Chapter 32. Security

Configurations that depend on chrooting in user-non-searchable paths now work properly

In Red Hat Enterprise Linux 7.3, the chroot process in the OpenSSH tool had been changed to help harden the SELinux system policy, and root UID was dropped before performing chroot. Consequently, existing configurations that depend on chrooting in user-non-searchable paths stopped working. With this update of the openssh packages, the change has been reverted. Additionally, the problem has been fixed in the SELinux system policy by allowing confined users to use OpenSSH chroot if the administrator enables the selinuxuser_use_ssh_chroot boolean. The described configurations now work in the same way as in Red Hat Enterprise Linux 7.2. (BZ#1418062)

firewalld now supports all ICMP types

Previously, the Internet Control Message Protocol (ICMP) type list was incomplete. As a consequence, some ICMP types, such as packet-too-big, could not be blocked or allowed. With this update, support for the additional ICMP types has been added, and the firewalld service daemon now handles all ICMP types. (BZ#1401978)

docker.pp replaced with container.pp in selinux-policy

Prior to this update, the container.te file in the container-selinux package contained Docker interfaces that pointed to the equivalent container interfaces, and the docker.if file contained the same interfaces. Consequently, compiling the container.te file produced compiler warnings about duplicate interfaces. With this update, the docker.pp file in the selinux-policy package has been replaced with the container.pp file, and the warning no longer occurs in the described scenario. (BZ#1386916)

Recently-added kernel classes and permissions defined in selinux-policy

Previously, several new classes and permissions had been added to the kernel. Because these classes and permissions were not defined in the system policy, they caused SELinux denials or warnings. With this update, all recently-added kernel classes and permissions have been defined in the selinux-policy package, and the denials and warnings no longer occur. (BZ#1368057)

nss now properly handles PKCS#12 files

Previously, when using the pk12util tool to list certificates in a PKCS#12 file with strong ciphers using PKCS#5 v2.0 format, there was no output. Additionally, when using pk12util to list certificates in a PKCS#12 file with the SHA-2 Message Authentication Code (MAC), a MAC error was reported, but no certificates were printed. With this update, importing and exporting PKCS#12 files has been changed to be compatible with the OpenSSL handling, and PKCS#12 files are now processed properly in the described scenarios. (BZ#1220573)

OpenSCAP now produces only useful messages and warnings

Previously, the default scan output settings had been changed so that debug messages were also printed to standard output. As a consequence, the OpenSCAP output was full of errors and warnings, the output was hard to read, and SCAP Workbench was also unable to handle those messages. With this update, the change to the default output settings has been reverted, and OpenSCAP now produces useful output. (BZ#1447341)

AIDE now logs in the syslog format

Previously, the multiline log entries written by the AIDE intrusion detection system caused parsing problems on a remote rsyslog server. With this update, the new syslog_format option makes AIDE log in an rsyslog-compatible format, with every change logged as a single line. (BZ#1377215)

Installations with the OpenSCAP security-hardening profile now proceed

Prior to this update, typos in the scap-security-guide package caused the Anaconda installation program to exit and restart a machine. Consequently, it was not possible to select any of the security-hardened profiles such as Criminal Justice Information Services (CJIS) during the Red Hat Enterprise Linux 7.4 installation process. The typos have been fixed, and installations with the OpenSCAP security-hardening profile now proceed. (BZ#1450731)

OpenSCAP and SSG are now able to scan RHV-H systems correctly

Previously, using the OpenSCAP and SCAP Security Guide (SSG) tools to scan a Red Hat Enterprise Linux system working as a Red Hat Virtualization Host (RHV-H) returned Not Applicable results. With this update, OpenSCAP and SSG correctly identify RHV-H as Red Hat Enterprise Linux, which enables OpenSCAP and SSG to scan RHV-H systems properly. (BZ#1420038)

OpenSCAP now also handles uncompressed XML files in a CVE OVAL feed

Previously, the OpenSCAP tool was able to handle only compressed CVE OVAL files from a feed. As a consequence, the CVE OVAL feed provided by Red Hat could not be used directly as a basis for vulnerability scanning. With this update, OpenSCAP supports not only ZIP and BZIP2 files but also uncompressed XML files in a CVE OVAL feed, and CVE OVAL-based scanning works properly without additional steps. (BZ#1440192)