Chapter 6. Notable Bug Fixes

This chapter describes bugs fixed in Red Hat Enterprise Linux 7.7 that have a significant impact on users.

6.1. Authentication and Interoperability

Directory Server flushes the entry cache after a back end transaction plug-in failed

Previously, if a back end transaction plug-in failed, Directory Server rolled-back the operation, but did not revert the changes in the entry cache. As a consequence, the entry cache contained incorrect entries. With this update, Directory Server flushes the entry cache after a back end transaction plug-in failed. As a result, clients retrieve the correct data when querying the database in the mentioned situation.

(BZ#1417340)

The ds-replcheck utility no longer incorrectly reports non-matching tombstone entries on replicas

Previously, if an administrator ran the ds-replcheck utility on different Directory Server replicas with tombstones present, ds-replcheck reported that one of the replicas was missing the tombstone entries. It is expected that tombstone entries do not match on each replica. With this update, ds-replcheck no longer searches for tombstone entries. As a result, the utility does not report missing tombstone entries as a problem.

(BZ#1629055)

Directory Server no longer crashes when shutting down the service while a cleanAllRUV task is running

Previously, stopping the Directory Server service while a cleanAllRUV task was running freed resources the task was using. As a consequence, the service terminated unexpectedly. With this update, Directory Server increments a reference counter that enables the task to complete before the service shutdown process proceeds. As a result, the server no longer crashes in the mentioned scenario.

(BZ#1466441)

Directory Server now correctly rejects the current password if passwordInHistory is set to 0

Previously, administrators could not set the passwordInHistory attribute in Directory Server to 0. As a consequence, Users could reset their password to the same password as they currently use. With this update, users can now set passwordInHistory to 0 and, as a result, to check the current password.

(BZ#1563999)

Directory Server no longer truncates nsSSL3Ciphers values longer than 1023 characters

Previously, Directory Server used a fixed buffer size to store the preferred TLS ciphers set in the nsSSL3Ciphers parameter in the cn=encryption,cn=config entry. As a consequence, if the value was longer than 1024 characters, the server truncated the value and used only ciphers specified in the first 1023 characters. With this fix, Directory Server no longer uses a fixed buffer size to store the value. As a result, the setting works as expected.

(BZ#1716267)

Directory Server no longer uses the CoS attribute with a higher priority than the real attribute

Previously, Directory Server used the operational-default Class of Service (CoS) attribute with a higher priority than the real attribute. As a consequence, the server overwrote the attribute set in a local password with the CoS policy defined in a subtree. This update fixes the problem. As a result, CoS-defined password policies work as expected.

(BZ#1652984)

Directory Server now updates the pwdLastSet field of a user on password changes

Previously, if password synchronization was enabled and a user changed a password in Directory Server, the server did not set the pwdLastSet attribute. As a consequence, Active Directory (AD) still forced the user to update the password. Directory Server now updates pwdLastSet in the mentioned scenario. As a result. AD does not force the user to change the password again.

(BZ#1597202)

Searches with scope one no longer return incomplete results in Directory Server

Previously, when a user performed a search with a scope set to one, the search operation did not return all expected entries. With this update, Directory Server correctly creates the entry candidates list for one level searches. As a result, the server returns the expected entries.

(BZ#1665752)

Directory Server no longer ignores IPv6 addresses in an ACI if both IPv6 and IPv4 addresses are used

Administrators can specify both IPv4 and IPv6 addresses in Access Control Instructions (ACI) to allow or deny access. Previously, if an ACI contained both IPv4 and IPv6 addresses, Directory Server ignored the IPv6 address. As a consequence, the ACI did not work as expected. This update fixes the parsing of the ip keyword in ACIs. As a result, IP-based ACIs work as expected in the mentioned scenario.

(BZ#1710848)

Replicating modrdn operations to read-only Directory Server now succeeds

The conflict entry management in Directory Server requires to add tracking entries for modrdn operations. Previously, adding these entries failed on read-only consumers and, as a consequence, modrdn operations could not be replicated to such instances. This update fixes the problem. As a result, replicating modrdn operations to read-only consumers succeeds.

(BZ#1602001)

The time after which Directory Server deletes tasks has been changed

Previously, Directory Server deleted task entries 2 minutes after a task finished. As a consequence, applications that were monitoring the task could miss the task result. This update changes the time after which the server deletes tasks. By default, all completed tasks are now deleted after 1 hour, except import and export tasks, which are deleted 24 hours after completion.

(BZ#1663829)

Directory Server did not return the shadowWarning attribute if passwordWarning was set lower than 86400

Previously, Directory Server did not return the shadowWarning attribute in searches if the passwordWarning attribute in the cn=config entry was set to a value lower than 86400 seconds (1 day). This update fixes the problem. As a result, the server returns the value of the shadowWarning attribute in the mentioned scenario.

