Chapter 6. Notable Bug Fixes
This chapter describes bugs fixed in Red Hat Enterprise Linux 7.7 that have a significant impact on users.
6.1. Authentication and Interoperability
Directory Server flushes the entry cache after a back end transaction plug-in failed
Previously, if a back end transaction plug-in failed, Directory Server rolled-back the operation, but did not revert the changes in the entry cache. As a consequence, the entry cache contained incorrect entries. With this update, Directory Server flushes the entry cache after a back end transaction plug-in failed. As a result, clients retrieve the correct data when querying the database in the mentioned situation.
ds-replcheck utility no longer incorrectly reports non-matching tombstone entries on replicas
Previously, if an administrator ran the
ds-replcheck utility on different Directory Server replicas with tombstones present,
ds-replcheck reported that one of the replicas was missing the tombstone entries. It is expected that tombstone entries do not match on each replica. With this update,
ds-replcheck no longer searches for tombstone entries. As a result, the utility does not report missing tombstone entries as a problem.
Directory Server no longer crashes when shutting down the service while a
cleanAllRUV task is running
Previously, stopping the Directory Server service while a
cleanAllRUV task was running freed resources the task was using. As a consequence, the service terminated unexpectedly. With this update, Directory Server increments a reference counter that enables the task to complete before the service shutdown process proceeds. As a result, the server no longer crashes in the mentioned scenario.
Directory Server now correctly rejects the current password if
passwordInHistory is set to
Previously, administrators could not set the
passwordInHistory attribute in Directory Server to
0. As a consequence, Users could reset their password to the same password as they currently use. With this update, users can now set
0 and, as a result, to check the current password.
Directory Server no longer truncates
nsSSL3Ciphers values longer than 1023 characters
Previously, Directory Server used a fixed buffer size to store the preferred TLS ciphers set in the
nsSSL3Ciphers parameter in the
cn=encryption,cn=config entry. As a consequence, if the value was longer than 1024 characters, the server truncated the value and used only ciphers specified in the first 1023 characters. With this fix, Directory Server no longer uses a fixed buffer size to store the value. As a result, the setting works as expected.
Directory Server no longer uses the CoS attribute with a higher priority than the real attribute
Previously, Directory Server used the
operational-default Class of Service (CoS) attribute with a higher priority than the real attribute. As a consequence, the server overwrote the attribute set in a local password with the CoS policy defined in a subtree. This update fixes the problem. As a result, CoS-defined password policies work as expected.
Directory Server now updates the
pwdLastSet field of a user on password changes
Previously, if password synchronization was enabled and a user changed a password in Directory Server, the server did not set the
pwdLastSet attribute. As a consequence, Active Directory (AD) still forced the user to update the password. Directory Server now updates
pwdLastSet in the mentioned scenario. As a result. AD does not force the user to change the password again.
Searches with scope
one no longer return incomplete results in Directory Server
Previously, when a user performed a search with a scope set to
one, the search operation did not return all expected entries. With this update, Directory Server correctly creates the entry candidates list for one level searches. As a result, the server returns the expected entries.
Directory Server no longer ignores IPv6 addresses in an ACI if both IPv6 and IPv4 addresses are used
Administrators can specify both IPv4 and IPv6 addresses in Access Control Instructions (ACI) to allow or deny access. Previously, if an ACI contained both IPv4 and IPv6 addresses, Directory Server ignored the IPv6 address. As a consequence, the ACI did not work as expected. This update fixes the parsing of the
ip keyword in ACIs. As a result, IP-based ACIs work as expected in the mentioned scenario.
modrdn operations to read-only Directory Server now succeeds
The conflict entry management in Directory Server requires to add tracking entries for
modrdn operations. Previously, adding these entries failed on read-only consumers and, as a consequence,
modrdn operations could not be replicated to such instances. This update fixes the problem. As a result, replicating
modrdn operations to read-only consumers succeeds.
