disk manager
sealert	SELinux Troubleshooter	setroubleshoot, SELinux alert browser
gnome-power-statistics	Power Statistics	Power usage

Performance Analysis Tools and Processes

Linux treats each task performed on your system as a process, which is assigned a number and a name. You can examine these processes as well as start and stop them. Fedora provides several tools for examining processes as well as your system performance (see Table 12-2). Easy monitoring is provided by the GNOME System Monitor . Other tools are also available, such as the KDE System Monitor. Several utilities were designed to be used on a shell command line, displaying output in text lines.

Table 12-2

Performance Tools

Performance Tool	Description
vmstat	Performance of system components
top	Listing of most CPU-intensive processes
free	Listing of free RAM memory
sar	System activity information
iostat	Disk usage
GNOME System Monitor	System monitor for processes and usage monitoring (System ➤ Administration ➤ System Monitor)
KDE System Monitor	KDE system monitor for processes and usage monitoring
Frysk	Monitoring tool for system processes

GNOME System Monitor

The GNOME System Monitor displays system information and monitors system processes (Utilities ➤ System Monitor). It has three tabs: Processes, Resources, and File Systems (see Figure 12-1). The Resources tab displays graphs for CPU History, Memory and Swap History, and Network History. If your system has a multi-core CPU, the CPU History graph shows the usage for each CPU. The Memory and Swap Memory graph shows the amount of memory in use. The Network History graph displays the amount of sent and received data, along with totals for the current session.

Figure 12-1

GNOME System Monitor

Note

System information, such as the Fedora release, hardware information, and system status, is available on the System Settings ➤ Details ➤ About tab.

The File Systems tab lists your file systems , including where they are mounted, their type, and the amount of disk space used and how much is free. You can sort the list by any category. Device, directory, and type names are listed alphabetically. Total, free, available, and used space can be sorted numerically in ascending or descending order. Double-clicking on a file system entry will open that file system in a file manager window.

The Processes tab lists your processes, letting you sort and search processes. You can use field buttons to sort by name (Process Name), process ID (ID), percentage of use (%CPU), and memory used (Memory), among others. The menu (right side of the menu bar) lets you select all processes, just your own (My Processes), or active processes. You can stop any process by selecting it and then clicking the End Process button (lower-right corner) or by right-clicking on it and choosing End. You can right-click a process entry to display a menu with actions you can take on the selected process, such as stopping (Stop), ending (End), killing (Kill), and continuing a process (Continue), as well as changing the priority of the process (Change Priority). The Open Files entry opens a dialog listing all the files, sockets, and pipes the process is using. The Properties entry displays a dialog showing all the details of a process, such as the name, user, status, memory use, CPU use, and priority. Memory Maps display, selected from the Memory Maps entry, shows information on virtual memory, inodes, and flags for a selected process .

Display features such as the colors used for CPU graphs can be set using the dconf editor's gnome-system-monitor keys at org ➤ gnome ➤ gnome-system-monitor.

Managing Processes

Should you have to force a process or application to quit, you can use the GNOME System Monitor Processes tab to find, select, and stop it. You should be sure of the process you want to stop. Ending a critical process could cripple your system.

Application processes will bear the name of the application, and you can use those to force an application to quit. Ending processes manually is usually preformed for open-ended operations that you are unable to stop normally. In Figure 12-2, the Firefox application has been selected. Clicking the End Process button on the lower left will force the Firefox web browser to end (you can also right-click the entry and select End from the menu). Clicking on the button at the lower left displays the properties for a selected process (see Figure 12-2). The menu button on the upper right shows display options such as active, all, your processes, and processes arranged in expandable trees showing their dependencies. The search button, also on the upper right, opens a search box letting you search for a process.

Figure 12-2

GNOME System Monitor, Processes tab

You can also use the pkill command with a process name or a process ID to end a process. To use a process name , enter the process name with the -n option for the most recent process for that name.

pkill -n firefox

You can also use the kill command in a terminal window to end a process. The kill command takes as its argument a process ID. Be sure you obtain the correct one. Entering the incorrect process ID could also cripple your system. Use the ps command to display a process ID. You can search for a process using the -C or -aux options. The ps command with the -C option searches for a particular application name. The -o pid= option displays only the process ID, instead of the process ID, time, application name, and tty. Once you have the process ID, you can use the kill command, with the process ID as its argument, to end the process.

