Chapter 55. Compiler and Tools

Performance of regular expressions cannot be boosted with the JIT technique if executable stack is disabled

When the SELinux policy disallows executable stack, the PCRE library cannot use JIT compilation to speed up regular expressions. As a result, attempts to JIT-compile regular expressions are ignored and their performance is not boosted.
To work around this problem, amend the SELinux policy with a rule for enabling the execmem action on affected SELinux domains to enable JIT compilation. Some of the rules are already provided and can be enabled by specific SELinux booleans. To list these booleans, see the output of the following command:
getsebool -a | grep execmem
An alternative workaround is changing application code to not request JIT compilation with calls to the pcre_study() function. (BZ#1290432)

Memory leaks occur when certain applications fail to exit after unloading the Gluster libraries

Gluster consists of many internal components and different translators that implement functions and features. The gfapi access method was added to integrate Gluster tightly with applications. However, not all components and translators are designed to be unloaded in running applications. As a consequence, programs that do not exit after unloading the Gluster libraries are unable to release some of the memory allocations that are performed internally by Gluster.
To reduce the amount of memory leaks, prevent applications from calling the glfs_init() and glfs_fini() functions whenever possible. To release the leaked memory, you must restart long-running applications. (BZ#1409773)

URL to DISA SRGs is incorrect

The SCAP Security Guide (SSG) rules refer to Defense Information Systems Agency Security Requirement Guides (DISA SRGs). Connecting to the URL fails with a 404 - not found error. As a consequence, users have no direct reference to SRGs. To work around the problem, use the new URL: http://iase.disa.mil/stig/os/general/Pages/index.aspx/ (BZ#1464899)

The ensure_gpgcheck_repo_metadata rule fails

During remediation of the ensure_gpgcheck_repo_metadata rule, certain profiles update the yum.conf file to enable the repo_gpgcheck option. Red Hat does not currently provide signed repository metadata. As a consequence, the yum utility is no longer able to install any package from official repositories. To work around the problem, use a tailoring file to remove ensure_gpgcheck_repo_metadata from the profile. If remediation has already broken the system, update yum.conf and set repo_gpgcheck to 0. (BZ#1465677)

The SSG pam_faillock module utilization check incorrectly accepts default=die

The SCAP Security Guide (SSG) pam_faillock module utilization check incorrectly accepts the default=die option. Consequently, when a user authentication using the pam_unix module fails, the pam stack evaluation stops immediately without incrementing the counter of pam_faillock. To work around this problem, do not use default=die before the authfail option. This ensures that the pam_faillock counter is incremented properly. (BZ#1448952)
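Because the SSG check accepts this configuration, a separate local check is useful. The following is an added example, not part of the SCAP Security Guide or of the original text: it scans the auth entries of a PAM stack and reports any entry with default=die that precedes the pam_faillock authfail line. The sample stacks and the default=bad replacement value are constructed for illustration.

```python
import re

# Constructed sample stacks (not taken from the original page).
BAD_STACK = """\
# constructed example: pam_unix ends the stack on failure
auth  required                 pam_faillock.so preauth silent deny=3
auth  [success=1 default=die]  pam_unix.so
auth  [default=die]            pam_faillock.so authfail deny=3
auth  sufficient               pam_faillock.so authsucc deny=3
"""
GOOD_STACK = BAD_STACK.replace("[success=1 default=die]  pam_unix.so",
                               "[success=1 default=bad]  pam_unix.so")

# type, control (keyword or [value=action ...]), module, arguments
LINE_RE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_auth_lines(text):
    """Yield (lineno, control, module, args) for each auth entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = LINE_RE.match(line)
        if m and m.group(1).lower() == "auth":
            module = m.group(3).rsplit("/", 1)[-1]  # tolerate absolute paths
            yield lineno, m.group(2), module, m.group(4).split()


def die_before_authfail(text):
    """Return (findings, authfail_lineno).

    findings lists (lineno, module) for every auth entry placed before the
    pam_faillock authfail line whose bracketed control contains default=die.
    If the stack has no authfail line, the result is ([], None).
    """
    findings = []
    for lineno, control, module, args in parse_auth_lines(text):
        if module == "pam_faillock.so" and "authfail" in args:
            return findings, lineno
        if control.startswith("[") and "default=die" in control[1:-1].split():
            findings.append((lineno, module))
    return [], None


if __name__ == "__main__":
    for name, stack in (("bad", BAD_STACK), ("good", GOOD_STACK)):
        print(name, die_before_authfail(stack))
```

To check a real system, pass the contents of the relevant file under /etc/pam.d/ to die_before_authfail(); a non-empty findings list means a failed authentication can end the stack before the pam_faillock counter is incremented.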