About Fedora Linux distro.

Sunday, September 27, 2020

Fedora 32 : Can be better? part 012.

Pidgin is a chat program that lets you log in to accounts on multiple chat networks simultaneously.

Pidgin can be installed on multiple operating systems and platforms.

Pidgin is compatible with the following chat networks out of the box: I.R.C., Jabber/XMPP, Bonjour, Gadu-Gadu, IRC, Novell GroupWise Messenger, Lotus Sametime, SILC, SIMPLE, and Zephyr. Can it be better?

The only problem a user in need of help may have been in the command line environment. Obviously, in this case, this application cannot be used. I would suggest building a terminal application like WeeChat dedicated to Fedora users and including I.R.C channels.

Now, let's install this application.

[root@desk mythcat]# dnf install pidgin.x86_64
Last metadata expiration check: 0:45:32 ago on Sun 27 Sep 2020 04:21:51 PM EEST.
Dependencies resolved.
==============================================================================================
 Package                     Architecture    Version                   Repository        Size
==============================================================================================
Installing:
 pidgin                      x86_64          2.13.0-18.fc32            updates          1.4 M
Installing dependencies:
 cyrus-sasl-md5              x86_64          2.1.27-4.fc32             fedora            41 k
 cyrus-sasl-scram            x86_64          2.1.27-4.fc32             fedora            27 k
 farstream02                 x86_64          0.2.9-1.fc32              fedora           239 k
 gtkspell                    x86_64          2.0.16-20.fc32            fedora            43 k
 libgadu                     x86_64          1.12.2-10.fc32            fedora           110 k
 libnice-gstreamer1          x86_64          0.1.17-2.fc32             updates           20 k
 libpurple                   x86_64          2.13.0-18.fc32            updates          5.2 M
 meanwhile                   x86_64          1.1.0-28.fc32             fedora           106 k

Transaction Summary
==============================================================================================
Install  9 Packages

Total download size: 7.2 M
Installed size: 31 M
Is this ok [y/N]: y
Downloading Packages:
...
Complete!

Tuesday, September 22, 2020

Fedora 32 : Testing the Bookworm software.

The current version of Bookworm (v1.1.2) supports eBooks in the following file formats: EPUB, PDF, MOBI, FB2, CBR, CBZ.

First, I install this software with dnf tool:

[root@desk mythcat]# dnf install bookworm.x86_64 
...
Installed:
  bookworm-1.1.3-0.1.20200414git.c7c3643.fc32.x86_64                                          

Complete!

I tested with some old EPUB and PDF files and I'm not very happy with formatting text on the page.

HI tested with some old EPUB and PDF files and I'm not very happy with the formatting for certain texts on the page, like source code in programming.

Bookworm does one thing and does it well for this simple reader.

You can help this project on GitHub.

Monday, September 21, 2020

Fedora 32 : Can be better? part 011.

Four days ago, the well-known Gnome environment came with a new release.

I guess it will be implemented in Fedora distro soon.

Sunday, September 20, 2020

Fedora 32 : Can be better? part 010.

In this tutorial I will show you how can easy learn with a simple example to have a better Fedora distro with SELinux.

SELinux uses a policy store to keep track of its loaded policy modules and related settings.

You can see my active policy store name is MLS.

[root@desk mythcat]# sestatus | grep Loaded
Loaded policy name:             mls

I want to create policy in the most easy way to denny memory.

I can use many way to do that or find it on SELinux.

If you want to deny user domains applications to map a memory region as both executable and writable you can use deny_execmem.

This is dangerous and the executable should be reported in bugzilla and is is enabled by default.

You must turn on the deny_execmem boolean.

setsebool -P deny_execmem 1

Let's use it:

[root@desk mythcat]# setsebool -P deny_execmem 1
[root@desk mythcat]# ausearch -c 'Web Content' --raw | audit2allow -M my-WebContent
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-WebContent.pp

[root@desk mythcat]# semodule -X 300 -i my-WebContent.pp

Let's see if this SELinux is currently loaded:

[root@desk mythcat]# semodule -l | grep Web
my-WebContent

Tuesday, September 15, 2020

Fedora 32 : Can be better? part 008.

The Fedora development is not very active in the last programming language.
The main reason is the build new packages and put on the repository.
I think this can be improved with a good tool to solve all dependencies and link all into a good package.
Today I tested the new Python version 3.5.10 released on September 5th, 2020.
I download an unzip the archive and I use these commands to build this python version

[mythcat@desk ~]$ cd Python-3.5.10/
[mythcat@desk Python-3.5.10]$ ./configure
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for python3.5... no
checking for python3... python3
checking for --enable-universalsdk... no
...

The next command is make:

[mythcat@desk Python-3.5.10]$ make
gcc -pthread -c -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes
   -Werror=declaration-after-statement   -I. -I./Include    -DPy_BUILD_CORE -o Programs/python.o 
./Programs/python.c
...
# On Darwin, always use the python version of the script, the shell
# version doesn't use the compiler customizations that are provided
# in python (_osx_support.py).
if test `uname -s` = Darwin; then \
 cp python-config.py python-config; \
fi

Then I used make test.

