Chapter 33. Security

When firewalld starts, net.netfilter.nf_conntrack_max is no longer reset to default if its configuration exists

Previously, firewalld reset the nf_conntrack settings to their default values when it was started or restarted. As a consequence, the net.netfilter.nf_conntrack_max setting was restored to its default value. With this update, each time firewalld starts, it reloads nf_conntrack sysctls as they are configured in /etc/sysctl.conf and /etc/sysctl.d. As a result, net.netfilter.nf_conntrack_max maintains the user-configured value. (BZ#1462977)
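A practical check for this entry is to compare the value that the sysctl configuration files resolve to against the value the kernel is actually using, before and after a firewalld restart. The following script is an added example, not part of the release notes or of firewalld; it reimplements the lookup order that procps-ng `sysctl --system` uses (an assumption about that tool: the sysctl.d directories are scanned in order, a file name seen in an earlier directory shadows the same name in a later one, the surviving files are applied sorted by name, and /etc/sysctl.conf is applied last so it wins). The sample directory tree it builds is constructed for the demo.

```python
"""Compare the configured net.netfilter.nf_conntrack_max with the live value.

Added example, not firewalld's or the release notes' own code.  The resolution
order below mirrors procps-ng `sysctl --system` (assumption, see lead-in).
"""
import os
import tempfile

KEY = "net.netfilter.nf_conntrack_max"

# Directories in the order sysctl --system scans them (assumption).
SYSCTL_DIRS = ["run/sysctl.d", "etc/sysctl.d", "usr/local/lib/sysctl.d",
               "usr/lib/sysctl.d", "lib/sysctl.d"]


def parse_sysctl_file(path):
    """Return {key: value} for one sysctl.conf-style file.

    '#' and ';' start comments, keys may be written with '/' instead of '.',
    and a leading '-' on a key only means "ignore errors", so it is dropped.
    """
    settings = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;" or "=" not in line:
                continue
            key, _, value = line.partition("=")
            key = key.strip().lstrip("-").replace("/", ".")
            settings[key] = value.strip()
    return settings


def configured_value(key, root="/"):
    """Resolve key the way sysctl --system would, relative to root."""
    chosen = {}                     # basename -> path of the file that wins
    for d in SYSCTL_DIRS:
        full = os.path.join(root, d)
        if not os.path.isdir(full):
            continue
        for name in os.listdir(full):
            if name.endswith(".conf") and name not in chosen:
                chosen[name] = os.path.join(full, name)
    value = None
    for name in sorted(chosen):    # later files override earlier ones
        value = parse_sysctl_file(chosen[name]).get(key, value)
    conf = os.path.join(root, "etc/sysctl.conf")
    if os.path.isfile(conf):       # applied last, so it has the final say
        value = parse_sysctl_file(conf).get(key, value)
    return value


def live_value(key):
    """Read the running kernel's value; None if the module is not loaded."""
    try:
        with open("/proc/sys/" + key.replace(".", "/")) as fh:
            return fh.read().strip()
    except OSError:
        return None


def check(key=KEY, root="/"):
    """Return (configured, live, matches) for one sysctl key."""
    expected, actual = configured_value(key, root), live_value(key)
    return expected, actual, expected is not None and expected == actual


def build_sample_tree(root):
    """Constructed sample layout: a vendor default shadowed by /etc, then
    a later-sorting file and an unrelated /etc/sysctl.conf."""
    files = {
        "usr/lib/sysctl.d/50-default.conf": "net.netfilter.nf_conntrack_max = 65536\n",
        "etc/sysctl.d/50-default.conf": "# shadows the vendor file of the same name\n"
                                        "net.netfilter.nf_conntrack_max = 131072\n",
        "etc/sysctl.d/90-conntrack.conf": "net/netfilter/nf_conntrack_max = 262144\n",
        "etc/sysctl.conf": "; nothing about conntrack here\nkernel.sysrq = 0\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)


def demo():
    """Resolve two keys against the constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {k: configured_value(k, root) for k in (KEY, "kernel.sysrq")}


if __name__ == "__main__":
    print("sample tree resolves to", demo())
    exp, act, ok = check()
    print(f"{KEY}: configured={exp} live={act} {'OK' if ok else 'MISMATCH'}")
```

Run it once, then `systemctl restart firewalld`, then run it again; on a fixed system both runs report the same configured and live values. A `MISMATCH` right after the restart is the symptom this entry describes, and `live=None` means the nf_conntrack module is not loaded yet, in which case the sysctl cannot have been applied at all.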

Tomcat can now be started using tomcat-jsvc with SELinux in enforcing mode

In Red Hat Enterprise Linux 7.4, the tomcat_t unconfined domain was not correctly defined in the SELinux policy. Consequently, the Tomcat server could not be started by the tomcat-jsvc service with SELinux in enforcing mode. This update adds rules that allow the tomcat_t domain to use the dac_override, setuid, and kill capabilities. As a result, Tomcat can now be started through tomcat-jsvc with SELinux in enforcing mode. (BZ#1470735)

SELinux now allows vdsm to communicate with lldpad

Prior to this update, SELinux in enforcing mode denied the vdsm daemon access to lldpad information. Consequently, vdsm did not work correctly. With this update, a rule allowing the virtd_t domain to send data to the lldpad_t domain over a datagram socket has been added to the selinux-policy packages. As a result, vdsm, which runs as virtd_t, can now communicate with lldpad, which runs as lldpad_t, when SELinux is in enforcing mode. (BZ#1472722)

OpenSSH servers without Privilege Separation no longer crash

Prior to this update, a pointer was dereferenced before its validity was checked. Consequently, OpenSSH servers with the Privilege Separation option turned off crashed during session cleanup. With this update, pointers are checked properly, and OpenSSH servers running without Privilege Separation no longer crash due to the described bug.
Note that disabling OpenSSH Privilege Separation is not recommended. (BZ#1488083)

The clevis luks bind command no longer fails with the DISA STIG-compliant password policy

Previously, passwords generated as part of the clevis luks bind command were not compliant with the Defense Information Systems Agency Security Technical Implementation Guide (DISA STIG) password policy set in the pwquality.conf file. Consequently, clevis luks bind failed on DISA STIG-compliant systems in certain cases. With this update, passwords are generated using a utility designed to generate random passwords that pass the password policy, and clevis luks bind now succeeds in the described scenario. (BZ#1500975)

WinSCP 5.10 now works properly with OpenSSH

Previously, OpenSSH incorrectly recognized WinSCP version 5.10 as the older version 5.1. As a consequence, the compatibility bits for WinSCP version 5.1 were enabled for WinSCP 5.10, and the newer version did not work properly with OpenSSH. With this update, the version selectors have been fixed, and WinSCP 5.10 now works properly with OpenSSH servers. (BZ#1496808)

SFTP no longer allows the creation of zero-length files in read-only mode

Prior to this update, the process_open function in the OpenSSH SFTP server did not properly prevent write operations in read-only mode. Consequently, an attacker could create zero-length files. With this update, the function has been fixed, and the SFTP server no longer allows any file creation in read-only mode. (BZ#1517226)
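The failure mode can be modelled in a few lines: an SSH_FXP_OPEN request carries protocol pflags that the server maps to open(2) flags, and a read-only test that only looks at the access-mode bits lets a request combining read access with a create flag through, creating an empty file. The script below is an added example, not OpenSSH's code; it reimplements that flag mapping (pflag values from the SFTP draft that OpenSSH implements) and the two shapes of the read-only test (a before and an after, written here as an assumption about the fix's logic), then runs both against a temporary directory so the difference is visible on disk.

```python
"""Model of the sftp-server read-only open check, before and after the fix.

Added example, not OpenSSH's own code.  The pflag constants are the
SSH_FXP_OPEN values from the SFTP draft; the two refuse_* functions are an
assumed model of the old and the fixed test, not copied from sftp-server.c.
"""
import os
import tempfile

# SSH_FXP_OPEN pflags (draft-ietf-secsh-filexfer).
SSH2_FXF_READ, SSH2_FXF_WRITE, SSH2_FXF_APPEND = 0x01, 0x02, 0x04
SSH2_FXF_CREAT, SSH2_FXF_TRUNC, SSH2_FXF_EXCL = 0x08, 0x10, 0x20

# Mask for the access-mode bits of an open(2) flags word.
O_ACCMODE = os.O_RDONLY | os.O_WRONLY | os.O_RDWR


def flags_from_portable(pflags):
    """Translate protocol pflags into open(2) flags."""
    if pflags & SSH2_FXF_READ and pflags & SSH2_FXF_WRITE:
        flags = os.O_RDWR
    elif pflags & SSH2_FXF_WRITE:
        flags = os.O_WRONLY
    else:
        flags = os.O_RDONLY
    if pflags & SSH2_FXF_APPEND:
        flags |= os.O_APPEND
    if pflags & SSH2_FXF_CREAT:
        flags |= os.O_CREAT
    if pflags & SSH2_FXF_TRUNC:
        flags |= os.O_TRUNC
    if pflags & SSH2_FXF_EXCL:
        flags |= os.O_EXCL
    return flags


def refuse_old(flags):
    """Pre-fix shape: only the access mode is inspected, so a request that
    asks for read access plus O_CREAT is not treated as a write."""
    return (flags & O_ACCMODE) in (os.O_WRONLY, os.O_RDWR)


def refuse_new(flags):
    """Fixed shape: anything other than a plain read-only open is refused,
    including create and truncate, which modify the file system."""
    return ((flags & O_ACCMODE) != os.O_RDONLY
            or (flags & (os.O_CREAT | os.O_TRUNC)) != 0)


def process_open(root, name, pflags, refuse):
    """Handle one SSH_FXP_OPEN on a read-only server and return the SFTP status.

    On a real server `name` would be a client-supplied path; here it is
    confined to `root` for the demo.
    """
    flags = flags_from_portable(pflags)
    if refuse(flags):
        return "SSH2_FX_PERMISSION_DENIED"
    fd = os.open(os.path.join(root, name), flags, 0o666)
    os.close(fd)
    return "SSH2_FX_OK"


def demo():
    """Send the same READ|CREAT request to both variants.

    Returns {variant: (status, file_was_created)}.
    """
    results = {}
    for label, refuse in (("old", refuse_old), ("new", refuse_new)):
        with tempfile.TemporaryDirectory() as root:
            status = process_open(root, "probe", SSH2_FXF_READ | SSH2_FXF_CREAT, refuse)
            results[label] = (status, os.path.exists(os.path.join(root, "probe")))
    return results


if __name__ == "__main__":
    for variant, (status, created) in demo().items():
        print(f"{variant}: {status}, file created: {created}")
```

The first variant returns SSH2_FX_OK and leaves an empty `probe` behind; the second refuses the request and the directory stays untouched. Read-only mode is what `sftp-server -R` (or `ForceCommand internal-sftp -R` in sshd_config) selects, so any server relying on that switch to expose data without allowing modification is the deployment this fix matters for; a plain read request without create or truncate bits is still accepted by the fixed test, as the assertions below check.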