The time after which Directory Server deletes tasks has been changed
Previously, Directory Server deleted task entries 2 minutes after a task finished. As a consequence, applications that were monitoring the task could miss the task result. This update changes the time after which the server deletes tasks. By default, all completed tasks are now deleted after 1 hour, except import and export tasks, which are deleted 24 hours after completion.
Directory Server did not return the
shadowWarning attribute if
passwordWarning was set lower than
Previously, Directory Server did not return the
shadowWarning attribute in searches if the
passwordWarning attribute in the
cn=config entry was set to a value lower than
86400 seconds (1 day). This update fixes the problem. As a result, the server returns the value of the
shadowWarning attribute in the mentioned scenario.
krb5 memory caches are now thread-safe
Previously, the memory caches of the Kerberos V5 login program (
krb5) were not completely thread-safe. As a consequence, multi-threaded access terminated unexpectedly in some cases. With this update, the memory caches are cleaned up to be more thread-safe. As a result, no more crashes occur.
krb5 configurations prohibited by FIPS 140-2 can now work again
Previously, Red Hat Enterprise Linux 7.6 build of the Kerberos V5 (
krb5) system increased compliance with FIPS 140-2. As a consequence, certain previously permitted configurations that were prohibited by FIPS 140-2 stopped working. With this update, the changes have been reverted, because
krb5 only requires to work in FIPS mode, not be FIPS-compliant. As a result, configurations prohibited by FIPS 140-2 can now work again.
Note that Red Hat Enterprise Linux 8 does not support these configurations at the moment.
Certificate System starts even if the value in the
numSubordinates attribute exceeds the number of profile entries
numSubordinates operational attribute defines the expected number of profile entries. Previously, Certificate System did not start until all profiles and lightweight Certificate Authorities (CA) were loaded. As a consequence, if the value in the attribute exceeds the number of profile entries the start process did not complete. With this update, a watchdog timer forces the start process to proceed after a short delay in the mentioned scenario and Certificate System logs the unexpected condition. As a result, the Certificate System starts completes even when
numSubordinates in the profiles or lightweight CA subtrees exceeds the number of entries in the search result.
TLS_RSA_* ciphers are now disabled by default in Certificate System
Previously, by default, TLS_RSA_* ciphers were enabled in Certificate System. However, in environments with certain hardware security modules (HSM) in Federal Information Processing Standard (FIPS) mode, these ciphers are not supported. As a consequence, the SSL handshake failed and the connection was not established. This update disables TLS_RSA_* ciphers by default. As a result, connections work with those HSMs in FIPS mode.
The Certificate System REST API no longer stores clear text passwords in log files
Previously, the Certificate System REST API did not filter out plain password values. As a consequence, passwords were visible in clear text in log files. With this update, the server replaces password attribute values with "(sensitive)". As a result, clear text passwords are no longer visible in logs.
Client authentication can now be disabled in Certificate System
A previous version of Certificate System added a feature to enforce TLS client authentication when authenticating through CMCAuth. However, certain older applications do not support TLS client authentication and failed to connect to Certificate System. This update adds the
bypassClientAuth configuration parameter to the
/var/lib/pki/pki-instance_name/ca/conf/CS.cfg file. As a result, administrators can now set this parameter to
true to disable client authentication if not supported by certain applications.
Certificate System CA installations succeed when using a PKCS #12 file
Previously, the default value of the
pki_ca_signing_cert_path parameter was set to a predefined path. Due to a recent change in the way the
pkispawn utility validates the parameter when an administrator used a PKCS #12 file to install a certificate authority (CA), the installation failed with an
Invalid certificate path: pki_ca_signing_cert_path=/etc/pki/pki-tomcat/external_ca.cert error. This update fixes the problem by removing the default value of
pki_ca_signing_cert_path. As a result, the CA installation succeeds in the mentioned scenario.
pki utility correctly asks for a password
Previously, if the user did not provide a password using command-line options, the
pki utility did not prompt for a password. As a consequence,
pki incorrectly reported
Error: Missing user password and the operation failed. The
pki utility has been fixed to prompt for a password under the described circumstances.