(BZ#1589144)

krb5 memory caches are now thread-safe

Previously, the memory caches of the Kerberos V5 login program (krb5) were not completely thread-safe. As a consequence, multi-threaded access terminated unexpectedly in some cases. With this update, the memory caches are cleaned up to be more thread-safe. As a result, no more crashes occur.

(BZ#1605756)

krb5 configurations prohibited by FIPS 140-2 can now work again

Previously, Red Hat Enterprise Linux 7.6 build of the Kerberos V5 (krb5) system increased compliance with FIPS 140-2. As a consequence, certain previously permitted configurations that were prohibited by FIPS 140-2 stopped working. With this update, the changes have been reverted, because krb5 only requires to work in FIPS mode, not be FIPS-compliant. As a result, configurations prohibited by FIPS 140-2 can now work again.

Note that Red Hat Enterprise Linux 8 does not support these configurations at the moment.

(BZ#1645711)

Certificate System starts even if the value in the numSubordinates attribute exceeds the number of profile entries

The LDAP numSubordinates operational attribute defines the expected number of profile entries. Previously, Certificate System did not start until all profiles and lightweight Certificate Authorities (CA) were loaded. As a consequence, if the value in the attribute exceeds the number of profile entries the start process did not complete. With this update, a watchdog timer forces the start process to proceed after a short delay in the mentioned scenario and Certificate System logs the unexpected condition. As a result, the Certificate System starts completes even when numSubordinates in the profiles or lightweight CA subtrees exceeds the number of entries in the search result.

(BZ#1638379)

TLS_RSA_* ciphers are now disabled by default in Certificate System

Previously, by default, TLS_RSA_* ciphers were enabled in Certificate System. However, in environments with certain hardware security modules (HSM) in Federal Information Processing Standard (FIPS) mode, these ciphers are not supported. As a consequence, the SSL handshake failed and the connection was not established. This update disables TLS_RSA_* ciphers by default. As a result, connections work with those HSMs in FIPS mode.

(BZ#1578389)

The Certificate System REST API no longer stores clear text passwords in log files

Previously, the Certificate System REST API did not filter out plain password values. As a consequence, passwords were visible in clear text in log files. With this update, the server replaces password attribute values with "(sensitive)". As a result, clear text passwords are no longer visible in logs.

(BZ#1617894)

Client authentication can now be disabled in Certificate System

A previous version of Certificate System added a feature to enforce TLS client authentication when authenticating through CMCAuth. However, certain older applications do not support TLS client authentication and failed to connect to Certificate System. This update adds the bypassClientAuth configuration parameter to the /var/lib/pki/pki-instance_name/ca/conf/CS.cfg file. As a result, administrators can now set this parameter to true to disable client authentication if not supported by certain applications.

(BZ#1628410)

Certificate System CA installations succeed when using a PKCS #12 file

Previously, the default value of the pki_ca_signing_cert_path parameter was set to a predefined path. Due to a recent change in the way the pkispawn utility validates the parameter when an administrator used a PKCS #12 file to install a certificate authority (CA), the installation failed with an Invalid certificate path: pki_ca_signing_cert_path=/etc/pki/pki-tomcat/external_ca.cert error. This update fixes the problem by removing the default value of pki_ca_signing_cert_path. As a result, the CA installation succeeds in the mentioned scenario.

(BZ#1633761)

The pki utility correctly asks for a password

Previously, if the user did not provide a password using command-line options, the pki utility did not prompt for a password. As a consequence, pki incorrectly reported Error: Missing user password and the operation failed. The pki utility has been fixed to prompt for a password under the described circumstances.

(BZ#1479559)

Certificate System automatically shuts down if signed audit logs cannot be stored due to a full file system

Previously, if audit signing was enabled and the file system on which Certificate System stored the signed audit logs was full, Certificate System continued operating but did not log further operations. To prevent missing signed audit logs, Certificate System now shuts down automatically in the mentioned scenario.

(BZ#1639710)

SSSD uses the AD LDAP server to retrieve POSIX attributes for initgroup lookups

The SSSD service uses the Active Directory (AD) global catalog (GC) for initgroup lookups, but the POSIX attributes, such as the user home directory or shell, are not replicated to the GC set by default. Consequently, when SSSD requests the POSIX attributes during SSSD lookups, SSSD incorrectly considers the attributes to be removed from the server, because they are not present in the GC, and removes them from the SSSD cache as well. With this update, initgroup lookups now switch between LDAP and GC connection as appropriate, because the AD LDAP server contains the POSIX attributes even without schema modification. As a result, POSIX attributes, such as shell or home directory, are no longer overwritten or missing.