$ ps -C firefox -o pid=

5555

$ kill 5555

One way to ensure the correct number is to use the ps command to return the process number directly as an argument to a kill command. The process is then stopped by first executing the ps command to obtain the process ID for the firefox process (back quotes), and then using that process ID in the kill command to end the process. The -o pid= option displays only the process ID.

kill `ps -C firefox -o pid=`

To search for a process using a pattern, you can use a ps command with the -aux option to list all processes and pipe the output to a grep command with a specified pattern. The following command lists all X Window System processes:

ps -aux | grep 'firefox'

You can obtain just the process IDs with the pidof command.

pidof  firefox

KDE System Monitor

The KDE System Monitor is accessible on the KDE desktop from System ➤ System Monitor and on the GNOME desktop from the Applications ➤ System Tools ➤ System Monitor. This tool allows you to monitor the performance of your own system as well as remote systems. KDE System Monitor can provide simple values or detailed tables for various parameters. A System Load tab provides graphical information about CPU and memory usage, and a Process Table tab lists current processes using a tree format to show dependencies. You can design your own monitoring tabs with worksheets, showing different types of values you want to display and the form you want to display them in, like a bar graph or digital meter . The Sensor Browser pane is an expandable tree of sensors for information like CPU System Load or Memory's Used Memory. There is a top entry for each host you are connected to, including your own, localhost. To design your own monitor, create a worksheet and drag and drop a sensor onto it.

Glances

Glances is a comprehensive system monitoring tool run from the command line in a terminal window with the glances command. It shows detailed resource use for the system, network, disk, file system, sensors, and processes (see Figure 12-3). It also warns you of any critical alerts. The system section covers detailed memory, CPU, swap and load usage. The network section shows the activity on each network device. The Disk I/O section lists your storage devices and their read/write usage. The File Sys section shows all your partitions and how much memory is used. The Sensors section shows the temperature detected by your sensors such as those for CPU, GPU, and the ambient temperature. The Tasks section lists your active processes by CPU usage, showing memory used, pid, user and the command. Press q to end your glances session.

Glances is organized into modules that you can disable to show only a limited set of reports. For example, if you are not interested in the disk I/O reports, you can disable the diskio module with the --disable-diskio option. See the glances man page for a compete list of module options you can use.

glances -- disable-diskio.

There are also several runtime commands you can use to show and hide modules, such as f to toggle the file system reports on and off, d to toggle disk I/O, n for network stats, s for showing sensors, and p to sort processes by name.

Figure 12-3

Glances System Monitor

vmstat, free, top, iostat, dstat, and Xload

From a terminal window, you can use tools such as vmstat, free, top, and iostat to monitor your system (systat package). The vmstat command outputs a detailed listing indicating the performance of different system components, including CPU, memory, I/O, and swap operations. A report is issued as a line with fields for the different components. If you provide a time period as an argument, it repeats at the specified interval, usually a few seconds. The top command provides a listing of the processes on your system that are the most CPU intensive, showing what processes are using most of your resources. The listing is in real time and updated every few seconds. Commands are provided for changing a process’s status, such as its priority.

The free command lists the amount of free RAM memory on your system, showing how much is used and how much is free, as well as what is used for buffers and swap memory. Xload is an X Window System tool showing the load, CPU, and memory, iostat displays your disk usage, and sar shows system activity information.

Frysk

Frysk is a specialized complex monitoring tool for system processes. With Frysk you can set up very specific monitoring tasks, focusing on particular applications and selecting from a set of observer processes to provide information about exit notification, system calls, and execution. You can also create your own customized observers for processes. Find out more about Frysk at http://sourceware.org/frysk .

Terminal Window Administrative Access: sudo and sudo su

The terminal window allows you to enter Linux commands on a command line (Utilities ➤ Terminal ). It also provides you with a shell interface for using shell commands instead of your desktop. The command line is editable, allowing you to use the Backspace key to erase characters on the line. Pressing a key will insert that character.

The terminal window is often used to run administrative tasks. First, log in as the root user, using the sudo command. You are prompted to enter your password. You can then run administrative-level commands, such as dnf to install packages or nano to configure system files.

Should you have several commands to run, you could log in at the root user directly using the sudo command in combination with the su command.

sudo su

The terminal prompt then changes to the root user and the current directory (see Figure 12-4). The cd command will move you to the root user directory. See Chapter 3 for details on using and configuring the terminal window.