[mythcat@desk Python-3.5.10]$ make test
running build
running build_ext
INFO: Can't locate Tcl/Tk libs and/or headers

Python build finished successfully!
...

For the last part I used this command:

[mythcat@desk Python-3.5.10]$ sudo make install
...

The result of this is ...

[mythcat@desk Python-3.5.10]$ ls
aclocal.m4     config.sub    Include          Mac              Modules  platform        python            README
build          configure     install-sh       Makefile         Objects  Programs        Python            setup.py
config.guess   configure.ac  Lib              Makefile.pre     Parser   pybuilddir.txt  python-config     Tools
config.log     Doc           libpython3.5m.a  Makefile.pre.in  PC       pyconfig.h      python-config.py
config.status  Grammar       LICENSE          Misc             PCbuild  pyconfig.h.in   python-gdb.py
[mythcat@desk Python-3.5.10]$ ./python 
Python 3.5.10 (default, Sep  6 2020, 22:32:07) 
[GCC 10.2.1 20200723 (Red Hat 10.2.1-1)] on linux
Type "help", "copyright", "credits" or "license" for more information.
...

Fedora 32 : Can be better? part 009.

The Fedora distro will be better if the development team will come with useful, accurate, and up-to-date information. A very simple example is C and C ++ programming and more precisely how to build programs and packages. Let's take a simple example of creating interfaces with GTK. Let's take a simple example of creating interfaces with GTK that require knowledge of the GCC compiler. First I install gtk3-devel package:

dnf install gtk3-devel

The Fedora team come with a group install with many feature.

#dnf -y groupinstall "Development Tools"

I test with these examples:

#include 

int main(int   argc,
     char *argv[])
{
  GtkWidget *window;
    
  gtk_init (&argc, &argv);
    
  window = gtk_window_new (GTK_WINDOW_TOPLEVEL);
  gtk_window_set_title (GTK_WINDOW (window), "Hello World");
  gtk_widget_show  (window);
    
  gtk_main ();
    
  return 0;
}

This create a simple window with Hello World title.

#include 

static void on_window_closed(GtkWidget * widget, gpointer data)
{
    gtk_main_quit();
}

int main(int argc, char * argv[])
{
    GtkWidget * window, * label;

    gtk_init(&argc, &argv);

    window = gtk_window_new(GTK_WINDOW_TOPLEVEL);

    g_signal_connect( window, "destroy", G_CALLBACK(on_window_closed), NULL);

    label = gtk_label_new("Hello, World!");

    gtk_container_add(GTK_CONTAINER(window), label);

    gtk_widget_show(label);
    gtk_widget_show(window);

    gtk_main();

    return 0;
}

This is the same example but you will see a label with te text Hello, World!.
The last example is more complex and involves the use of signals attached to the close button and the OK button.
The main window contains three labels with my name and an editbox in which you have to enter my nickname mythcat or something else.

#include 

const char *password = "mythcat";

// close the window application 
void closeApp(GtkWidget *widget, gpointer data)
{
    gtk_main_quit();
}

// show text when you click on button 
void button_clicked(GtkWidget *button, gpointer data)
{
    const char *password_text = gtk_entry_get_text(GTK_ENTRY((GtkWidget *)data));

    if(strcmp(password_text, password) == 0)
        printf("Access granted for user: \"%s\"\n",password);
    else
        printf("Access denied!\n");
 
}

int main( int argc, char *argv[])
{
    GtkWidget *window;
    GtkWidget *label1, *label2, *label3;
    GtkWidget *hbox;
    GtkWidget *vbox;
    GtkWidget *ok_button;
    GtkWidget *password_entry;

    gtk_init(&argc, &argv);

    window = gtk_window_new(GTK_WINDOW_TOPLEVEL);

    gtk_window_set_title(GTK_WINDOW(window), "Labels, password with one button and layout");
    gtk_window_set_position(GTK_WINDOW(window), GTK_WIN_POS_CENTER);
    gtk_window_set_default_size(GTK_WINDOW(window), 300, 200);

    g_signal_connect(G_OBJECT(window), "destroy", G_CALLBACK(closeApp), NULL);

    label1 = gtk_label_new("Catalin");
    label2 = gtk_label_new("George");
    label3 = gtk_label_new("Festila");

    password_entry = gtk_entry_new();
    gtk_entry_set_visibility(GTK_ENTRY(password_entry), FALSE);
    ok_button = gtk_button_new_with_label("OK");
    g_signal_connect(G_OBJECT(ok_button), "clicked", G_CALLBACK(button_clicked),password_entry);

    hbox = gtk_box_new(FALSE, 1);
    vbox = gtk_box_new(TRUE, 2);

    gtk_box_pack_start(GTK_BOX(vbox), label1, TRUE, FALSE, 5);
    gtk_box_pack_start(GTK_BOX(vbox), label2, TRUE, FALSE, 5);
    gtk_box_pack_start(GTK_BOX(hbox), vbox, FALSE, TRUE, 5);
    gtk_box_pack_start(GTK_BOX(hbox), label3, FALSE, FALSE, 5);
    gtk_box_pack_start(GTK_BOX(vbox), ok_button, FALSE, FALSE, 5);
    gtk_box_pack_start(GTK_BOX(hbox), password_entry, TRUE, FALSE, 5);
    gtk_container_add(GTK_CONTAINER(window), hbox);

    gtk_widget_show_all(window);

    gtk_main();

    return 0;
}

The result can be seen in the following image:

I put the source code for the last example in a test.c file and compiled it like this:

[mythcat@desk ~]$ gcc test.c $(pkg-config --cflags --libs gtk+-3.0) -o test
[mythcat@desk ~]$ ./test

Saturday, September 5, 2020

Fedora 32 : Can be better? part 007.

Another article in the Can be better? series that deals with a very popular feature called SELinux. Here that in this seventh part I will introduce you to the world of SELinux in my own style of simply explaining some SElinux configurations.
Let's recap some basic elements specific to SELinux.
Multi Category Security or MCS is a discretionary implementation of the mandatory Multi Level Security
MCS basically tries to use the MLS attributes: Security Levels and Security Compartments.
MCS implemented have one or more extra fields in their Security Context tuple: user_u:role_r:type_t:s0:c0.
You can see this with id -Z.
The MLS Range contains two components, the low (classification and compartments) and high (clearance).
sensitivity label build from the low component: s2 with c1, c2 ...
MCS does have 1024 categories that can be assigned to processes and files.
On an MLS system are two special labels, SystemLow(s0) and SystemHigh (s15:c0.c255).
The upper end of the MCS range is in an MCS environment s0:c0.c1023 is SystemHigh.
By default, everything in an MCS environment has access to SystemLow or s0.
You will able to access files with s0:c122 and s0:c123 categories.
The MLS translation mechanism to give a more literal meaning to the machine-like policy used in the MLS sensitivity and category declaration.
The MLS rule says: "no read up and no write down".
The MLS model is used to enforce confidentiality.
All processes that are forced to operate with Security Level.
The s0 Security Level or SystemLow level is the lower end of the Security Level Range in an MLS environment.
If you do not have the correct configurations then the SELinux setting operation for Enforcing could generate errors in the linux operation after reboot or during Linux operation.
You will need to have the root password and return for new SELinux settings.
Let's solve this issue: put SELinux into Enforce mode but give my user possibility to use command sudo su.
First, you need to see this table:

SELinux user	Description	Used for
unconfined_u	SELinux user meant for unrestricted users. Unconfined users have hardly any restrictions in a SELinux context and are meant for systems where only Internet-facing services should run confined (i.e. the targeted SELinux policy store).	All users on a targeted system
root	The SELinux user meant for the root account	The Linux root account
sysadm_u	SELinux user with direct system administrative role assigned	Linux accounts that only perform administrative tasks
staff_u	SELinux user for operators that need to run both non-administrative commands (through the `staff_r` role) and administrative commands (through the `sysadm_r` role).	Linux accounts used for both end user usage as well as administrative tasks
user_u	SELinux user for non-privileged accounts	Unprivileged Linux accounts
system_u	Special SELinux user meant for system services	Not used directly

Is need to change my user mythcat to staff_u with a good MLS Range.

[root@desk mythcat]# semanage login --modify --seuser staff_u --range s2:c100 mythcat
[root@desk mythcat]# semanage login --modify --seuser staff_u --range s0-s15:c0.c1023 mythcat
[root@desk mythcat]# semanage login -l 
[root@desk mythcat]# setenforce enforcing
[root@desk mythcat]# getenforce
Enforcing
[root@desk mythcat]# semanage login -l 
ValueError: Cannot read policy store.

After reboot need some time to load the new changes, first is the last configuration.

[mythcat@desk ~]$ semanage login -l
ValueError: SELinux policy is not managed or store cannot be accessed.
[mythcat@desk ~]$ id -Z
staff_u:staff_r:staff_t:s0-s15:c0.c1023
[mythcat@desk ~]$ sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33

Few seconds later all is good:

[mythcat@desk ~]$ sudo su 
[sudo] password for mythcat: 
bash: /root/.bashrc: Permission denied
bash-5.0# ls
bash-5.0# sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33
bash-5.0# id -Z
staff_u:staff_r:staff_t:s0-s15:c0.c1023
bash-5.0# exit 
exit
[mythcat@desk ~]$ sestatus 
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: enforcing
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Memory protection checking: actual (secure)
Max kernel policy version: 33

Everything is fine for now, this delay is the reason for using the selinux kernel settings. More information about Multi-Level Security and Multi-Category Security can be found on this webpage.

Pages