(BZ#1194345)

Changing the shell with ypchsh no longer results in an overwritten password when NIS uses passwd.adjunct

Previously, when the NIS server was set up to support the passwd.adjunct map and the user changed the shell on a NIS client by using the ypchsh command, the yppasswdd daemon overwrote the user’s password hash inside passwd.adjunct with the ##username string. Consequently, the affected user was unable to log in due to a corrupted password hash. This bug has been fixed, and yppasswdd no longer overwrites the user’s password hash while updating the user’s shell information. As a result, the user can successfully log in the new shell after running ypchsh.

(BZ#1624295)

6.2. Compiler and Tools

The SystemTap Dyninst backend works without the dyninst-devel package

The stap --dyninst command uses the SystemTap Dyninst backend. Previously, this backend did not work when the dyninst-devel package was not installed. As a consequence, SystemTap terminated unexpectedly, and users had to manually install dyninst-devel and run the ldconfig tool as a workaround. This bug has been fixed and the SystemTap Dyninst backend now works without the dyninst-devel package.

(BZ#1498558)

GDB breakpoint default source file works for symbolic links

Previously, the GDB debugger could not locate the symbol table information for the default source file, if the file was a symbolic link. As a consequence, users could not set breakpoints by omitting the source file name and using the default, such as break 63. This bug has been fixed and users can now use default source files with breakpoints for files behind symbolic links.

(BZ#1639077)

The DNS stub resolver in glibc no longer rejects valid host names, such as hostname-.example.com

The DNS stub resolver in glibc rejected certain valid host names, such as hostname-.example.com, and accepted some invalid names. As a consequence, some host names on the Internet could not be resolved. To fix the problem, the DNS name validation functions, such as res hnok, have been adjusted to match user expectations and specifications more closely. As a result, host names of the form hostname-.example.com can now be resolved successfully if they exist in DNS.

(BZ#1039304)

iconv no longer hangs when converting from certain IBM character sets

Previously, the glibc converters for the IBM930, IBM933, IBM935, IBM937, and IBM393 character sets returned an error and failed to advance to the next input character when they encountered invalid redundant shift sequences. As a consequence, converting from these character sets using the iconv tool with the -c option to discard these characters made the tool unresponsive, because it could not progress beyond the first occurence of a redundant shift sequence. The converters have been modified to accept these sequences and continue correctly. As a result, the conversions mentioned above are now possible.

(BZ#1427734)

iconv can convert between the IBM273 and ISO-8859-1 character sets

Previously, the glibc implementation of the IBM273 character set was not equivalent to the ISO-8859-1 character set. It did not have a representation for the Unicode character MACRON, instead it used the corresponding byte to represent the OVERLINE Unicode character, which has the same visual representation as a MACRON. As a consequence, using the iconv tool provided by glibc to convert IBM273 text containing an OVERLINE character to ISO-8859-1 or ISO-8859-1 text containing a MACRON character to IBM273 resulted in an error during conversion. To fix this bug, the IBM273 character set was made equivalent to the ISO-8859-1 character set by replacing its OVERLINE representation with MACRON. As a result, both character sets now use the MACRON Unicode character, are equivalent, and conversion from one to the other does not lead to an error.

(BZ#1591268)

getifaddrs calls can no longer unexpectedly terminate applications

Previously, the network interface list produced by the getifaddrs function in the glibc library could lack interface names if the interfaces changed in the kernel at the same time. As a consequence, applications using getifaddrs could terminate unexpectedly in such situation. This has been fixed and getifaddrs now ensures the list is identical to kernel state. As a result, the unexpected termination mentioned above cannot happen.

(BZ#1472832)

Makefiles containing explicit targets before implicit work again

Previously, mixing implicit (pattern) and explicit targets in Makefiles was deprecated. After update to version 3.82, the make build tool returned errors for mixed targets. As a consequence, legacy Makefiles containing mixed targets could not be used. With this update, make can correctly parse situations where an explicit target is listed before an implicit target. As a result, certain legacy Makefiles can now be used again without modification. However, implicit targets before explicit targets still result in an error.

Note that mixing explicit and implicit targets in Makefiles is deprecated and should not be added to new Makefiles.

(BZ#1582545)

PCP now reports all process details on large systems

Previously, the Performance Co-Pilot (PCP) toolkit failed to report certain process details in some cases on very large systems. The code reading the process details files was changed so that it can read data of arbitrary length, instead of only the first 1024 bytes. As a result, the described PCP error can no longer happen.