Figure 12-4

Terminal window

Schedule Tasks

Scheduling regular maintenance tasks, such as backups, can be managed either by using the systemd timers or by the cron service. The systemd timers are systemd files that run service files. Check the man page for systemd.timers for a detailed description of timers. They have the extension .timer. A timer file will automatically run a corresponding service file that has the same name. For example, the dnf-automatic.timer will run the dnf-automatic.service file. The timer file only contains scheduling information. Its filename determines which service file to run. It is possible to designate a different service file with the Unit directive in the timer file. If you want to run a command-line operation for which there is no service file, you can create your own with an ExecStart entry for that command.

The timer files have a timer section in which you define when the service file is run. There are options that are relative to certain starting points like when system booted up, and the OnCalendar option that that reference calendar dates. The OnCalendar option uses calendar event expressions as defined on the systemd.time man page. A calendar even expression consists of a weekday, year, month, and time. The time is specified in hour, minute, and second, separated by colons. A range of weekdays is separated by two periods, and specific weekdays by commas. Leaving out the year or month selects any year or month. The following references weekdays in May at 2 pm.

OnCalendar=Mon..Fri 05 14:00

You can create timer files and place them in the /etc/systemd/system directory. If you also have to set up a service file for it, you can place it in the same directory. To activate a timer be sure to enable it with systemctl. If you created a service file, be sure to enable that also.

You can still use the older cron service to schedule tasks. The cron service is implemented by the cron daemon that constantly checks for certain actions to take. These tasks are listed in the crontab file. The cron daemon constantly checks the user’s crontab file to see if it is time to take these actions. Any user can set up a crontab file. The root user can set up a crontab file to take system administrative actions, such as backing up files at a certain time each week or month.

Creating cron entries can be a complicated task, using the crontab command to make changes to crontab files in the /etc/crontab directory. Instead, you can use several desktop cron-scheduler tools to easily set up cron actions. Two of the more useful tools are KCron and GNOME Schedule, the latter which creates an easy-to-use interface for creating scheduled commands.

On KDE you can use the KDE Task Scheduler (KCron) to set up user- and system-level scheduled tasks (install the kdeadmin package). You access the Task Scheduler on the System Settings window, System Settings ➤ Task Scheduler (System Administration section). The Task Scheduler window will list your scheduled tasks. Click the New Task button to open a New Task window in which you can enter the command to run, add comments, and then specify the time in months, days, hours, and minutes from simple arranged buttons. On the Task Scheduler window, you can select a task and use the side buttons to modify it, delete the task, run it now, or print a copy of it. For tasks using the same complex commands or arguments, you can create a variable and then use that variable in a command. Variables are listed in the Environment Variables section. To use a variable in a scheduled task, precede its name with the $ character when you enter the command. Entering just the $ symbol in the Command text box will display a drop-down list of predefined system variables you can use, such as $PATH and $USER.

System Logs, journals, and journald

Various system logs for tasks performed on your system are stored and managed by the journald logging daemon. In effect, logs are now considered to be journals accessible by a systemd daemon, journald. From the command line (terminal window), you can use the journalctl command to access messages. The -f option displays the last few messages and is equivalent to displaying the last few messages in the old /var/log/messages file. The following command lists the last few messages:

journalctl -f

To see logs from the last system startup (boot), you use the -b option.

journalctl -b

To see messages for a particular service, you use the -u option and the name of the unit’s service file, such as samba.service. The following lists the messages for the Samba server.

journalctl -u samba.service

With the --since and --until options, you can further specify a time.

journalctl -u samba.service --since=12:00

If you want, you can still install and run the older rsyslogd, which stores message in the /var/log/messages file.

GNOME Logs and System Log

To view these logs you can use GNOME Logs, Utilities ➤ Logs (GNOME Logs on GNOME Software or the gnome-logs package on Packages ). A sidebar lists different log categories: Important, All, Applications, System, Security, and Hardware. Selecting one displays the log in the right pane (see Figure 12-5). A search button on the top right opens a search box, in which you can search for messages in the selected log, modifying the search by field and time. A save button on the top right lets you save the logs to a file. Logs queries the journald daemon for log reports using journalctl.