Certificate System automatically shuts down if signed audit logs cannot be stored due to a full file system
Previously, if audit signing was enabled and the file system on which Certificate System stored the signed audit logs was full, Certificate System continued operating but did not log further operations. To prevent missing signed audit logs, Certificate System now shuts down automatically in the mentioned scenario.
SSSD uses the AD LDAP server to retrieve POSIX attributes for initgroup lookups
The SSSD service uses the Active Directory (AD) global catalog (GC) for initgroup lookups, but the POSIX attributes, such as the user home directory or shell, are not replicated to the GC set by default. Consequently, when SSSD requests the POSIX attributes during SSSD lookups, SSSD incorrectly considers the attributes to be removed from the server, because they are not present in the GC, and removes them from the SSSD cache as well. With this update, initgroup lookups now switch between LDAP and GC connection as appropriate, because the AD LDAP server contains the POSIX attributes even without schema modification. As a result, POSIX attributes, such as shell or home directory, are no longer overwritten or missing.
Changing the shell with
ypchsh no longer results in an overwritten password when NIS uses
Previously, when the NIS server was set up to support the
passwd.adjunct map and the user changed the shell on a NIS client by using the
ypchsh command, the
yppasswdd daemon overwrote the user’s password hash inside
passwd.adjunct with the
##username string. Consequently, the affected user was unable to log in due to a corrupted password hash. This bug has been fixed, and
yppasswdd no longer overwrites the user’s password hash while updating the user’s shell information. As a result, the user can successfully log in the new shell after running
6.2. Compiler and Tools
The SystemTap Dyninst backend works without the
stap --dyninst command uses the SystemTap Dyninst backend. Previously, this backend did not work when the
dyninst-devel package was not installed. As a consequence, SystemTap terminated unexpectedly, and users had to manually install
dyninst-devel and run the
ldconfig tool as a workaround. This bug has been fixed and the SystemTap Dyninst backend now works without the
GDB breakpoint default source file works for symbolic links
Previously, the GDB debugger could not locate the symbol table information for the default source file, if the file was a symbolic link. As a consequence, users could not set breakpoints by omitting the source file name and using the default, such as
break 63. This bug has been fixed and users can now use default source files with breakpoints for files behind symbolic links.
The DNS stub resolver in
glibc no longer rejects valid host names, such as hostname-.example.com
The DNS stub resolver in
glibc rejected certain valid host names, such as hostname-.example.com, and accepted some invalid names. As a consequence, some host names on the Internet could not be resolved. To fix the problem, the DNS name validation functions, such as
res hnok, have been adjusted to match user expectations and specifications more closely. As a result, host names of the form hostname-.example.com can now be resolved successfully if they exist in DNS.
iconv no longer hangs when converting from certain IBM character sets
glibc converters for the IBM930, IBM933, IBM935, IBM937, and IBM393 character sets returned an error and failed to advance to the next input character when they encountered invalid redundant shift sequences. As a consequence, converting from these character sets using the
iconv tool with the
-c option to discard these characters made the tool unresponsive, because it could not progress beyond the first occurence of a redundant shift sequence. The converters have been modified to accept these sequences and continue correctly. As a result, the conversions mentioned above are now possible.
iconv can convert between the IBM273 and ISO-8859-1 character sets
glibc implementation of the IBM273 character set was not equivalent to the ISO-8859-1 character set. It did not have a representation for the Unicode character
MACRON, instead it used the corresponding byte to represent the
OVERLINE Unicode character, which has the same visual representation as a
MACRON. As a consequence, using the
iconv tool provided by
glibc to convert IBM273 text containing an
OVERLINE character to ISO-8859-1 or ISO-8859-1 text containing a
MACRON character to IBM273 resulted in an error during conversion. To fix this bug, the IBM273 character set was made equivalent to the ISO-8859-1 character set by replacing its
OVERLINE representation with
MACRON. As a result, both character sets now use the
MACRON Unicode character, are equivalent, and conversion from one to the other does not lead to an error.