(BZ#1600262)

strip no longer crashes with certain executable files

Previously, the strip tool contained untrue assumptions about executable file structure. As a consequence, attempting to strip certain executable files could unexpectedly terminate strip. The assumptions about structure have been changed such that this problem can no longer happen and strip works correctly.

(BZ#1644632)

Optimized CPU consumption by libdb

A previous update to the libdb database caused an excessive CPU consumption in the trickle thread. With this update, the CPU usage has been optimized.

(BZ#1608749)

passwd --stdin no longer limits the password length to 79 characters

When changing a password using the passwd command with the --stdin option, the length of the password was limited to 79 characters. Consequently, when you entered a password longer than 79 characters via standard input, only the first 79 characters were accepted, and no warning was shown. With this update, passwd has been fixed to align the accepted size of the password with size defined by Pluggable Authentication Module (PAM). As a result, the passwd --stdin command now accepts passwords longer than 79 characters, but not longer than PAM_MAX_RESP_SIZE - 1 characters. If that limit is exceeded, passwd reports an error to the standard error output, and exits with exit code 1.

(BZ#1276570)

fixfiles no longer incorrectly fails

Previously, the fixfiles script failed if the /etc/selinux/fixfiles_exclude_dirs file contained at least one entry and the /etc/selinux/targeted/contexts/files/file_contexts.local file was not present. With this update, the requirement for existence of /etc/selinux/targeted/contexts/files/file_contexts.local has been removed, and fixfiles now works correctly in the described scenario.

(BZ#1647714)

6.3. Desktop

System no longer boots to a blank screen when Xinerama is enabled

When the Xinerama extension was enabled in /etc/X11/xorg.conf on a system using the nvidia or nouveau driver, the RANDR X extension got disabled. Consequently, login screen failed to start upon boot due to the RANDR X extension being disabled. This bug has been fixed and the login screen now starts properly even with Xinerama enabled.

(BZ#1579257)

Soft lock-ups fixed during boot in the kernel with i915

On a rare occasion when a GM45 system had an improper firmware configuration, an incorrect DisplayPort hot-plug signal could cause the i915 driver to be overloaded on boot. Consequently, certain GM45 systems experienced very slow boot times while the video driver attempted to work around the problem. In some cases, the kernel also reported soft lock-ups. This bug has been fixed and the lock-ups no longer occur in the described scenario.

(BZ#1608704)

X.org server no longer crashes during fast user switching

Previously, the X.Org X11 qxl video driver did not emulate the leaving virtual terminal event on shutdown. Consequently, the X.Org display server terminated unexpectedly during fast user switching, and the current user session was terminated when switching a user. With this update, qxl has been fixed, and the X.org server no longer crashes during fast user switching.

(BZ#1640918)

6.4. File Systems

Non-root users can now access SMB shares mounted using the multiuser option

In Red Hat Enterprise Linux (RHEL) 7.5, a fix was added to handle NT LAN Manager (NTLM) authentication when no domain was specified. This change affected how the cifs.ko kernel module selected the domain name when using NTLM. As a consequence, when a server message block (SMB) share was mounted with the multiuser option, an incorrect domain name was selected and non-root users failed to access the mounted SMB share. This update reverts the fix. As a result, shares mounted with multiuser can now be accessed by non-root users in RHEL 7.7.

(BZ#1710421)

Setting disk quota limits over a network works again for users occupying more than 4 GB of space on the network file system

Previously, the setquota utility was unable to handle an occupied space greater than 4 GB when communicating with an NFS server due to an incorrect format of the used disk size. Consequently, when setting disk quota limits for a user exceeding 4 GB of used space on a NFS-mounted file system, setquota failed to perform the operation. This update corrects the conversion of the used disk size to an RPC protocol format, and the described problem no longer occurs.

(BZ#1697605)

6.5. Installation and Booting

NVDIMM commands are added to the Kickstart script file anaconda-ks.cfg after installation

The installer creates a Kickstart script equivalent to the configuration used for system installation. This script is stored in the /root/anaconda-ks.cfg file. Previously, when the graphical user interface was used to install RHEL, the nvdimm commands used for configuring Non-Volatile Dual In-line Memory (NVDIMM) devices were not added to this file. This bug has been fixed and the Kickstart file now contains the nvdimm commands as expected.

(BZ#1620109)

The graphical installation program no longer permits an invalid passphrase

Previously, when installing RHEL 7 using the graphical installation program, it was possible to leave the passphrase field in the Partitioning Disk Encryption Passphrase dialog box empty, click the Save Passphrase button, and finish your partitioning tasks. As a consequence, partitioning was misconfigured and you had to cancel the disk encryption process or enter a valid passphrase. With this update, the Save Passphrase button is available only when you enter a valid and non-empty passphrase.

