RHEL-Fedora: Fedora and RHEL-Family Administration
Administer Fedora, RHEL, Rocky Linux, AlmaLinux, Oracle Linux, Amazon Linux, and nearby RPM-family systems without flattening their important differences. Start by separating the fast-moving Fedora lane from the conservative enterprise lane, then account for vendor quirks such as subscription-manager, CentOS Stream drift, Oracle UEK, Amazon's cloud-first defaults, and SELinux or firewalld behavior that people love to blame on the wrong layer.
Versions worth pinning (verified May 2026):
Only pin versions here when they materially affect compatibility or troubleshooting shape. For ordinary package work, prefer the live distro lane and repo state over a stale package table.
| Component | Version | Why it matters |
|---|---|---|
| Fedora stable | 44 / verify live | current mainstream baseline (Fedora ships ~every 6 months and EOLs ~13 months, faster than this table is bumped - confirm live) |
| Fedora next branch | 45 / verify live | useful when a bug is really Fedora-next behavior |
| RHEL enterprise lane | 10.x | current enterprise baseline in the new major lane |
| RHEL previous major | 9.x | still widely deployed and behaviorally different from 10 |
| Rocky Linux | verify live major lane | close to RHEL, but current docs and vault state still matter |
| AlmaLinux | verify live major lane | close to RHEL, but current release notes and policy docs still matter |
| Oracle Linux | verify live major lane | current Oracle lane matters, but UEK vs RHCK matters more |
| Amazon Linux | AL2023 / verify live release | release-note lane matters more than memorizing one point version |
| SELinux | verify live | policy package and mode matter more than memorized version strings |
| DNF | verify live | Fedora moves faster than enterprise lanes; DNF 5 vs legacy expectations matter |
| Podman | verify live | rootless and quadlet behavior depend on the shipped distro lane |
| Kernel security | verify live via RHSA/FEDORA tracker | patch high-severity privesc CVEs promptly; mid-2026 examples to confirm fixed: Copy Fail CVE-2026-31431 (CISA KEV, exploited), Dirty Frag CVE-2026-43284/43500, Fragnesia CVE-2026-46300 (ESP-in-TCP, exploited), ptrace CVE-2026-46333 |
When to use
- Package management with `dnf`, `yum`, `rpm`, local `.rpm` files, repo configuration, or package provenance
- Fedora repo, COPR, updates-testing, modularity, and release-upgrade work
- RHEL subscription, entitlement, CodeReady Builder, Insights, EPEL, and clone compatibility questions
- systemd service, timer, boot, and journal troubleshooting on Fedora or RHEL-family systems
- GRUB, EFI, `dracut`, initramfs, kernel, `grubby`, and boot recovery work
- Release maintenance: Fedora `dnf system-upgrade`, RHEL-family major or minor transitions, `leapp` planning
- Security plumbing: SELinux modes, contexts, booleans, AVC denials, `firewalld`, FIPS-adjacent checks, package signing
- Container-host work that is really host-admin work: Podman packages, rootless prerequisites, cgroup or SELinux host integration
- Desktop stack on Fedora Workstation or similar: Wayland vs X11, GNOME, KDE, portals, PipeWire, Bluetooth
- Session startup and laptop work: GDM, SDDM, suspend or resume, power profiles, hybrid graphics
- GPU and gaming work: NVIDIA akmods or DKMS, Mesa, Vulkan, Steam, Proton, Gamescope, MangoHud
- Capture and communication: OBS, WebRTC screen sharing, Discord or Teams, portals, virtual cameras
- Storage: XFS, ext4, Btrfs, LUKS, LVM, Stratis, TRIM, hibernation
- Firmware and hardware enablement: `fwupdmgr`, vendor firmware tools, microcode, `mokutil`, Secure Boot
- Cloud-image and VM defaults on Amazon Linux, RHEL cloud images, Rocky, Alma, and Oracle Linux guests
- Base Linux ops on RPM-family systems: `journalctl`, `dmesg`, `lsblk`, `grubby`, `rpm -Va`, `restorecon`
When NOT to use
- Shell syntax, quoting, or script portability - use command-prompt
- Network architecture, DNS, VPNs, reverse proxies, or firewall design - use networking
- Dockerfiles, Compose files, image builds, or container runtime architecture - use docker
- Kubernetes cluster or manifest work - use kubernetes
- Fleet-wide Linux configuration via playbooks - use ansible
- Security review, vulnerability triage, or offensive testing - use security-audit or lockpick
- Arch, CachyOS, or other pacman-family systems - use arch-btw
- Debian, Ubuntu, Mint, Pop!_OS, or other apt-family systems - use debian-ubuntu
- Fedora Silverblue, Kinoite, Bazzite, Bluefin, Universal Blue, CoreOS, bootc, or other rpm-ostree / image-mode workflows - outside this skill; do not treat them like ordinary dnf-managed hosts
- OPNsense or pfSense appliance work - use firewall-appliance
AI Self-Check
Before returning Fedora or RHEL-family commands, verify:
- Distro lane identified: Fedora, CentOS Stream, RHEL, Rocky, AlmaLinux, Oracle Linux, Amazon Linux, or another derivative. Advice diverges fast.
- Release lane identified: Fedora stable vs Rawhide/Branched, RHEL 8 vs 9 vs 10, AL2023 vs old Amazon Linux 2, Oracle Linux with RHCK vs UEK.
- Package path identified: `dnf`, legacy `yum`, plain `rpm`, or `microdnf`. If the host is rpm-ostree or image-mode, stop and route away instead of treating it like a normal DNF-managed host.
- Repo provenance understood: base repos, EPEL, CRB/PowerTools/CodeReady Builder, COPR, vendor repos, and third-party release RPMs are not interchangeable.
- Fedora speed respected: Fedora guidance that is fine on 42 can be stale or wrong on Rawhide and too new for enterprise clones.
- Enterprise conservatism respected: do not blindly transplant Fedora COPR, raw upstream kernels, or random GitHub RPM repos onto production RHEL-family hosts.
- SELinux considered early: if the symptom smells like permission, bind mount, custom service, rootless container, or web app weirdness, check AVCs before disabling SELinux.
- SELinux fix is correct: distinguish labeling (`restorecon`, `semanage fcontext`) from booleans (`setsebool`) and custom policy (`audit2allow`). Do not cargo-cult `setenforce 0`.
- firewalld scope is correct: runtime vs permanent rules, active zone, interface binding, and rich rules are understood before changing exposure.
- Boot stack identified: GRUB, EFI mountpoint, kernel package, `dracut`, Secure Boot state, and `grubby` path are known before changing boot files.
- Fallback path exists: do not remove the only known-good kernel or boot entry on a remote system.
- Vendor kernel path identified: Oracle UEK vs RHCK, Amazon kernel choices, and NVIDIA akmods/DKMS expectations matter.
- Subscription state known: on RHEL, entitlement and repo enablement may be the real problem, not package naming.
- Module streams handled consciously: if AppStream or module streams are involved, verify the active stream before suggesting installs, resets, or downgrades.
- Desktop stack is coherent: compositor, portal backend, PipeWire, session type, and user services line up.
- Gaming stack includes 32-bit userspace when needed: Steam and Proton failures often come from missing multilib graphics pieces, not the game itself.
- Capture stack is coherent: portal backend, PipeWire, WebRTC or Electron path, and any virtual camera module line up with the current session type.
- Cloud-image assumptions are checked: Amazon Linux, cloud-init images, and minimal RHEL images omit tools you might expect on a full install.
- Upgrade path is real: Fedora `dnf system-upgrade`, RHEL `leapp`, and clone major-version jumps have different support stories. Do not improvise an in-place major upgrade path.
- Diagnostic errors are not silenced: do not hide useful failure output with `2>/dev/null` on commands whose errors matter. Use `2>&1 || true` when gathering.
- [ ]
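
The first checks in this list (distro lane, release lane, rpm-ostree routing, Oracle UEK vs RHCK) can be answered from `/etc/os-release`, the `/run/ostree-booted` marker, and the kernel release string. The script below is an added example, not part of the original skill; the function names and the `lane=`/`route=` output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Pure parsing: changes nothing.

# os_field KEY FILE -> value of KEY with surrounding quotes stripped.
# Parsed with sed rather than sourced, so the file is never executed.
os_field() {
    sed -n "s/^$1=//p" "$2" | head -n 1 | tr -d "\"'"
}

# classify_lane [OS_RELEASE] [OSTREE_MARKER] [KERNEL_RELEASE]
# Defaults read the live host; pass constructed inputs to test offline.
classify_lane() {
    os_release=${1:-/etc/os-release}
    ostree_marker=${2:-/run/ostree-booted}
    kernel=${3:-$(uname -r)}

    if [ ! -r "$os_release" ]; then
        echo "lane=unknown route=stop-identify-host-first"
        return 1
    fi

    id=$(os_field ID "$os_release")
    version=$(os_field VERSION_ID "$os_release")
    major=${version%%.*}

    case "$id" in
        fedora|rhel|rocky|almalinux|centos) lane=$id ;;  # CentOS Stream reports ID=centos
        ol)   lane=oracle ;;
        amzn) lane=amazon ;;
        *)    lane="other:${id:-unset}" ;;
    esac

    # Oracle ships two kernels; UEK builds carry "uek" in the release string.
    flavor=distro
    if [ "$lane" = oracle ]; then
        case "$kernel" in *uek*) flavor=uek ;; *) flavor=rhck ;; esac
    fi

    # An ostree-booted host is rpm-ostree or image-mode, not a plain DNF host.
    if [ -e "$ostree_marker" ]; then
        route=stop-image-mode
    else
        route=dnf-host
    fi

    echo "lane=$lane major=${major:-unset} kernel=$flavor route=$route"
}
```

Called with no arguments, `classify_lane` inspects the running host.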
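
For the SELinux items in this checklist, the following added example (not from the original page) parses a raw AVC denial record and suggests which fix family to look at first: labeling, a boolean or port label, or deeper analysis. The function names, the list of generic target types, and the hint labels are heuristic assumptions; `audit2why` remains the authoritative explanation of a denial.

```shell
#!/bin/sh
# Added example, not from the original page. Reads one AVC record; changes nothing.

# avc_field KEY LINE -> value of " KEY=..." with an optional leading quote dropped.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# triage_avc LINE -> one summary line with a first-look hint.
triage_avc() {
    line=$1
    case "$line" in
        *"avc:"*"denied"*) ;;
        *) echo "not-an-avc-denial"; return 1 ;;
    esac

    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \(.*\) }.*/\1/p')
    stype=$(avc_field scontext "$line" | cut -d: -f3)   # user:role:TYPE:level
    ttype=$(avc_field tcontext "$line" | cut -d: -f3)
    tclass=$(avc_field tclass "$line")

    # permissive=1 means the denial was logged but not enforced.
    if [ "$(avc_field permissive "$line")" = 1 ]; then enforced=no; else enforced=yes; fi

    case "$ttype" in
        # Generic or inherited type on the target: suspect a labeling problem
        # (restorecon, semanage fcontext) before anything else. Heuristic list.
        default_t|unlabeled_t|user_home_t|admin_home_t|tmp_t|var_t)
            hint=labeling ;;
        *)
            case "$tclass:$perms" in
                # Network bind/connect denials are usually a boolean (setsebool)
                # or a port label (semanage port), not a file label.
                tcp_socket:*name_connect*|tcp_socket:*name_bind*|udp_socket:*name_bind*)
                    hint=boolean-or-port-label ;;
                *)  hint=run-audit2why ;;
            esac ;;
    esac

    echo "source=$stype target=$ttype class=$tclass perms=$perms enforced=$enforced hint=$hint"
}
```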