Chapter 53. Compiler and Tools

Performance of regular expressions cannot be boosted with the JIT technique if executable stack is disabled

When the SELinux module policy disallows executable stack, the PCRE library cannot use JIT compilation to speed up regular expressions. As a result, attempting JIT compilation for regular expressions is ignored and their performance is not boosted.
To work around this problem, amend the SELinux policy with a rule for enabling the execmem action on affected SELinux domains to enable JIT compilation. Some of the rules are already provided and can be enabled by specific SELinux booleans. To list these booleans, see the output of the following command:
getsebool -a | grep execmem
An alternative workaround is changing application code to not request JIT compilation with calls to the pcre_study() function. (BZ#1290432)

Installations with the OpenSCAP security-hardening profile now proceed

Prior to this update, typos in the scap-security-guide package caused the Anaconda installation program to restart. Consequently, it was not possible to select any of the security-hardened profiles such as Criminal Justice Information Services (CJIS) during the Red Hat Enterprise Linux 7.4 installation process. The typos have been fixed, and installations with the OpenSCAP security-hardening profile now proceed. (BZ#1450731)