getifaddrs calls can no longer unexpectedly terminate applications
Previously, the network interface list produced by the
getifaddrs function in the
glibc library could lack interface names if the interfaces changed in the kernel at the same time. As a consequence, applications using
getifaddrs could terminate unexpectedly in such situation. This has been fixed and
getifaddrs now ensures the list is identical to kernel state. As a result, the unexpected termination mentioned above cannot happen.
Makefiles containing explicit targets before implicit work again
Previously, mixing implicit (pattern) and explicit targets in Makefiles was deprecated. After update to version 3.82, the
make build tool returned errors for mixed targets. As a consequence, legacy Makefiles containing mixed targets could not be used. With this update,
make can correctly parse situations where an explicit target is listed before an implicit target. As a result, certain legacy Makefiles can now be used again without modification. However, implicit targets before explicit targets still result in an error.
Note that mixing explicit and implicit targets in Makefiles is deprecated and should not be added to new Makefiles.
PCP now reports all process details on large systems
Previously, the Performance Co-Pilot (PCP) toolkit failed to report certain process details in some cases on very large systems. The code reading the process details files was changed so that it can read data of arbitrary length, instead of only the first 1024 bytes. As a result, the described PCP error can no longer happen.
strip no longer crashes with certain executable files
strip tool contained untrue assumptions about executable file structure. As a consequence, attempting to strip certain executable files could unexpectedly terminate
strip. The assumptions about structure have been changed such that this problem can no longer happen and
strip works correctly.
Optimized CPU consumption by
A previous update to the
libdb database caused an excessive CPU consumption in the trickle thread. With this update, the CPU usage has been optimized.
passwd --stdin no longer limits the password length to 79 characters
When changing a password using the
passwd command with the
--stdin option, the length of the password was limited to 79 characters. Consequently, when you entered a password longer than 79 characters via standard input, only the first 79 characters were accepted, and no warning was shown. With this update,
passwd has been fixed to align the accepted size of the password with size defined by Pluggable Authentication Module (PAM). As a result, the
passwd --stdin command now accepts passwords longer than 79 characters, but not longer than
PAM_MAX_RESP_SIZE - 1 characters. If that limit is exceeded,
passwd reports an error to the standard error output, and exits with exit code 1.
fixfiles no longer incorrectly fails
fixfiles script failed if the
/etc/selinux/fixfiles_exclude_dirs file contained at least one entry and the
/etc/selinux/targeted/contexts/files/file_contexts.local file was not present. With this update, the requirement for existence of
/etc/selinux/targeted/contexts/files/file_contexts.local has been removed, and fixfiles now works correctly in the described scenario.
System no longer boots to a blank screen when Xinerama is enabled
When the Xinerama extension was enabled in
/etc/X11/xorg.conf on a system using the nvidia or nouveau driver, the RANDR X extension got disabled. Consequently, login screen failed to start upon boot due to the RANDR X extension being disabled. This bug has been fixed and the login screen now starts properly even with Xinerama enabled.
Soft lock-ups fixed during boot in the kernel with
On a rare occasion when a GM45 system had an improper firmware configuration, an incorrect
DisplayPort hot-plug signal could cause the
i915 driver to be overloaded on boot. Consequently, certain GM45 systems experienced very slow boot times while the video driver attempted to work around the problem. In some cases, the kernel also reported soft lock-ups. This bug has been fixed and the lock-ups no longer occur in the described scenario.
X.org server no longer crashes during fast user switching
Previously, the X.Org X11
qxl video driver did not emulate the leaving virtual terminal event on shutdown. Consequently, the X.Org display server terminated unexpectedly during fast user switching, and the current user session was terminated when switching a user. With this update,
qxl has been fixed, and the X.org server no longer crashes during fast user switching.
