#59 Another bunch of docs created during the 2nd Fedora Docs Day
Merged 5 years ago by mjahoda. Opened 5 years ago by mjahoda.
Unknown source master  into  master

@@ -0,0 +1,12 @@

+ [id='Configuring-networking-with-nmcli']

+ = Configuring networking with nmcli

+ 

+ How to configure networking using the [application]*nmcli* (NetworkManager Command Line Interface) command-line utility.

+ 

+ include::modules/con_Getting-started-with-nmcli.adoc[leveloffset=+1]

+ 

+ include::modules/proc_Brief-selection-of-nmcli-examples.adoc[leveloffset=+1]

+ 

+ include::modules/con_Understanding-the-nmcli-options.adoc[leveloffset=+1]

+ 

+ include::modules/proc_Configuring-networking-with-nmcli.adoc[leveloffset=+1]
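Review bot: The `[id='Configuring-networking-with-nmcli']` on the first line of this assembly is repeated by the module titled "Configuring networking with nmcli - quick reference" later in this patch, which looks like the file pulled in by the last include here. If so, the rendered page gets two identical anchors and any cross-reference to that id becomes ambiguous. Give the assembly or the module a distinct id.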

@@ -0,0 +1,3 @@

+ :md: ./modules

+ 

+ include::{md}/proc_displaying_user_prompt_on_gnome_login_screen.adoc[leveloffset=+1]

@@ -0,0 +1,17 @@

+ :experimental:

+ :imagesdir: ./images

+ :md: ./modules

+ 

+ [[installing-and-running-vlc]]

+ = Installing and Running VLC

+ 

+ include::3rdparty-message.adoc[]

+ 

+ :leveloffset: +1

+ 

+ include::{md}/proc_installing_vlc.adoc[]

+ include::{md}/proc_running_vlc.adoc[]

+ include::{md}/concept_third-party-repositories.adoc[]

+ include::{md}/con_the-purpose-of-rpm-fusion.adoc[]

+ 

+ :leveloffset: 0
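Review bot: The include list mixes two prefixes for concept modules, `concept_third-party-repositories.adoc` and `con_the-purpose-of-rpm-fusion.adoc`, while the nmcli modules in this patch use `con_` throughout. Settle on one prefix so module names stay predictable. Separately, `3rdparty-message.adoc` is included without the `{md}` path that the other includes use; confirm that is intentional.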

@@ -0,0 +1,122 @@

+ // Module included in the following assemblies:

+ //

+ // assembly_Configuring-networking-with-nmcli.adoc

+ 

+ [id='Getting-started-with-nmcli']

+ = Getting started with nmcli

+ 

+ The [application]*nmcli* (NetworkManager Command Line Interface) command-line utility is used for controlling NetworkManager and reporting network status. It can be utilized as a replacement for [application]*nm-applet* or other graphical clients. [application]*nmcli* is used to create, display, edit, delete, activate, and deactivate network connections, as well as control and display network device status.

+ 

+ The [application]*nmcli* utility can be used by both users and scripts for controlling [application]*NetworkManager*:

+ 

+ * For servers, headless machines, and terminals, [application]*nmcli* can be used to control [application]*NetworkManager* directly, without GUI, including creating, editing, starting and stopping network connections and viewing network status.

+ 

+ * For scripts, [application]*nmcli* supports a terse output format which is better suited for script processing. It is a way to integrate network configuration instead of managing network connections manually.

+ 

+ The basic format of a [application]*nmcli* command is as follows:

+ 

+ [literal,subs="+quotes,verbatim"]

+ ....

+ nmcli [OPTIONS] OBJECT { COMMAND | help }

+ ....

+ 

+ where OBJECT can be one of the following options: `general`, `networking`, `radio`, `connection`, `device`, `agent`, and `monitor`. You can use any prefix of these options in your commands. For example, [command]`nmcli con help`, [command]`nmcli c help`, [command]`nmcli connection help` generate the same output.

+ 

+ Some of useful optional OPTIONS to get started are:

+ 

+ -t, terse::

+ +

+ This mode can be used for computer script processing as you can see a terse output displaying only the values.

+ +

+ [[ex-Viewing_a_terse_output_for_scripts]]

+ .Viewing a terse output

+ ====

+ 

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ ~]$ pass:attributes[{blank}][command]`nmcli -t device`

+ ens3:ethernet:connected:Profile 1

+ lo:loopback:unmanaged:

+ 

+ ....

+ 

+ ====

+ 

+ -f, field::

+ +

+ This option specifies what fields can be displayed in output. For example, NAME,UUID,TYPE,AUTOCONNECT,ACTIVE,DEVICE,STATE. You can use one or more fields. If you want to use more, do not use space after comma to separate the fields.

+ +

+ [[ex-Specifying_Fields_in_the_output]]

+ .Specifying Fields in the output

+ ====

+ 

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ ~]$ pass:attributes[{blank}][command]`nmcli -f DEVICE,TYPE device`

+ DEVICE  TYPE

+ ens3    ethernet

+ lo      loopback

+ ....

+ 

+ or even better for scripting:

+ 

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ ~]$ pass:attributes[{blank}][command]`nmcli -t -f DEVICE,TYPE device`

+ ens3:ethernet

+ lo:loopback

+ 

+ ....

+ 

+ ====

+ 

+ -p, pretty::

+ +

+ This option causes [application]*nmcli* to produce human-readable output. For example, values are aligned and headers are printed.

+ +

+ [[ex-Viewing_an_output_in_pretty_Mode]]

+ .Viewing an output in pretty mode

+ ====

+ 

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ ~]$ pass:attributes[{blank}][command]`nmcli -p device`

+ =====================

+   Status of devices

+ =====================

+ DEVICE  TYPE      STATE      CONNECTION

+ --------------------------------------------------------------

+ ens3    ethernet  connected  Profile 1

+ lo      loopback  unmanaged  --

+ 

+ ....

+ 

+ ====

+ 

+ -h, help::

+ +

+ Prints help information.

+ 

+ The [application]*nmcli* tool has some built-in context-sensitive help. To list the available options and object names:

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ ~]$ [command]`nmcli help`

+ ....

+ 

+ To list available actions related to a specified object:

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ ~]$ [command]`nmcli _object_ help`

+ ....

+ 

+ For example,

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ ~]$ [command]`nmcli c help`

+ ....

+ 

+ [discrete]

+ == Additional resources

+ * link:++https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-introduction_to_networkmanager++[Introduction to NetworkManager]

+ 

+ * link:++https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-installing_networkmanager#sec-Interacting_with_NetworkManager[Interacting with NetworkManager]
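Review bot: The second link under "Additional resources" opens the URL with `++` but never closes it (`...#sec-Interacting_with_NetworkManager[Interacting with NetworkManager]`), unlike the first link, so the passthrough is unterminated and the link will not render as intended; add the closing `++` before the `[`. The option labels also drop the dashes from the long forms: `-t, terse`, `-f, field`, `-p, pretty`, `-h, help` should read `-t, --terse`, `-f, --fields`, `-p, --pretty`, `-h, --help`, otherwise a reader who types the long form as written gets an error. "Some of useful optional OPTIONS" needs rewording, for example "Some useful OPTIONS to get started are:".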

@@ -0,0 +1,65 @@

+ // Module included in the following assemblies:

+ //

+ // assembly_Configuring-networking-with-nmcli.adoc

+ 

+ [id='Understanding-the-nmcli-options']

+ = The nmcli options

+ 

+ Following are some of the important [application]*nmcli* property options:

+ 

+ 

+ [option]`connection.type`::

+ +

+ A connection type. Allowed values are: adsl, bond, bond-slave, bridge, bridge-slave, bluetooth, cdma, ethernet, gsm, infiniband, olpc-mesh, team, team-slave, vlan, wifi, wimax. Each connection type has type-specific command options. For example:

+ +

+ ** A `gsm` connection requires the access point name specified in an [option]`apn`.

+ +

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ nmcli c add connection.type gsm apn pass:quotes[_access_point_name_]

+ ....

+ +

+ ** A `wifi` device requires the service set identifier specified in a [option]`ssid`.

+ +

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ nmcli c add connection.type wifi ssid

+ _My identifier_

+ ....

+ 

+ You can see the `TYPE_SPECIFIC_OPTIONS` list in the [citetitle]_pass:attributes[{blank}]*nmcli*(1)_ man page.

+ 

+ [option]`connection.interface-name`::

+ +

+ A device name relevant for the connection.

+ +

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ nmcli con add connection.interface-name _eth0_ type _ethernet_

+ ....

+ 

+ [option]`connection.id`::

+ +

+ A name used for the connection profile. If you do not specify a connection name, one will be generated as follows:

+ +

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ _connection.type -connection.interface-name_

+ ....

+ +

+ The [option]`connection.id` is the name of a _connection profile_ and should not be confused with the interface name which denotes a device (`wlan0`, `ens3`, `em1`). However, users can name the connections after interfaces, but they are not the same thing. There can be multiple connection profiles available for a device. This is particularly useful for mobile devices or when switching a network cable back and forth between different devices. Rather than edit the configuration, create different profiles and apply them to the interface as needed. The [option]`id` option also refers to the connection profile name.

+ 

+ The most important options for [application]*nmcli* commands such as `show`, `up`, `down` are:

+ 

+ [option]`id`::

+ +

+ An identification string assigned by the user to a connection profile. Id can be used in nmcli connection commands to identify a connection. The NAME field in the command output always denotes the connection id. It refers to the same connection profile name that the con-name does.

+ 

+ [option]`uuid`::

+ +

+ A unique identification string assigned by the system to a connection profile. The `uuid` can be used in [command]`nmcli connection` commands to identify a connection.

+ 

+ [discrete]

+ == Additional resources

+ 

+ *  See the comprehensive list in the [citetitle]_pass:attributes[{blank}]*nmcli*(1)_ man page.
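Review bot: The `wifi` example is split across two lines inside the literal block (`nmcli c add connection.type wifi ssid` followed by `_My identifier_` on its own line), so it renders as a command with no SSID and a stray second line. Put the placeholder on the same line as the command, and since the sample value contains a space, either quote it or use a placeholder without spaces as the `gsm` example does with `_access_point_name_`. The generated-name pattern `_connection.type -connection.interface-name_` also has a stray space before the hyphen. In the `id` description, "the con-name" is used without having been introduced anywhere in this module.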

@@ -0,0 +1,27 @@

+ [id='viewing-logs']

+ = Viewing logs

+ 

+ Log files contain messages about the system, including the kernel, services, and applications running on it. There are different log files for different information. For example, there is a default system log file, a log file for security messages, and a log file for cron tasks.

+ 

+ [id='locating-log-files']

+ == Locating log files

+ 

+ Most log files are located in the `/var/log/` directory.

+ 

+ `Rsyslog` is a system utility that provides support for logging. To install the _rsyslog_ package:

+ ----

+ $ sudo dnf install rsyslog

+ ----

+ To view a list of log files maintained by the related daemon, `rsyslogd`, enter the following command:

+ ----

+ $ less /etc/rsyslog.conf

+ ----

+ 

+ [id='viewing-log-files']

+ == Viewing log files

+ 

+ In Fedora, there are two ways to open the log files:

+ 

+ * The command line

+ 

+ * A GUI application

@@ -0,0 +1,108 @@

+ // Module included in the following assemblies:

+ //

+ // assembly_Configuring-networking-with-nmcli.adoc

+ 

+ [id='Brief-selection-of-nmcli-examples']

+ = Brief Selection of nmcli Examples

+ 

+ This section provides a brief selection of [application]*nmcli* examples.

+ 

+ [discrete]

+ == Prerequisites

+ <<Getting-started-with-nmcli>>

+ 

+ 

+ .Checking the overall status of NetworkManager

+ ====

+ 

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ ~]$ pass:attributes[{blank}][command]`nmcli general status`

+ STATE      CONNECTIVITY  WIFI-HW  WIFI     WWAN-HW  WWAN

+ connected  full          enabled  enabled  enabled  enabled

+ ....

+ 

+ In terse mode:

+ 

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ ~]$ pass:attributes[{blank}][command]`nmcli -t -f STATE general`

+ connected

+ ....

+ 

+ ====

+ 

+ .Viewing NetworkManager logging status

+ ====

+ 

+ [literal,subs="+quotes,verbatim"]

+ ....

+ ~]$ [command]`nmcli general logging`

+   LEVEL  DOMAINS

+   INFO   PLATFORM,RFKILL,ETHER,WIFI,BT,MB,DHCP4,DHCP6,PPP,WIFI_SCAN,IP4,IP6,A

+ UTOIP4,DNS,VPN,SHARING,SUPPLICANT,AGENTS,SETTINGS,SUSPEND,CORE,DEVICE,OLPC,

+ WIMAX,INFINIBAND,FIREWALL,ADSL,BOND,VLAN,BRIDGE,DBUS_PROPS,TEAM,CONCHECK,DC

+ B,DISPATCH

+ ....

+ 

+ ====

+ 

+ .Viewing all connections

+ ====

+ 

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ ~]$ pass:attributes[{blank}][command]`nmcli connection show`

+   NAME       UUID                                  TYPE      DEVICE

+ Profile 1  db1060e9-c164-476f-b2b5-caec62dc1b05  ethernet    ens3

+ ens3       aaf6eb56-73e5-4746-9037-eed42caa8a65  ethernet    --

+ ....

+ 

+ ====

+ 

+ .Viewing only currently active connections

+ ====

+ 

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ ~]$ pass:attributes[{blank}][command]`nmcli connection show --active`

+   NAME       UUID                                  TYPE      DEVICE

+ Profile 1  db1060e9-c164-476f-b2b5-caec62dc1b05  ethernet     ens3

+ ....

+ 

+ ====

+ 

+ .Viewing only devices recognized by [application]*NetworkManager* and their state

+ ====

+ 

+ [literal,subs="+quotes,verbatim,macros"]

+ ....

+ ~]$ pass:attributes[{blank}][command]`nmcli device status`

+ DEVICE  TYPE      STATE      CONNECTION

+ ens3    ethernet  connected  Profile 1

+ lo      loopback  unmanaged  --

+ ....

+ 

+ ====

+ 

+ You can also use the following abbreviations of the [application]*nmcli* commands:

+ 

+ [[tabl-nmcli_examples]]

+ .Abbreviations of some nmcli commands

+ 

+ [options="header"]

+ |===

+ |nmcli command|abbreviation

+ |nmcli general status|nmcli g

+ |nmcli general logging|nmcli g log

+ |nmcli connection show|nmcli con show

+ |nmcli connection show --active|nmcli con show -a

+ |nmcli device status|nmcli dev

+ |===

+ 

+ [discrete]

+ == Additional resources

+ 

+ * For more examples, see the

+ [citetitle]_pass:attributes[{blank}]*nmcli-examples*(5)_

+ man page.
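Review bot: The sample output under "Viewing NetworkManager logging status" is hard-wrapped in the middle of domain names (`A` / `UTOIP4`, `DC` / `B`), and because it sits in a literal block those breaks will be rendered verbatim, so readers see domains that do not exist. Wrap the list at commas or keep it on one line. The `NAME` header rows in the two `nmcli connection show` examples are indented by two spaces and no longer line up with the data rows beneath them. Under "Prerequisites", the bare `<<Getting-started-with-nmcli>>` should be a list item to match the other discrete sections.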

@@ -0,0 +1,70 @@

+ [id=displaying-user-prompt-instead-of-list-of-users-on-GNOME-login-screen]

+ = Displaying a user prompt instead of a list of users on the GNOME login screen

+ 

+ To show a user prompt on the GNOME login screen, open a terminal and perform the following steps:

+ 

+ . Create a file for the GNOME Display Manager (GDM) configuration.

+ +

+ ----

+ $ sudo mkdir /etc/dconf/db/gdm.d

+ ----

+ +

+ ----

+ $ vim /etc/dconf/db/gdm.d/01-hide-users

+ ----

+ 

+ . In a text editor of your choice, `vim` in this example, insert the following content to the `/etc/dconf/db/gdm.d/01-hide-users` file:

+ +

+ ----

+ [org/gnome/login-screen]

+ banner-message-enable=true

+ banner-message-text='ENTER ANY MESSAGE YOU WANT HERE. FOR A NEW LINE USE \n.'

+ disable-restart-buttons=true

+ disable-user-list=true

+ ----

+ +

+ [NOTE]

+ --

+ To not display the banner message, do not include the first and second line. To enable the `Restart` button, do not include the fourth line.

+ --

+ +

+ Save the file and return to the terminal.

+ 

+ . Create another file for GDM configuration.

+ +

+ ----

+ $ sudo vim /etc/dconf/profile/gdm

+ ----

+ +

+ Insert the following content in the `/etc/dconf/profile/gdm` file:

+ +

+ ----

+ user-db:user

+ system-db:gdm

+ ----

+ +

+ Save the file.

+ 

+ . Enter the following command:

+ +

+ ----

+ $ sudo dconf update

+ ----

+ 

+ . Check if the command was executed correctly:

+ +

+ ----

+ $ ls /etc/dconf/db

+ ----

+ +

+ The output should contain the following:

+ +

+ ----

+ gdm gdm.d ... [output truncated]

+ ----

+ 

+ . Restart GDM for the changes to take effect.

+ +

+ ----

+ $ sudo systemctl restart gdm

+ ----
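Review bot: The NOTE counts the lines wrongly: the first line of the file is the `[org/gnome/login-screen]` section header, so "do not include the first and second line" tells the reader to delete the header and leaves `banner-message-text` in place. The banner settings are the second and third lines; the fourth line (`disable-restart-buttons=true`) is correct as stated. Naming the keys instead of counting lines would avoid the problem. In step 1, `vim /etc/dconf/db/gdm.d/01-hide-users` is run without `sudo` although the directory was just created with `sudo mkdir`, so the file cannot be saved as written; step 3 does use `sudo vim`. Step 1 is also titled "Create a file" while its first command creates a directory.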

@@ -0,0 +1,25 @@

+ [[installing-vlc]]

+ = Installing VLC

+ 

+ To install the link:https://www.videolan.org/[VLC media player], you must enable a third-party repository from link:https://rpmfusion.org/[RPM Fusion].

+ 

+ . Install package provided by RPM Fusion to enable the repository:

+ +

+ ----

+ $ sudo dnf install https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm

+ ----

+ 

+ . Install VLC:

+ +

+ ----

+ $ sudo dnf install vlc

+ ----

+ 

+ [discrete]

+ == Additional resources

+ 

+ * link:https://www.videolan.org/vlc/download-fedora.html[VLC Media Player for Fedora].

+ 

+ * Ask Fedora: link:https://ask.fedoraproject.org/en/question/9111/sticky-what-plugins-do-i-need-to-install-to-watch-movies-and-listen-to-music/[What plugins do I need to install to watch movies and listen to music?]

+ 

+ // * link:http://ask.fedoraproject.org/en/question/98715/install-vlc-on-fedora-25/[Install VLC on Fedora 25]
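Review bot: Step 1 has the reader install a release package directly from a URL with `sudo dnf install https://download1.rpmfusion.org/...`, and that package is what adds the repository and its signing keys, yet the text gives no way to confirm the keys are the genuine RPM Fusion ones. Add a sentence pointing to where RPM Fusion publishes its key fingerprints and tell the reader to compare them when `dnf install vlc` prompts to import the key. The step text should read "Install the package provided by RPM Fusion". The commented-out `http://ask.fedoraproject.org` link at the end can be dropped rather than merged as a comment.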

@@ -0,0 +1,13 @@

+ 

+ [id='using-GUI-to-view-log-files']

+ === Using GUI to view log files

+ 

+ To view log files in GUI, use the `GNOME Logs` application. `GNOME Logs` is not installed by default, press the `Super` key and type `Software`. In the `Search` field type `Logs` and choose the `GNOME Logs` item from the list of results and install the application.

+ 

+ In `GNOME Logs`, you can filter for time periods, search within logs, and display categories.

+ 

+ * To select a log file type, from the side bar of GNOME Logs, select the type to view.

+ * To select a time period, from the menu bar, click *Logs*, and select a time period.

+ * To search within logs, select a log file from the results pane.

+ . Click the search icon.

+ . Enter one or more search criterion in the search field.
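Review bot: The first paragraph runs the install instructions into the previous sentence with a comma ("`GNOME Logs` is not installed by default, press the `Super` key ..."); split it into a sentence stating that the application is not installed by default, followed by the installation steps as a numbered list. In the last step, "one or more search criterion" should be "one or more search criteria". UI element names here are set in backticks, whereas the other modules in this patch use bold or italics for application and key names; pick one convention.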

@@ -0,0 +1,45 @@

+ [id='using-the-command-line-to-view-log-files]

+ === Using the command line to view log files

+ 

+ You can use the command line to view logs in different ways, for example:

+ 

+ * Using the *journalctl* command

+ * Using the commands for viewing, for example *cat*, *more*, *less*, *tail*, or *head*

+ * Combine the commands for viewing with the *grep* command

+ * Using a text editor, for example, `nano` or `vim`

+ 

+ [id='using-journalctl-to-view-system-information']

+ ==== Using journalctl to view  system information.

+ 

+ * To view all collected logs with no filter:

+ ----

+ $ journalctl

+ ----

+ 

+ * To view a specific log file, enter the *journalctl* command with a log filepath. The example command returns all logs of the kernel device node `/dev/sda`:

+ ----

+ $ journalctl /dev/sda

+ ----

+ 

+ * To view the boot logs, run the following command:

+ ----

+ $ journalctl -k -b -1

+ ----

+ 

+ * For more information on *journalctl*, read the man page:

+ ----

+ $ man journalctl

+ ----

+ 

+ [id='using-the-command-line-to-open-log-files-in-text-editor']

+ ==== Using the command line to open log files in a text editor

+ 

+ All log files are in plain text. To open a log file in a text editor, enter the following command:

+ ----

+ $ nano <logfilename>

+ ----

+ 

+ If the root permissions are required:

+ ----

+ $ sudo nano <logfilename>

+ ----
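Review bot: The id on the first line is missing its closing quote: `[id='using-the-command-line-to-view-log-files]`, so the anchor will not be set as intended. The description of `journalctl -k -b -1` as "view the boot logs" is also imprecise: `-k` restricts output to kernel messages and `-b -1` selects the previous boot, so the command shows kernel messages from the boot before the current one; say that, or use `journalctl -b` if the current boot is meant. The heading "Using journalctl to view  system information." has a double space and a trailing period. The statement "All log files are in plain text" sits directly after the journalctl section and should be scoped to the files under `/var/log/`.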

@@ -0,0 +1,20 @@

+ [[running-vlc]]

+ = Running VLC

+ 

+ * To run the VLC media player using GUI:

+ +

+ --

+ . Open the launcher by pressing the _Super_ key.

+ . Type _vlc_.

+ . Press _Enter_.

+ --

+ 

+ 

+ * To run VLC from the command line:

+ +

+ [subs="quotes"]

+ ----

+ $ vlc _source_

+ ----

+ +

+ Replace _source_ with path to the file to be played, URL, or other data source. For more details, see link:https://wiki.videolan.org/Documentation:Command_line/#Opening_streams[Opening streams] on VideoLAN wiki.

@@ -0,0 +1,214 @@

+ [id='Configuring-networking-with-nmcli']

+ = Configuring networking with nmcli - quick reference

+ 

+ [[networkmanager-status]]

+ == NetworkManager status

+ 

+ Display overall status of NetworkManager:

+ ----

+ $ nmcli general status

+ ----

+ 

+ Display active connections:

+ ----

+ $ nmcli connection show --active

+ ----

+ 

+ Display all configured connections:

+ ----

+ $ nmcli connection show configured

+ ----

+ 

+ [[connectdisconnect-to-an-already-configured-connection]]

+ == Connect/disconnect to an already configured connection

+ 

+ Connect to a configured connection by name:

+ ----

+ $ nmcli connection up id <connection_name>

+ ----

+ 

+ Disconnection by name:

+ ----

+ $ nmcli connection down id <connection_name>

+ ----

+ 

+ [[wi-fi]]

+ == Wi-Fi

+ 

+ Get Wi-Fi status:

+ ----

+ $ nmcli radio wifi

+ ----

+ 

+ Turn Wi-Fi on or off:

+ ----

+ $ nmcli radio wifi _on|off_

+ ----

+ 

+ List available access points (AP) to connect to:

+ ----

+ $ nmcli device wifi list

+ ----

+ 

+ Refresh the previous list:

+ ----

+ $ nmcli device wifi rescan

+ ----

+ 

+ Create a new connection to an open AP:

+ ----

+ $ nmcli device wifi connect <SSID|BSSID>

+ ----

+ 

+ Create a new connection to a password protected AP:

+ ----

+ $ nmcli device wifi connect <SSID|BSSID> password <password>

+ ----

+ 

+ 

+ == Network interfaces

+ 

+ List available devices and their status:

+ ----

+ $ nmcli device status

+ ----

+ 

+ Disconnect an interface:

+ ----

+ $ nmcli device disconnect iface <interface>

+ ----

+ 

+ [[create-or-modify-a-connection]]

+ == Create or modify a connection

+ 

+ To create a new connection using an interactive editor

+ ----

+ $ nmcli connection edit con-name <name_of_new_connection>

+ ----

+ 

+ To edit an already existing connection using an interactive editor:

+ ----

+ $ nmcli connection edit <connection_name>

+ ----

+ 

+ [[exampletutorial]]

+ === Example/Tutorial

+ 

+ Create a new connection:

+ ----

+ $ nmcli connection edit con-name _name of new connection_

+ ----

+ 

+ It asks us to define a connection type:

+ ----

+ Valid connection types: 802-3-ethernet (ethernet), 802-11-wireless (wifi), wimax, gsm, cdma, infiniband, adsl, bluetooth, vpn, 802-11-olpc-mesh (olpc-mesh), vlan, bond, team, bridge, bond-slave, team-slave, bridge-slave

+ Enter connection type:

+ ----

+ 

+ In this example, we use ethernet:

+ ----

+ Enter connection type: ethernet

+ ----

+ 

+ The following message appears, note that `nmcli>` is a prompt and that it lists the main settings available:

+ ----

+ ===| nmcli interactive connection editor |===

+ 

+ Adding a new '802-3-ethernet' connection

+ 

+ Type 'help' or '?' for available commands.

+ Type 'describe [<setting>.<prop>]' for detailed property description.

+ 

+ You may edit the following settings: connection, 802-3-ethernet (ethernet), 802-1x, ipv4, ipv6

+ nmcli>

+ ----

+ 

+ Edit the setting `ipv4`:

+ ----

+ nmcli> goto ipv4

+ ----

+ 

+ Note that after this our prompt has changed to indicate that we are currently editing the `ipv4` setting:

+ ----

+ nmcli ipv4>

+ ----

+ 

+ List available properties under the `ipv4` setting and describe the `method` property:

+ ----

+ nmcli ipv4> describe

+ 

+ Available properties: method, dns, dns-search, addresses, routes, ignore-auto-routes, ignore-auto-dns, dhcp-client-id, dhcp-send-hostname, dhcp-hostname, never-default, may-fail

+ Property name?

+ 

+ Property name? method

+ ----

+ 

+ Set property `method` to `auto`:

+ ----

+ nmcli ipv4> set method auto

+ ----

+ 

+ The `ipv4` setting is now finished. Go back to the main level. Enter the following command until the prompt looks like `nmcli>`:

+ ----

+ nmcli ipv4> back

+ ----

+ 

+ To list the main settings again, use the `goto` command without any arguments. After that, press `Enter` and ignore the error.

+ ----

+ nmcli> goto

+ 

+ Available settings: connection, 802-3-ethernet (ethernet), 802-1x, ipv4, ipv6

+ Setting name?

+ ----

+ 

+ It is possible to set a value for a property directly from the main level:

+ ----

+ nmcli> set __setting__.__property__ _value_

+ ----

+ 

+ For example:

+ ----

+ nmcli> set connection.autoconnect TRUE

+ 

+ nmcli> set connection.interface-name _interface name this connection is bound to_

+ 

+ nmcli> set ethernet.cloned-mac-address _Spoofed MAC address_

+ ----

+ 

+ Finally, check the connection details, save and exit:

+ ----

+ nmcli> print

+ 

+ nmcli> save

+ 

+ nmcli> quit

+ ----

+ 

+ [[manually-editing]]

+ === Manually editing

+ 

+ To manually edit an `ifcfg` connection configuration, open or create with a text editor the configuration file of the connection located in `/etc/sysconfig/network-scripts/ifcfg-`.

+ 

+ A description of most common configuration options is available in the link:http://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-interfaces.html[RHEL6 Deployment Guide].

+ 

+ To modify a connection password, open with a text editor and edit the file `keys-` located in `/etc/sysconfig/network-scripts/`. The password is stored in plain text. For example:

+ ----

+ $ cat /etc/sysconfig/network-scripts/keys-__connection name__

+ WPA_PSK='password'

+ ----

+ 

+ Or, if using keyfile, simply edit the connection file located inside `/etc/NetworkManager/system-connections/`

+ 

+ Finally, save the files and to apply changes to an already active connection execute.

+ ----

+ nmcli connection up id _connection name_

+ ----

+ 

+ [[delete-a-connection-configuration]]

+ == Delete a connection configuration

+ 

+ Delete the connection:

+ ----

+ nmcli connection delete id <connection_name>

+ ----

+ Please note that this also deactivates the connection.
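Review bot: In the Wi-Fi section, `nmcli device wifi connect <SSID|BSSID> password <password>` puts the passphrase on the command line, where it lands in shell history and is visible in the process list; mention `nmcli --ask device wifi connect <SSID|BSSID>` so the password is prompted for instead. The "Manually editing" section has a related gap: it states the key is stored in plain text and shows `cat` on the `keys-` file without `sudo`, but says nothing about the file being readable only by root. Two consistency points: `nmcli connection show configured` disagrees with the examples module in this patch, which lists all connections with plain `nmcli connection show`, and the `----` blocks that use `_on|off_`, `_name of new connection_` or `__setting__.__property__` have no `subs="quotes"`, so the underscores will be printed literally. The heading "Network interfaces" is the only section without an anchor, and "To create a new connection using an interactive editor" lacks its trailing colon.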

@@ -0,0 +1,65 @@

+ [id='prod_troubleshooting_selinux']

+ = Troubleshooting SELinux

+ 

+ This document covers the basics of troubleshooting SELinux.

+ 

+ SELinux decisions, such as allowing or disallowing access, are cached. This cache is known as the Access Vector Cache (AVC). Denial messages are logged when SELinux denies access. For example, an SELinux error generated by the Apache web server may appear as `comm="/usr/sbin/httpd"`.

+ 

+ Each error message includes information on the source context (`scontext`) of that part of your system performing an action, and the target context (`tcontext`), the target of the action. In many cases, the source is a binary and the target a file.

+ 

+ == Understanding Denials

+ When SELinux prevents any software from accessing a particular resource, for example, when *Firefox* is denied access to `/etc/shadow`, it generates a message and logs it in `/var/log/audit/audit.log` or `/var/log/messages` if *audit* service is disabled. If the log contains `avc: denied` that means it is an SELinux policy denial. Note that you would need administrator privileges (root access) on your system to be able to read this log file. An example denial would look like:

+ -----

+ type=AVC msg=audit(1214965667.121:635): avc:  denied  { unix_read unix_write } for  pid=15524 comm="npviewer.bin"

+ key=59918130 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023

+ tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s

+ -----

+ == Using the setroubleshoot utility

+ 

+ *setroubleshoot* is a utility that parses the messages from SELinux and provides comprehensive help on what it means and possible actions to take. It has both a graphical utility for your desktop and a server side component that can send email alerts. It is installed by default on Fedora. To install it on your system, use the *Software* tool in GUI or enter the following command:

+ -----

+ $ sudo dnf install setroubleshoot

+ -----

+ 

+ To start the program, run the following command:

+ -----

+ $ sealert

+ -----

+ 

+ You can find recent alerts in the browser that appears.

+ 

+ To troubleshoot an error, click the *troubleshoot* button in the SELinux Alert browser. The browser will return available options for resolving the error and commands to run to fix the problem.

+ 

+ [NOTE]

+ ====

+ Some troubleshooting events can be resolved by enabling a boolean switch policy. This will allow the activity to procede in the future, regardless of SELinux enforcing policy. It is not recommended to utilize booleans without fully understanding the issue. For more information on booleans, see the link:https://docs-old.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Working_with_SELinux-Booleans.html[Booleans] chapter in the SELinux User's and Administrator's Guide.

+ ====

+ 

+ 

+ ////

+ include::modules/con-troubleshooting-selinux-overview.adoc[leveloffset=+1]

+ 

+ include::modules/con-troubleshooting-selinux-access-is-denied.adoc[leveloffset=+2]

+ 

+ include::modules/con_troubleshooting_selinux_top_three_causes_of_problems.adoc[leveloffset=+1]

+ 

+ include::modules/con_troubleshooting_selinux_fixing_problems.adoc[leveloffset=+1]

+ 

+ include::modules/con_troubleshooting_selinux_searching_viewing_denials.adoc[leveloffset=+2]

+ 

+ include::modules/con_troubleshooting_selinux_disabling_permissive_domains.adoc[leveloffset=+2]

+ 

+ include::modules/con_troubleshooting_selinux_raw_audit_messages.adoc[leveloffset=+1]

+ 

+ include::modules/con_troubleshooting_selinux_sealert_messages.adoc[leveloffset=+2]

+ 

+ include::modules/con_troubleshooting_selinux_allowing_access_audit.adoc[leveloffset=+1]

+ 

+ include::modules/proc_troubleshooting_selinux_allowing_access_audit.adoc[leveloffset=+2]

+ ////

+ 

+ == Additional Resources

+ 

+  * link:https://docs-old.fedoraproject.org/en-US/Fedora/25/html/SELinux_Users_and_Administrators_Guide/chap-Security-Enhanced_Linux-Troubleshooting.html[Troubleshooting] in the SELinux User's and Administrator's Guide

+ 

+  * link:https://fedorapeople.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf[Four Key Causes of SELinux Errors]
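Review bot: The sample denial under "Understanding Denials" is cut off: `tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s` ends mid-range and the record has no `tclass` field, so readers cannot map it to the scontext/tcontext explanation given above it. Paste a complete record. The setroubleshoot paragraph says "It is installed by default on Fedora" and then immediately "To install it on your system"; reword to something like "If it is not present, install it with ...". In the NOTE, "procede" should be "proceed". The id `prod_troubleshooting_selinux` looks like a typo for the `proc_` prefix used elsewhere in the patch. The large `////` block of commented-out includes should be removed or tracked in an issue rather than merged.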

@@ -0,0 +1,97 @@

+ [id='sec-Using-AIDE']

+ = Checking Integrity With *AIDE*

+ 

+ Advanced Intrusion Detection Environment (AIDE) is a utility that creates a database of files on the system, and then uses that database to ensure file integrity and detect system intrusions.

+ 

+ == Installing *AIDE*

+ 

+ . To install the _aide_ package:

+ +

+ ----

+ $ sudo dnf install aide

+ ----

+ . To generate an initial database:

+ +

+ ----

+ $ sudo aide --init

+ Start timestamp: 2018-07-11 12:35:47 +0200 (AIDE 0.16)

+ AIDE initialized database at /var/lib/aide/aide.db.new.gz

+ 

+ Number of entries:	150666

+ 

+ ---------------------------------------------------

+ The attributes of the (uncompressed) database(s):

+ ---------------------------------------------------

+ 

+ /var/lib/aide/aide.db.new.gz

+   MD5      : 0isjEPsCORFk7laoGGz8tQ==

+   SHA1     : j0aPLakWChM+TAuxfVIpy9nqBOE=

+   RMD160   : nYyyx0AGZj4e5rwcz77afasXFrw=

+   TIGER    : IBVo5A2A4En1kM6zDjD/MnlkN4QWeSOw

+   SHA256   : YveypaI9c5PJNvPSZf8YFfjCMWfGUA8q

+              vyqLpLJWY0E=

+   SHA512   : TiUYmHYflS3A+j17qw5mW78Fn2yXLpCF

+              1LE1/RhiqqtMn1MjkKDrr+3TE+/vWfa4

+              7253cDhNmC6hoFndkS67Xw==

+ 

+ 

+ End timestamp: 2018-07-11 12:37:35 +0200 (run time: 1m 48s)

+ ----

+ +

+ NOTE: In the default configuration, the *aide --init* command checks just a set of directories and files defined in the `/etc/aide.conf` file. To include additional directories or files in the AIDE database, and to change their watched parameters, edit `/etc/aide.conf` accordingly.

+ 

+ . To start using the database, remove the `.new` substring from the initial database file name:

+ +

+ ----

+ $ sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

+ ----

+ 

+ . To change the location of the *AIDE* database, edit the `/etc/aide.conf` file and modify the `DBDIR` value. For additional security, store the database, configuration, and the `/usr/sbin/aide` binary file in a secure location such as a read-only media.

+ +

+ IMPORTANT: To avoid SELinux denials after the AIDE database location change, update your SELinux policy accordingly. See the link:https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/[SELinux User's and Administrator's Guide] for more information.

+ 

+ == Performing Integrity Checks

+ 

+ To initiate a manual check:

+ ----

+ $ sudo aide --check

+ Start timestamp: 2018-07-11 12:41:20 +0200 (AIDE 0.16)

+ AIDE found differences between database and filesystem!!

+ 

+ Summary:

+   Total number of entries:	150667

+   Added entries:		1

+   Removed entries:		0

+   Changed entries:		2

+ 

+ ---------------------------------------------------

+ Added entries:

+ ---------------------------------------------------

+ 

+ f++++++++++++++++: /etc/cups/subscriptions.conf.O

+ ...

+ [output truncated]

+ ----

+ 

+ At a minimum, *AIDE* should be configured to run a weekly scan. At most, *AIDE* should be run daily. For example, to schedule a daily execution of AIDE at _04:05_ a.m. using the *cron* command, see the link:https://docs.fedoraproject.org/f27/system-administrators-guide/monitoring-and-automation/Automating_System_Tasks.html[Automating System Tasks] chapter in the System Administration Guide.

+ 

+ Add the following line to the `/etc/crontab` file:

+ ----

+  05 4 * * * root /usr/sbin/aide --check

+ ----

+ 

+ == Updating an *AIDE* Database

+ 

+ After verifying the changes of your system such as, package updates or configuration files adjustments, update your baseline *AIDE* database:

+ ----

+ $ sudo aide --update

+ ----

+ The *aide --update* command creates the `/var/lib/aide/aide.db.new.gz` database file. To start using it for integrity checks, remove the `.new` substring from the file name.

+ 

+ == Additional Resources

+ 

+ For additional information on *AIDE*, see the following documentation:

+ 

+  - link:https://static.open-scap.org/ssg-guides/ssg-sl7-guide-ospp-rhel7-server.html#xccdf_org.ssgproject.content_group_aide[Guide to the Secure Configuration of Red Hat Enterprise Linux 7 (OpenSCAP Security Guide): Verify Integrity with AIDE]

+ 

+  - link:http://aide.sourceforge.net/stable/manual.html[The AIDE manual]
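Review bot: The scheduling paragraph under "Performing Integrity Checks" is muddled: "For example, to schedule a daily execution of AIDE at _04:05_ a.m. using the *cron* command, see the link ..." starts an example and ends as a cross-reference, and the actual example ("Add the following line to the `/etc/crontab` file") follows as a separate paragraph. Restructure it as: state the recommended frequency, give the crontab line as the example, then point to the Automating System Tasks chapter for details. It would also help to say where the output of the scheduled `aide --check` goes, since a check nobody reads detects nothing. In "Updating an AIDE Database", the rename is described only in words while the installation section shows the `mv` command; repeat the command there. In the installation list, step 4 ("To change the location of the AIDE database") is optional configuration rather than a step and reads better as a separate paragraph. "such as, package updates" has a misplaced comma.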

@@ -0,0 +1,8 @@

+ 

+ :md: ./modules

+ 

+ include::{md}/con_viewing-logs.adoc[leveloffset=+1]

+ 

+ include::{md}/proc_log-files-command-line.adoc[leveloffset=+1]

+ 

+ include::{md}/proc_log-files-GUI.adoc[leveloffset=+1]
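Review bot: All three modules are included with `leveloffset=+1`, but the two procedure modules in this patch start at `===` rather than `=`, so their final heading depth depends on being included right after the "Viewing log files" section of the concept module. Start each module at `=` and set the nesting here with `leveloffset=+2` or `+3`, so the modules can be reused in another assembly. This assembly also has no title or id of its own, unlike the nmcli and VLC assemblies.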