(BZ#1489713)

Using the version or inst.version kernel boot parameters no longer stops the installation program

Previously, booting the installation program from the kernel command line using the version or inst.version boot parameters printed the version, for example anaconda 30.25.6, and stopped the installation program.

With this update, the version and inst.version parameters are ignored when the installation program is booted from the kernel command line, and as a result, the installation program is not stopped.

(BZ#1637112)

The RHEL 7.7 graphical installation now displays supported NVDIMM device sector sizes

Previously, when configuring NVDIMM devices using the graphical user interface (GUI), it was possible to enter an unsupported sector size. No warning message was displayed, and as a consequence, a reconfiguration error occurred. With this update, the sector size dialog box contains a drop-down list that displays only the supported sector sizes of 512 and 4096.

(BZ#1614049)

Cancelling a job initiated from cockpit-composer no longer fails

Image build process did not support cancelling an image build. As a consequence, cancelling a job initiated from cockpit-composer GUI using composer-cli compose cancel resulted in a hung compose API server, causing newly queued job builds to not start, and remain in waiting state. To fix the problem, a feature to cancel the Image build process was implemented. As a result, cancelling a job initiated from cockpit-composer no longer fails.

(BZ#1659129)

The rpm command now supports the --setcaps and --restore options

This update introduces the --setcaps and --restore options for the rpm command.

The --setcaps option sets capabilities of files in a required package. The syntax is as follows:

rpm --setcaps _PACKAGE_NAME_

The --restore option restores owner, group, permissions, and capabilities of files in a required package. The syntax is as follows:

rpm --restore _PACKAGE_NAME_

(BZ#1550745)

GRUB 2 regexp command is no longer missing

Previously, the module providing the regexp command for the Grand Unified Bootloader version 2 (GRUB2) was missing in the GRUB2 EFI binary. As a consequence, on UEFI systems with Secure Boot enabled, using regexp failed with the error: can’t find command `regexp` message. With this update, the module providing regexp is included in the GRUB2 EFI binary and works correctly in the described situation.

(BZ#1630678)

6.6. Kernel

Netfilter now supports zero-length CIDR values in certain IP set types

Previously, the kernel rejected a zero-length Classless Inter-domain Routing (CIDR) network mask value in the first and the last parameter in hash:net,port,net and hash:net6,port,net6 IP set types. As a consequence, Netfilter could not match a port against all network destinations. With this update, zero-length CIDR values are allowed in the first and the last parameter of the mentioned IP set types. As a result, administrators can create firewall rules that match a port that is valid for all destinations.

(BZ#1680426)

AVC denials for NFS mounted directories mounted on the server side

NFS crossmnt mounts automatically create internal mounts when a process accesses a subdirectory that is used as a mount point on the server. Consequently, SELinux checks whether the process accessing an NFS mounted directory has a mount permission, which may cause Access Vector Cache (AVC) denials. In this update, SELinux permission checking is skipped for internal mounts of this type. As a result, mount permission is not needed when accessing an NFS directory that is mounted on the server side.

(BZ#1077929)

The intel_pstate driver loads on the Intel Skylake-X systems with HWP disabled

Previously, with the Intel Skylake-X systems, it was impossible to load the intel_pstate driver if Hardware P-States (HWP) were disabled. As a consequence, the kernel defaulted to loading the acpi_cpufreq driver. This update fixes the problem and intel_pstate now loads correctly in the described scenario.

In the event that the user wants to use acpi_cpufreq (not recommended), the solution is to append the intel_pstate=disable parameter to the kernel command line.

(BZ#1698453)

Data corruption no longer occurs on RAID 10 reshape on top of VDO

Previously, RAID 10 reshape (with both LVM and "mdadm") on top of VDO corrupted data. With this fix, the data corruption no longer occurs. However, Stacking RAID 10 (or other RAID types) on top of VDO does not take advantage of the deduplication and compression capabilities of VDO and is not recommended.

(BZ#1528466)

write-behind in RAID1 no longer triggers a kernel panic

Previously, the write-behind mode in the Redundant Array of Independent Disks Mode 1 (RAID1) virtualization technology used the upper layer bio structures. The structures were freed immediately after the bio structures written to bottom layer disks came back. As a consequence, a kernel panic was triggered and the write-behind function could not be used. This update fixes the problem and write-behind can now be used without triggering a kernel panic in the described scenario.

(BZ#1632575)

The kernel now supports destination MAC addresses in bitmap:ipmac, hash:ipmac, and hash:mac IP set types

Previously, the kernel implementation of the bitmap:ipmac, hash:ipmac, and hash:mac IP set types only allowed matching on the source MAC address, while destination MAC addresses could be specified, but were not matched against set entries. As a consequence, administrators could create iptables rules that used a destination MAC address in one of these IP set types, but packets matching the given specification were not actually classified. With this update, the kernel compares the destination MAC address and returns a match if the specified classification corresponds to the destination MAC address of a packet. As a result, rules that match packets against the destination MAC address now work correctly.