6.4. File Systems
Non-root users can now access SMB shares mounted using the
In Red Hat Enterprise Linux (RHEL) 7.5, a fix was added to handle NT LAN Manager (NTLM) authentication when no domain was specified. This change affected how the
cifs.ko kernel module selected the domain name when using NTLM. As a consequence, when a server message block (SMB) share was mounted with the
multiuser option, an incorrect domain name was selected and non-root users failed to access the mounted SMB share. This update reverts the fix. As a result, shares mounted with
multiuser can now be accessed by non-root users in RHEL 7.7.
Setting disk quota limits over a network works again for users occupying more than 4 GB of space on the network file system
setquota utility was unable to handle an occupied space greater than 4 GB when communicating with an NFS server due to an incorrect format of the used disk size. Consequently, when setting disk quota limits for a user exceeding 4 GB of used space on a NFS-mounted file system,
setquota failed to perform the operation. This update corrects the conversion of the used disk size to an RPC protocol format, and the described problem no longer occurs.
6.5. Installation and Booting
NVDIMM commands are added to the Kickstart script file
anaconda-ks.cfg after installation
The installer creates a Kickstart script equivalent to the configuration used for system installation. This script is stored in the
/root/anaconda-ks.cfg file. Previously, when the graphical user interface was used to install RHEL, the
nvdimm commands used for configuring Non-Volatile Dual In-line Memory (NVDIMM) devices were not added to this file. This bug has been fixed and the Kickstart file now contains the
nvdimm commands as expected.
The graphical installation program no longer permits an invalid passphrase
Previously, when installing RHEL 7 using the graphical installation program, it was possible to leave the passphrase field in the Partitioning Disk Encryption Passphrase dialog box empty, click the Save Passphrase button, and finish your partitioning tasks. As a consequence, partitioning was misconfigured and you had to cancel the disk encryption process or enter a valid passphrase. With this update, the Save Passphrase button is available only when you enter a valid and non-empty passphrase.
inst.version kernel boot parameters no longer stops the installation program
Previously, booting the installation program from the kernel command line using the
inst.version boot parameters printed the version, for example
anaconda 30.25.6, and stopped the installation program.
With this update, the
inst.version parameters are ignored when the installation program is booted from the kernel command line, and as a result, the installation program is not stopped.
The RHEL 7.7 graphical installation now displays supported NVDIMM device sector sizes
Previously, when configuring NVDIMM devices using the graphical user interface (GUI), it was possible to enter an unsupported sector size. No warning message was displayed, and as a consequence, a reconfiguration error occurred. With this update, the sector size dialog box contains a drop-down list that displays only the supported sector sizes of
Cancelling a job initiated from
cockpit-composer no longer fails
Image build process did not support cancelling an image build. As a consequence, cancelling a job initiated from
cockpit-composer GUI using
composer-cli compose cancel resulted in a hung compose API server, causing newly queued job builds to not start, and remain in waiting state. To fix the problem, a feature to cancel the Image build process was implemented. As a result, cancelling a job initiated from
cockpit-composer no longer fails.
rpm command now supports the
This update introduces the
--restore options for the
--setcaps option sets capabilities of files in a required package. The syntax is as follows:
rpm --setcaps _PACKAGE_NAME_
--restore option restores owner, group, permissions, and capabilities of files in a required package. The syntax is as follows:
rpm --restore _PACKAGE_NAME_
regexp command is no longer missing
Previously, the module providing the
regexp command for the Grand Unified Bootloader version 2 (GRUB2) was missing in the GRUB2 EFI binary. As a consequence, on UEFI systems with Secure Boot enabled, using
regexp failed with the
error: can’t find command `regexp` message. With this update, the module providing
regexp is included in the GRUB2 EFI binary and works correctly in the described situation.