Figure 12-5

GNOME logs

You can also use the GNOME Log File Viewer to view these logs (Utilities ➤ System Log). Install System Log on GNOME Software or the gnome-system-log package on Packages. A sidebar lists the different logs. Selecting one displays the log in the right pane (see Figure 12-6). A search button on the top right opens a search box, in which you can search for messages in the selected log. A menu button on the top right lets you perform tasks such as zooming, copying, selecting, and filtering. The System Log queries the journald daemon for log reports using journalctl.

The Wayland display server currently does not allow root access by default to graphical tools, such as gnome-system-log. Many of these older graphical administration tools were designed for the older Xorg server and have not been updated for the Wayland server. A workaround uses the xhost command to add an access control for the root user to the local user. In a terminal window, enter the following command to enable root access through the display server. You have to re-enter this command with each new login session.

xhost +si:localuser:root

Figure 12-6

System Log

Disk Usage Analyzer

The Disk Usage Analyzer lets you see how much disk space is used and available on all your mounted hard disk partitions. You can access it from Utilities ➤ Disk Usage Analyzer. It will also check all LVM and RAID arrays. Usage is shown in a simple graph, letting you see how much overall space is available and where it is. On the Scan dialog, you can choose to scan your home folder (Home Folder, your entire file system (disk drive icon), an attached device like a USB drive, or a specific or remote folder (see Figure 12-7).

Figure 12-7

Disk Usage Analyzer: Scan dialog

To scan a folder or device, click the folder or device entry. When you scan a folder or the file system, the disk usage for your folder is analyzed and displayed. Each file system is shown with a graph for its usage, as well as its size and the number of top-level folders and files. Then the folders are shown, along with their size and contents (see Figure 12-8).

Figure 12-8

Disk Usage Analyzer

A representational graph for disk usage is displayed on the right pane. The graph can be either a Ring Chart or a Treemap. The Ring Chart is the default. Choose the one you want from the buttons on the lower right. For the Ring Chart, directories are shown, starting with the top-level directories at the center and moving out to the subfolders. Passing your mouse over a section in the graph displays its folder name and disk usage, as well as all its subfolders. The Treemap chart shows a box representation, with greater disk usage in larger boxes, and subfolders encased within folder boxes.

Virus Protection

Though viruses are rare on Linux, especially on Fedora, which has advanced security features such as SELinux, they can still occur. As a precaution you can install the free and open source Clam Anti-Virus virus protection software ( www.clamav.net ). On Gnome Software choose ClamTK or, for KDE, KlamAV. Choose clamav, clamav-filesystem, clamav-lib, clamav-update, clamav-data, on either ClamTK (clamtk package, GNOME) or KlamAV (KDE) frontends. For ClamTK, install using the dnf command. Once installed, you can access it as ClamTK. With ClamTK, you can scan specific files and directories, as well as your home directory (see Figure 12-9). Searches can be recursive, including subdirectories. You have the option to also check dot configuration files. Infected files are quarantined. The ClamTK dialog has four sections: Configuration, History, Updates, and Analysis. Updates can be automatic or manual. Click the Help button on the upper right to open the ClamTK Virus Scanner documentation with details on scanning updates and settings.

Figure 12-9

The clamtk tool for ClamAV virus protection

You can also install the clamav-milter and clamav-scanner packages, which work with your email application, to detect viruses .

Disk Utility and Udisks

Disk Utility is a Udisks supported user configuration interface for your storage media, such as hard disks, USB drives, and DVD/CD drives (gnome-disk-utility package, installed by default). Tasks supported include disk labeling, mounting disks, disk checks, and encryption. You can also perform more advanced tasks, like managing RAID and LVM storage devices, as well as partitions. Disk Utility is accessible via Utilities ➤ Disk Utility. Users can use Disk Utility to format removable media like USB drives. Disk Utility is also integrated into GNOME Files, letting you format removable media directly.

Note

You can use GParted (GNOME Partition Editor) to create and remove your hard disk partitions, and to display information about them. GParted is available from the EPEL repository. Once it’s installed, you can access it as the GParted Partition Editor.

The Disk Utility window shows a sidebar with entries for your storage media (see Figure 12-10). Clicking on an entry displays information for the media on the right pane. Removable devices such as USB drives display power and eject buttons, along with a task menu with an entry to format the disk. If you are formatting a partition, like that on removable media, you can specify the file system type to use.