(BZ#1607252)

The kdump kernel is now able to boot after a CPU hot add or hot remove operation

When running Red Hat Enterprise Linux 7 on the little-endian variant of IBM Power Systems with kdump enabled, the kdump crash kernel failed to boot if triggered by the kexec system call after a CPU hot add or hot remove operation. This update fixes the bug by utilizing the CPU online and offline events. As a result, kdump kernel manages to boot in the described scenario.

(BZ#1549355)

6.7. Networking

dnsmasq no longer uses ports lower than 1024 as a source port

Previously, the Domain Name System forwarder (dnsmasq) used for queries all ports below 1024. However, Berkeley Internet Name Domain (BIND) drops DNS queries incoming from some of the low ports. Consequently, the target port 464 was ignored by BIND. With this update, dnsmasq has been fixed to not use custom random port generator, but it now lets the operating system to assign random ports instead. As a result, dnsmasq no longer uses ports lower than 1024 as a source port, which prevents the described problem with BIND.

(BZ#1614331)

Dnsmasq with enabled cache no longer returns cached responses without DNSSEC records

Previously, dnsmasq service with enabled cache returned cached responses without DNSSEC records, even if query had DNSSEC OK bit set. As a consequence, returned replies could not pass DNSSEC validation by client under the dnsmasq. That causes clients under dnsmasq not able to use DNSSEC validation. To fix this, always forward requests with DNSSEC OK bit set and do not use cached values, unless DNSSEC validation is enabled locally. As a result, clients under dnsmasq can successfully validate all responses.

(BZ#1638703)

The ipset service can now load sets which depends on other sets

Τhe ipset service saves IP sets (lists of IP addresses) in separate files. In Red Hat Enterprise Linux (RHEL) 7.6, when starting the service, each set was loaded sequentially ignoring dependencies between them. As a consequence, the service failed to load IP sets with dependencies on other sets. With this update, the ipset service creates first all the sets included in the saved configuration, and then adds their entries. As a result, IP sets with dependencies on other sets can now be loaded.

(BZ#1646666)

Error logging in the ipset service has been improved

Previously, the ipset service did not report configuration errors with a meaningful severity in the systemd logs. The severity level for invalid configuration entries was only informational, and the service did not report errors for an unusable configuration. As a consequence, it was difficult for administrators to identify and troubleshoot issues in the ipset service’s configuration. With this update, ipset reports configuration issues as warnings in systemd logs and, if the service fails to start, it logs an entry with the error severity including further details. As a result, it is now easier to troubleshoot issues in the configuration of the ipset service.

(BZ#1649877)

The ipset service now ignores invalid configuration entries during startup

The ipset service stores configurations as sets in separate files. Previously, when the service started, it restored the configuration from all sets in a single operation, without filtering invalid entries that can be inserted by manually editing a set. As a consequence, if a single configuration entry was invalid, the service did not restore further unrelated sets. The problem has been fixed. As a result, the ipset service detects and removes invalid configuration entries during the restore operation, and ignores invalid configuration entries.

(BZ#1650297)

firewalld rebased to version 0.6.3

The firewalld packages have been upgraded to upstream version 0.6.3, which provides a number of bug fixes over the previous version:

  • The firewalld service now only modifies ifcfg files for permanent configuration changes.
  • Untranslated strings in the firewall-config utility have been fixed, which caused that rich rules could not be modified in the UI.
  • The set-log-denied parameter now works correctly when used in combination with the icmp-block-inversion parameter.
  • The firewall-cmd utility now correctly checks the return value of the ipset command.
  • IP forwarding is no longer enabled when using port forwarding and the toaddr parameter is not specified.
  • The shell auto-complete feature no longer constantly asks for authentication.

(BZ#1637204)

6.8. Security

An SELinux policy reload no longer causes false ENOMEM

Reloading SELinux policy previously caused the internal security context lookup table to become unresponsive. Consequently, when the kernel encountered a new security context during a policy reload, the operation failed with a false "Out of memory" (ENOMEM) error. With this update, the internal Security Identifier (SID) lookup table has been redesigned and no longer freezes. As a result, the kernel no longer returns misleading ENOMEM errors during an SELinux policy reload.