Netfilter now supports zero-length CIDR values in certain IP set types
Previously, the kernel rejected a zero-length Classless Inter-domain Routing (CIDR) network mask value in the first and the last parameter in
hash:net6,port,net6 IP set types. As a consequence, Netfilter could not match a port against all network destinations. With this update, zero-length CIDR values are allowed in the first and the last parameter of the mentioned IP set types. As a result, administrators can create firewall rules that match a port that is valid for all destinations.
AVC denials for NFS mounted directories mounted on the server side
crossmnt mounts automatically create internal mounts when a process accesses a subdirectory that is used as a mount point on the server. Consequently, SELinux checks whether the process accessing an NFS mounted directory has a mount permission, which may cause Access Vector Cache (AVC) denials. In this update, SELinux permission checking is skipped for internal mounts of this type. As a result, mount permission is not needed when accessing an NFS directory that is mounted on the server side.
intel_pstate driver loads on the Intel Skylake-X systems with HWP disabled
Previously, with the Intel Skylake-X systems, it was impossible to load the
intel_pstate driver if Hardware P-States (HWP) were disabled. As a consequence, the kernel defaulted to loading the
acpi_cpufreq driver. This update fixes the problem and
intel_pstate now loads correctly in the described scenario.
In the event that the user wants to use
acpi_cpufreq (not recommended), the solution is to append the
intel_pstate=disable parameter to the kernel command line.
Data corruption no longer occurs on RAID 10 reshape on top of VDO
Previously, RAID 10 reshape (with both LVM and "mdadm") on top of VDO corrupted data. With this fix, the data corruption no longer occurs. However, Stacking RAID 10 (or other RAID types) on top of VDO does not take advantage of the deduplication and compression capabilities of VDO and is not recommended.
write-behind in RAID1 no longer triggers a kernel panic
Previously, the write-behind mode in the Redundant Array of Independent Disks Mode 1 (RAID1) virtualization technology used the upper layer bio structures. The structures were freed immediately after the bio structures written to bottom layer disks came back. As a consequence, a kernel panic was triggered and the
write-behind function could not be used. This update fixes the problem and
write-behind can now be used without triggering a kernel panic in the described scenario.
The kernel now supports destination MAC addresses in
hash:mac IP set types
Previously, the kernel implementation of the
hash:mac IP set types only allowed matching on the source MAC address, while destination MAC addresses could be specified, but were not matched against set entries. As a consequence, administrators could create
iptables rules that used a destination MAC address in one of these IP set types, but packets matching the given specification were not actually classified. With this update, the kernel compares the destination MAC address and returns a match if the specified classification corresponds to the destination MAC address of a packet. As a result, rules that match packets against the destination MAC address now work correctly.
kdump kernel is now able to boot after a CPU hot add or hot remove operation
When running Red Hat Enterprise Linux 7 on the little-endian variant of IBM Power Systems with
kdump enabled, the
kdump crash kernel failed to boot if triggered by the
kexec system call after a CPU hot add or hot remove operation. This update fixes the bug by utilizing the CPU online and offline events. As a result,
kdump kernel manages to boot in the described scenario.
dnsmasq no longer uses ports lower than 1024 as a source port
Previously, the Domain Name System forwarder (
dnsmasq) used for queries all ports below 1024. However, Berkeley Internet Name Domain (BIND) drops DNS queries incoming from some of the low ports. Consequently, the target port 464 was ignored by BIND. With this update,
dnsmasq has been fixed to not use custom random port generator, but it now lets the operating system to assign random ports instead. As a result,
dnsmasq no longer uses ports lower than 1024 as a source port, which prevents the described problem with BIND.