Figure 12-10

Disk Utility

If you select a hard disk device, information about the hard disk is displayed on the right pane at the top, such as the model name, serial number, size, partition table type, and SMART status (Assessment) (see Figure 12-11). Click the menu button to display a menu on the upper right with tasks you can perform on the hard drive: Format, Benchmark, and SMART Data.

Figure 12-11

Disk Utility, hard drive

The Volumes section on the hard disk pane shows the partitions set up on the selected hard drive (see Figure 12-12). Partitions are displayed in a graphical icon bar, which displays each partition's size and location on the drive.

Figure 12-12

Disk Utility, Volumes

Clicking on a partition entry on the graphical icon bar displays information about that partition such as the file system type, device name, partition label, and partition size. The Contents entry tells if a partition is mounted. If in use, it displays a Mounted At: entry with a link consisting of the path name where the file system is mounted. You can click on this path name to open a folder with which you can access the file system. The button bar below the Volumes images provides additional tasks you can perform, such as unmounting a file system (square button) and deleting a partition (minus button). From the More Tasks menu, you can choose entries to change the partition label, type, and mount options. Certain partitions, like extended and swap partitions, display limited information and have few allowable tasks.

For more detailed hardware information about a hard drive, you can click on the SMART Data and Tests entry from the task menu in the upper right. This opens a SMART data dialog with hardware information about the hard disk (see Figure 12-13) including temperature, power cycles, bad sectors, and the overall health of the disk. The Attributes section lists SMART details such as the Read Error Rate, Spinup time, temperature, and write error rate. Click the switch on to enable the tests, and off to disable testing. Click the Refresh button to manually run the tests. Click the Start Self-Test button to open a menu with options for short, extended, and conveyance tests.

Figure 12-13

Disk Utility: Hard Disk hardware SMART data

Hardware Sensors

A concern for many users is the temperature and usage of computer components. You install different software packages to enable certain sensors (see Table 12-3). For the CPU, system, fan speeds, and any other motherboard supported sensors, you use the lm_sensors service. Download and install the lm_sensors package. First, you must configure your sensor detection. In a terminal window, log in as the root user (su) and enter the following (answer yes to the prompts):

sudo sensors-detect

This service will detect hardware sensors on your computer. It will run as the lm_sensors service.

Table 12-3

Sensor Packages and Applications

Sensor Application	Description
lm_sensors	Detects and accesses computer (motherboard) sensors, such as CPU and fan speed. Runs sensors-detect once to configure.
hddtemp	Detects hard drive temperatures.
ksensors	KDE sensor applet, frontend for hddtemp.
xsensors	X sensor package.

For hard drive temperature detection, you install hddtemp . You will have to enable the hddtemp daemon, using the service command as the root user, and then you can start the server.

sudo systemctl enable hddtemp

sudo service hddtemp start

If your hard disks are not detected, you can to configure the /etc/sysconfig/hddtemp file to detect specific hard drives. Add the device name of the drives, using [abcd] to match the last letter, as in /dev/sd[abcd] for the sda, sdb, sdc, and sdd hard drives. In the following example, the device name /dev/sd[adcd] was inserted into the HDDTEMP_OPTIONS entry after 127.0.0.1, the localhost IP address used to reference your system.

HDDTEMP_OPTIONS="-l  127.0.0.1  /dev/sd[abcd]"

To edit the hddtemp file, you must open a terminal window and log in as the root user. Then use an editor such as nano or vi. The nano editor is easier to use. (Press Ctrl+o to save and Ctrl+x to exit; use arrow keys to navigate.)

sudo nano /etc/sysconfig/hddtemp

On Gnome, you can use Xsensors and two GNOME extensions (Add-ons in GNOME Software), the Hardware Sensors Indicator and Sensors. The extension run as indicator menus at the right side of the top panel, next to the System Status Area menu. Xsensors is a standalone application, which you can access from the Applications overview (see Figure 12-14).