(BZ#1335986)

NSS now processes X.509 certificates for use with IPsec correctly

Previously, the NSS library did not properly process X.509 certificates for use with IPsec. As a consequence, if X.509 certificates had non-empty Extended Key Usage (EKU) attributes that did not contain serverAuth and clientAuth attributes, the Libreswan IPsec implementation incorrectly rejected validation of the certificates. With this update, the IPsec profiles in NSS have been fixed, and Libreswan can now accept the described certificates.

(BZ#1212132)

NSS no longer accepts RSA PKCS#1 v1.5 signatures made with an RSA-PSS key

RSA-PSS keys can be used for creating RSA-PSS signatures only and signatures made with those keys that use the PKCS#1 v1.5 algorithm violate the standard. Previously, the Network Security Services (NSS) libraries did not check the type of an RSA public key used by a server when validating signatures made using a corresponding private key. Consequently, NSS accepted RSA PKCS#1 v1.5 signatures as valid, even if they were made with an RSA-PSS key.

The bug has been fixed and the NSS libraries now properly check the type of RSA public keys used by a server when validating signatures made using a corresponding private key. As a result, the signatures in this scenario are no longer accepted by NSS.

(BZ#1510156)

Accessing authorized keys no longer fails when switching users

Previously, group information cache in OpenSSH was not cleaned when changing the user for retrieving authorized keys using the AuthorizedKeysCommand* configuration options. Consequently, an attempt to access authorized keys failed for the new user due to incorrect group information. This bug has been fixed, and authorized keys can now be successfully accessed when the user is changed.

(BZ#1583735)

scap-security-guide now correctly skips rules that are not applicable to containers and container images

SCAP Security Guide content can be used to scan containers and container images now. Rules that are not applicable to containers and container images have been marked with a specific CPE identifier. As a result, the evaluation of these rules is skipped automatically, and the result not applicable is reported when scanning containers and container images.

(BZ#1630739)

Ansible playbooks from the SCAP Security Guide no longer fail due to common errors

Ansible tasks included in the SCAP Security Guide content were previously unable to handle certain common cases, such as missing configuration files, non-existent files, or uninstalled packages. As a consequence, when using an Ansible playbook from the SCAP Security Guide or generated by the oscap command, the ansible-playbook command terminated with every error. With this update, the Ansible tasks have been updated to handle common cases, and Ansible playbooks from the SCAP Security Guide can be successfully executed even if common errors are encountered during the playbook execution.

(BZ#1647189)

SCAP Security Guide now correctly checks the dconf configuration

Prior to this update, OVAL (Open Vulnerability and Assessment Language) checks used in the SCAP Security Guide project did not check the dconf binary database directly, but it checked only the respective key files. This could lead to false positives or negatives in scanning results. With this update, SCAP Security Guide adds one more check component, which ensures that the dconf binary database is up-to-date with regards to those key files. As a result, the complex check now checks the dconf configuration correctly.

(BZ#1631378)

SELinux now allow gssd_t processes to access kernel keyrings of other processes

Previously, an allow rule for the gssd_t type was missing in the SELinux policy. As a consequence, SELinux in enforcing mode occasionally prevented processes running as gssd_t from accessing kernel keyrings of other processes and could block for example sec=krb5 mounts. The rule has been added to the policy, and processes running as gssd_t are now able to access keyrings of other processes.

(BZ#1487350)

SELinux no longer blocks snapperd from managing all non-security directories

Prior to this update, an allow rule for the snapper daemon (snapperd) was missing in the SELinux policy. Consequently, snapper was not able to create a configuration file on a btrfs volume for a new snapshot with SELinux in enforcing mode. With this update, the missing rule has been added, and SELinux now allows snapperd to manage all non-security directories.

(BZ#1619306)

sudo I/O logging function now works also for SELinux-confined users

Prior to this update of the SELinux policy, rules that allow user domains to use generic pseudoterminal interfaces were missing. As a consequence, the I/O logging function of the sudo utility did not work for SELinux-confined users. The missing rules have been added to the policy, and the I/O logging function no longer fails in the described scenario.

(BZ#1564470)

sudo configured using LDAP now handles sudoRunAsGroup correctly

Previously, the sudo tool configured using LDAP did not correctly handle the case when the sudoRunAsGroup attribute was defined and the sudoRunAsUser attribute was not. As a consequence, the root user was used as the target user. With this update, the handling of sudoRunAsGroup has been fixed to match the behavior documented in the sudoers.ldap(5) man page, and sudo now works properly in the described scenario.

(BZ#1618702)

6.9. Servers and Services

chronyd no longer fails to synchronize with NTP servers after reboot

Previously, when an interface was controlled by network scripts and NetworkManager was enabled at the same time, the chrony NetworkManager dispatcher script switched NTP sources to the offline state on boot. As a consequence, chronyd was prevented from synchronizing the system clock. With this update, the chrony dispatcher script ignores events that are not related to interfaces coming up or down. As a result, chronyd now synchronizes with NTP servers as expected under the described circumstances.

