I’ve migrated all my computers and servers to the Fedora Linux distribution over the last three months. I’ve been with Debian — and occasionally Ubuntu — for the last sexennium, but it was time for change. I still like Debian, but the software packages I care about move way too slowly and I started having more and more problems with stale packages and an overall decreased user experience and system stability.
I installed Fedora for the first time on my Lenovo Yoga 3 Pro laptop. Hardware-wise everything but the Broadcom Wi-Fi module — which I later replaced with an Intel model — worked out-of-the-box with no configuration. Unlike my experiences with Debian on the same machine, I didn’t have to make any configuration adjustments to support the laptop’s high resolution display.
Both Debian and Fedora uses GNOME 3 as their default desktop environment, so I didn’t really expect much to change in that department except for a few months newer version in Fedora. I was pleasantly surprised to have been mistaken with that expectation. Running under Fedora; GNOME is faster, more stable, and more integrated with everything. I’ve followed some GNOME development and bloggers and was thrilled to actually see and use the things I’d read about come to life on my own desktop. Programs that crashed every two weeks on Debian seem rock stable in Fedora. The only desktop program that still crash on me fairly regularly is Firefox.
As well as a more pleasant and trouble free day-to-day desktop, Fedora has introduced me to some new technologies: RPM packaging and DNF package manager, FirewallD, and Security Enhanced Linux (SELinux). I’ll next talk about each of them in turn.
DNF and software packages
I only have bad memories from playing with YUM before I really knew much about Linux at all. My experience with DNF couldn’t have been more different.
The transition from DEB packages and the apt command line front-end in Debian to RPM packages and dnf front-end was a smaller transition than I had expected it to be. dnf and apt’s command syntaxes are very similar and they work in mostly the same way. I’ve not managed to get myself into too many dependency and package conflicts with dnf; something that happen every other month with apt. I’ve only ever gotten into trouble with the third-party RPM Fusion repository. It’s development is not kept in sync with Fedora so some updates to Fedora can break packages in RPM Fusion (packages like VLC Media Player, Steam, and VirtualBox).
The software selection in Fedora’s repositories is smaller than Debian’s, but the only package I missed was VirtualBox. I’ve replaced the VirtualBox visualization tool with GNOME Boxes and I’m much happier with Boxes than I’ve been with VirtualBox in a long time. Boxes runs Windows 10 really well and is better integrated with the Linux desktop when compared to VirtualBox. In Debian, the VirtualBox packages had a tendency to disappear from the repositories for weeks on end as the Linux Kernel and VirtualBox’s Kernel extensions fell out of sync. (The same problem appears with the VirtualBox packages in “RPM fusion” — a third-party repository for Fedora.) GNOME Boxes are built on technologies with more permissive licenses that are come built in to the Linux Kernel, so upgrading isn’t an issue. The interface is also more modern and sleeker. I’ll write more about using GNOME Boxes at at a later time.
I’m generally positive to FirewallD as a replacement to Uncomplicated Firewall. Both are front-ends to the Linux Kernel’s built-in firewall and work similar enough for one to be a drop-in replacement for the other. Fedora ships with the firewall enabled by default, unlike Debian and Ubuntu. I’ve previously called out Apple for not enabling the Mac firewall by default and I’m no more favorable to Debian for not enabling it either. FirewallD’s firewall zoning system is interesting though I have not had much use for it as of yet.
For desktop use, FirewallD leaves something to be desired when graphical applications have their network connections blocked. Ideally, there should be a notification or dialog informing the average user about programs not behaving correctly because the firewall blocked connection attempts . I don’t believe the same holds true for server and background services, but foreground applications and games could really benefit from this.
See last week’s article on FirewallD for more about Fedora’s firewall.
Security Enhanced Linux (SELinux)
SELinux is enabled by default in Fedora. I’ve been aware of SELinux for some years but have never enabled it nor read up on it. Finding it already enabled on your system can be a bit confusing when it blocks unapproved behavior and you don’t expect it to be present. Many end up disabling it all together because they only encounter it when they have a concrete problem and a short deadline to fix something. Learning to master SELinux is not on their agenda at the time, and many forum threads online say you shouldn’t disable SELinux but disabling it will solve the “problem”.
Conceptually SELinux is pretty simple once you get it, yet most documentation is very technical. In short, there are multiple security policy presets. Files and sockets are assigned labels that have policies associated with them that specify who else can access the files and what other files they’re allowed to access. I’ve had some issues with not being able to access incorrectly labeled files from PHP-FPM or cache files from Apache where nothing gets logged. I’m still not clear why somethings that are rejected by SELinux enforcement don’t end up in the audit logs; making them much harder to troubleshoot.
I feel more confident with my servers protected by SELinux as an additional layer of security. My various web sites wouldn’t be allowed to do anything too unexpected with SELinux keeping an watchful eye on things. I regret not sitting myself down to learn about SELinux and setting it up years ago.
On the desktop side, I’ve only ever run into SELinux problems with games installed through Steam. Steam and the games it distributes are not configured for an SELinux environment and the SELinux Troubleshooter is no help. I’ve taken to setting SELinux in permissive mode before running any games; otherwise I risk games crashing on start-up, not being able to save game progress, and a heap of other issues. This is far from an ideal solution but the problems encountered with these non-SELinux aware games are often much more complex than with other software. I may spend some time finding a better solution to Steam and SELinux issues at a later time.
My overall impression of Fedora are very favorable. So favorable that after some initial testing, I started deploying it everywhere. The server that powers this website is now running Fedora and protected by FirewallD and SELinux.