Figure 12-14

Xsensors

You can then download and install the ksensors package, the KDE applet for displaying sensor information. On KDE, access Ksensors from Applications ➤ System ➤ Hardware Monitor, where it will appear as an icon on the system tray. Once opened, right-click the KSensors dialog and choose Configure from the pop-up menu to open the KSensors configuration dialog. On the sidebar, choose a sensor category such as Hard Disks, radeon (AMD video card), or nouveau (NVIDIA video card) sensors. On the right pane, you can choose from the Sensors and Preferences tabs. The Preferences tab sets the update frequency and temperature scale. The Sensors tab has subtabs that let you change the name (General), make something visible on the panel (Panel) or dock (Dock), or set an alarm (Alarm). For the System Information tab, a System Panels tab replaces the Sensors tab. It includes subtabs for system information such as CPU Speed and RAM used, which you can make visible and set the tile and colors. To have a temperature displayed on the KSensors panel, but sure to click its visible check box on its Panel tab, and then click on the Apply button. Once configured, click the KSensors icon in the message tray to open the KSensors panel (see Figure 12-15).

Figure 12-15

KSensors

SELinux : Configuration with policycoreutils-gui

With policycoreutils-gui, you can manage and configure your SELinux policies, although you cannot create new policies. You can install policycoreutils-gui using the Packages package manager. can access policycoreutils-gui as SELinux Management. The SELinux Administration window lists several panes with a sidebar menu for Status, Boolean, File Labeling, User Mapping, SELinux User, Network Port, Policy Module, and Process Domain (see Figure 12-16). policycoreutils-gui will invoke the SELinux-management tools, such as sestatus and semanage, with appropriate options to make configuration changes.

Figure 12-16

The system-config-selinux, SELinux Management

The Status pane sets the default and current enforcing modes. Here you can enable or disable SELinux, as well as specify the policy type. By default, the enforcing modes are set to Enforcing. You have the choice of Disable, Permissive, and Enforcing. If you are experiencing difficulties accessing your system, you can set the enforcing modes to Permissive or Disabled. Permissive will allow access, but issue warning messages. Disabled will completely shut down SELinux. The policy is normally targeted, focusing on network services like Samba and Apache. You can download and install more restrictive policies, but you may need a detailed understanding of SELinux to manage them.

This pane also features the relabeling option. Sometimes when you install new server software or update your system, you may need to relabel some of your files and directories. Relabeling will mark the files and directories to correct security access. Check Relabel on Next Reboot to perform the relabeling. It may take some time.

You can also quickly turn the enforcing mode on an off from a terminal window with the setenforce command. The 0 argument turns it off, and the 1 argument turns it on.

setenforce 0

Use the getenforce command to see what your current enforcement mode is.

getenforce

Note

Configuration for general SELinux server settings is carried out in the /etc/selinux/config directory. Currently there are only two settings available: the state and the policy. You set the SELINUX variable to the enforcement mode, such as enforcing or permissive, and the SELINUXTYPE variable to the kind of policy you want.

User Mapping shows the mapping of user login names to SELinux users. Initially, there will be two mappings: the root user and the default user.

The Boolean pane lists various options for targeted services, such as web and FTP servers, NFS, and Samba (see Figure 12-17). With these, you can further modify how each service is controlled. There are expandable menus for different services, such as FTP, Apache web server, and Samba. For example, the FTP entry lets you choose whether to allow access to home directories or to NFS transfers.

Figure 12-17

policycoreutils-gui SELinux Boolean pane

To allow access to many network services, you must not only allow access through your firewall but also through SELinux . The Boolean pane has entries for the different network services. Samba, in particular, has to have its Boolean entries set before you can access Samba shares.

The File Labeling pane will list your system directories and files, showing their security contexts and types. You can edit a file’s properties by selecting the entry and then clicking Properties. This displays a dialog with File Name, Type, SELinux Type, and Multi-Level Security (MLS) levels. MLS gives a security level value to resources. Only users with access to certain levels can access the corresponding files and applications. You can change the SELinux type or the MLS level. For a permissive policy, the MLS level will be s0, allowing access to anyone. You can also add or delete entries.

The SELinux Users pane shows the different kinds of SELinux users. Initially, there will be several user types, including root, system_u, and user_u. The root user has full and total administrative access to the entire system. The system_u user allows users to take on administrative access where needed. The user_u user is for normal users. Each entry lists its SELinux user, SELinux prefix, MLS level, MLS range, and SELinux roles. MLS level is the access level (s0 on a permissive policy), and MLS range is the range of access from SystemLow to SystemHigh. A given user has certain roles available. The root user has the system_r, sysadm_r, and staff_r roles, allowing that person system access, administration capability, and staff user access. The user_u users also have a system_r role, allowing those users to perform system administration, if they have the root user password.