(BZ#1600882)

CUPS no longer denies access if SSSD running on the same server is configured with ignore_group_members = true

When System Security Services Daemon (SSSD) uses the ignore_group_members = true setting in the /etc/sssd/sssd.conf file, the getgrnam() function returns the group structure without group members of groups retrieved by SSSD. This is expected behavior. Previously, CUPS used only getgrnam() to verify if a user is a member of a group. As a consequence, if SSSD was configured with the mentioned setting on a CUPS server that used groups to allow access to the server for members of a group, CUPS denied access to users in these groups. With this update, CUPS now additionally uses the getgrouplist() function, which returns group members even if SSSD is configured with ignore_group_members = true. As a result, CUPS correctly determines access based on group memberships in the mentioned scenario.

(BZ#1570480)

Running dbus-daemon no longer fails to activate a system service

With the rebase of the D-Bus message bus daemon (dbus-daemon) to version 1.10.24, locations of several dbus tools were migrated. The dbus-send executable was moved from the /bin directory to the /usr/bin directory; the dbus-daemon-launch-helper executable was moved from the libdir directory to the libexecdir directory. Consequently, if a scriptlet in a package called the dbus-send command to send a message to D-Bus, and triggered a service activation, the activation could fail. With this update, the bug has been fixed by creating compatibility symlinks between the old and new locations of dbus-daemon-launch-helper. As a result, any running instance of dbus-daemon can now call the system bus and activate a system service.

(BZ#1568856)

Teaming in the rescue system works correctly again

Updates provided by the advisory RHBA-2019:0498 fixed several problems in ReaR, affecting complex network configurations. However, in case of teaming, this update introduced another problem. If the team had multiple member interfaces, the team device was not configured correctly in the rescue system. As a consequence, after applying an update provided by RHBA-2019:0498, a work around was needed to preserve the previous behavior. This update fixes the bug in ReaR, and teaming in the rescue system now works correctly.

(BZ#1685166)

Virtual machines now work correctly on RHEL 7 nodes in RHOSP 10

Previously, upgrading a Red Hat Enterprise Linux 7 (RHEL 7) node in Red Hat OpenStack Plaform 10 (RHOSP 10) to a later minor version sometimes caused virtual machines (VMs) hosted on that node to become unable to start. This update fixes how the tuned service configures parameters of the kvm-intel module, which prevents the described problem from occurring.

(BZ#1649408)

Handling of ksm and ksmtuned in Tuned has been fixed

Previously, Tuned sometimes failed to apply the cpu-partitioning profile if the ksm and ksmtuned services were enabled. With this update, handling of the ksm and ksmtuned services has been fixed. As a result, Tuned now applies the cpu-partitioning profile reliably.

(BZ#1622239)

Error messages in /var/log/tuned/tuned.log referring to non-existent sysctl settings no longer occur when a Tuned profile is loaded

Previously, the Tuned daemon treated non-existent sysctl settings as an error. For example net.bridge.bridge-nf-call-ip6tables, net.bridge.bridge-nf-call-iptables, or net.bridge.bridge-nf-call-arptables, which are unavailable on some systems, could trigger error in the /var/log/tuned/tuned.log file:

Failed to set sysctl parameter 'net.bridge.bridge-nf-call-ip6tables' to '0', the parameter does not exist

With this update, Tuned has been fixed, and the error messages no longer occur within /var/log/tuned/tuned.log under the described circumstances.

(BZ#1714595)

6.10. Storage

LVM no longer causes data corruption in the first 128kB of allocatable space of a physical volume

Previously, a bug in the I/O layer of LVM might have caused data corruption in rare cases. The bug could manifest only when the following conditions were true at the same time:

  • A physical volume (PV) was created with a non-default alignment. The default is 1MB.
  • An LVM command was modifying metadata at the tail end of the metadata region of the PV.
  • A user or a file system was modifying the same bytes (racing).

No cases of the data corruption have been reported.

With this update, the problem has been fixed, and LVM can no longer cause data corruption under these conditions.

(BZ#1643651)

System boot is no longer delayed by ndctl

Previously, a udev rule installed by the ndctl package sometimes delayed the system boot process for several minutes on systems with Non-Volatile Dual In-line Memory Module (NVDIMM) devices. In such cases, systemd displayed a message similar to the following:

INFO: task systemd-udevd:1554 blocked for more than 120 seconds.
...
nvdimm_bus_check_dimm_count+0x31/0xa0 [libnvdimm]
...

With this update, ndctl no longer installs the udev rule. As a result, ndctl does not delay the system boot.

(BZ#1635441)