Chapter 62. Security

certutil does not return the NSS database password requirements in FIPS mode

When creating a new Network Security Services (NSS) database with the certutil tool, the user has nowhere to find out what the database password requirements are when running in FIPS mode. The prompt message does not provide password requirements, and certutil returns only a generic error message:
certutil: could not authenticate to token NSS FIPS 140-2 Certificate DB.: SEC_ERROR_IO: An I/O error occurred during security authorization.

systemd-importd runs as init_t

The systemd-importd service is using the NoNewPrivileges security flag in the systemd unit file. This blocks the SELinux domain transition from the init_t to systemd_importd_t domain. (BZ#1365944)

The SCAP password length requirement is ignored in the kickstart installation

The interactive kickstart installation does not enforce the password length check defined by the SCAP rule and accepts shorter root passwords. To work around this problem, use the --strict option with the pwpolicy root command in the kickstart file. (BZ#1372791) is writable by group and others

In Red Hat Enterprise Linux 7.4, the default permissions of the /var/run/ file are set to -rw-rw-rw-.. This setting is not secure. To work around this problem, change the permissions of this file to be writable only by the owner:
# chmod go-w /var/run/