The Network Port pane lists the network protocol, the SELinux type, and the MLS security level for ports on your system. Select an entry and click Properties to change the SELinux type or the MLS level for the port. The Group View button will display the SELinux type, along with a list of the ports they apply to. This view does not display the MLS level, as these apply to ports individually.

The Policy Module pane lists the different SELinux policy modules. Here, you will see modules for different applications, such as Thunderbird and Evolution, as well as device service such as USB. Listed also are desktops such as GNOME. The pane allows you to add or remove modules. You can also enable or additional audit rules for a module for logging.

SELinux Troubleshooting and audit2allow

Fedora includes the SELinux troubleshooter , which notifies users of problems that SELinux detects. Whenever SELinux denies access to a file or application, the kernel issues an AVC (Access Vector Cache) notice. These are analyzed by the SELinux troubleshooter to detect problems that users may have to deal with. When a problem is detected, a SELinux troubleshooter notification is displayed in the desktop message tray, along with the troubleshooter icon, as shown here:

Clicking the icon or notice will open the SELinux troubleshooter window. You can also access it at any time as SELinux Troubleshooter. You can find out more information about SELinux troubleshooter at https://fedorahosted.org/setroubleshoot/ .

The SELinux troubleshooter window displays the current notice (see Figure 12-18). Use the Next and Previous buttons to page through notices. The number of the displayed notice is shown between the Previous and Next buttons.

Figure 12-18

SELinux troubleshooter window

Clicking the Troubleshoot button displays detailed information about the notice, listing what you may be trying to do and possible solutions (see Figure 12-19). To see a description of the problem and solution in a separate window, click the Plugin Details button to the right of the solution description (see Figure 12-20). For a full description, including policy type, first and last time seen, and the raw audit message, click the Details button at the top left, next to the Notify Admin button (see Figure 12-21).

Figure 12-19

SELinux troubleshooter, troubleshoot listing

Figure 12-20

SELinux troubleshooter, plugin details window

Figure 12-21

SELinux troubleshooter, full details window

In many cases, the problem may be simple to fix. Often, the security context of a file has to be renamed to allow access, or access set up to a particular port. In this example, SELinux has to access by the print queue daemon lpqd to the Samba socket (Windows access). The audit2allow and semodule operations are listed as the solution. The audit2allow operation sets the policy, and the semodule operation makes it active. You could open a terminal window, log in as the root user (sudo su), and run the commands. You could copy and paste them to the terminal window from the Details window.

ausearch -c 'lpqd' --raw | audit2allow -M my-lpqd

semodule -X 300 -i my-lpqd.pp

You could also use the SELinux Management tool to make the changes. In this case, you’d choose the Network Port tab and click the Add button to open the Add Network Port dialog.

To see a full listing of error messages at once, click the List All Alerts button to display a list of alert notices, along with their date, the number of times the error has occurred, its category, and a brief explanation (see Figure 12-22). The Delete button lets you delete alerts.

Figure 12-22

SELinux troubleshooter alert list

For folders, often the problem is a simple security permission , a security context. For a security context change, you use the chcon command. In the following example, access is granted by Samba to the /mymedia directory.

chcon -R -t samba_share_t '/mymedia'

More complicated problems, especially ones that are unknown, may require you to create a new policy module, using the AVC messages in the audit log. To do this, you can use the audit2allow command. The command will take an audit AVC message and generate commands to allow SELinux access. The audit log used on Fedora is /var/log/audit/audit.log. This log is output to audit2allow—you then can use its -M option to create a policy module.

cat /var/log/audit/audit.log | audit2allow -M local

You then use the semodule command to load the module.

semodule -i local.pp

If you want to first edit the allowable entries, you can use the following code to create a .te file of the local module, local.te, which you can then edit.

audit2allow -m local -i  /var/log/audit/audit.log   >  local.te

Once you have edited the .te file, you can then use checkmodule to compile the module, then semodule_package to create the policy module, local.pp. Then you can install it with semodule. You first create a .mod file with checkmodule and then a .pp file with semodule_package.

checkmodule -M -m -o local.mod local.te

semodule_package -o local.pp  -m local.mod

semodule -i local.pp

In the preceding example, the policy module is called local. If you later want to create a new module with audit2allow, you should either use a different name or append the output to the .te file, using the -o option.