Dnsmasq with enabled cache no longer returns cached responses without DNSSEC records
dnsmasq service with enabled cache returned cached responses without
DNSSEC records, even if query had
DNSSEC OK bit set. As a consequence, returned replies could not pass
DNSSEC validation by client under the
dnsmasq. That causes clients under
dnsmasq not able to use DNSSEC validation. To fix this, always forward requests with
DNSSEC OK bit set and do not use cached values, unless
DNSSEC validation is enabled locally. As a result, clients under
dnsmasq can successfully validate all responses.
ipset service can now load sets which depends on other sets
ipset service saves IP sets (lists of IP addresses) in separate files. In Red Hat Enterprise Linux (RHEL) 7.6, when starting the service, each set was loaded sequentially ignoring dependencies between them. As a consequence, the service failed to load IP sets with dependencies on other sets. With this update, the
ipset service creates first all the sets included in the saved configuration, and then adds their entries. As a result, IP sets with dependencies on other sets can now be loaded.
Error logging in the
ipset service has been improved
ipset service did not report configuration errors with a meaningful severity in the
systemd logs. The severity level for invalid configuration entries was only
informational, and the service did not report errors for an unusable configuration. As a consequence, it was difficult for administrators to identify and troubleshoot issues in the
ipset service’s configuration. With this update,
ipset reports configuration issues as
systemd logs and, if the service fails to start, it logs an entry with the
error severity including further details. As a result, it is now easier to troubleshoot issues in the configuration of the
ipset service now ignores invalid configuration entries during startup
ipset service stores configurations as sets in separate files. Previously, when the service started, it restored the configuration from all sets in a single operation, without filtering invalid entries that can be inserted by manually editing a set. As a consequence, if a single configuration entry was invalid, the service did not restore further unrelated sets. The problem has been fixed. As a result, the
ipset service detects and removes invalid configuration entries during the restore operation, and ignores invalid configuration entries.
firewalld rebased to version 0.6.3
firewalld packages have been upgraded to upstream version 0.6.3, which provides a number of bug fixes over the previous version:
firewalldservice now only modifies
ifcfgfiles for permanent configuration changes.
Untranslated strings in the
firewall-configutility have been fixed, which caused that rich rules could not be modified in the UI.
set-log-deniedparameter now works correctly when used in combination with the
firewall-cmdutility now correctly checks the return value of the
IP forwarding is no longer enabled when using port forwarding and the
toaddrparameter is not specified.
- The shell auto-complete feature no longer constantly asks for authentication.
An SELinux policy reload no longer causes false ENOMEM
Reloading SELinux policy previously caused the internal security context lookup table to become unresponsive. Consequently, when the kernel encountered a new security context during a policy reload, the operation failed with a false "Out of memory" (ENOMEM) error. With this update, the internal Security Identifier (SID) lookup table has been redesigned and no longer freezes. As a result, the kernel no longer returns misleading ENOMEM errors during an SELinux policy reload.
NSS now processes X.509 certificates for use with IPsec correctly
Previously, the NSS library did not properly process X.509 certificates for use with IPsec. As a consequence, if X.509 certificates had non-empty Extended Key Usage (EKU) attributes that did not contain
clientAuth attributes, the
Libreswan IPsec implementation incorrectly rejected validation of the certificates. With this update, the IPsec profiles in NSS have been fixed, and Libreswan can now accept the described certificates.
NSS no longer accepts RSA PKCS#1 v1.5 signatures made with an RSA-PSS key
RSA-PSS keys can be used for creating RSA-PSS signatures only and signatures made with those keys that use the PKCS#1 v1.5 algorithm violate the standard. Previously, the Network Security Services (NSS) libraries did not check the type of an RSA public key used by a server when validating signatures made using a corresponding private key. Consequently, NSS accepted RSA PKCS#1 v1.5 signatures as valid, even if they were made with an RSA-PSS key.
The bug has been fixed and the NSS libraries now properly check the type of RSA public keys used by a server when validating signatures made using a corresponding private key. As a result, the signatures in this scenario are no longer accepted by NSS.
Accessing authorized keys no longer fails when switching users
Previously, group information cache in OpenSSH was not cleaned when changing the user for retrieving authorized keys using the
AuthorizedKeysCommand* configuration options. Consequently, an attempt to access authorized keys failed for the new user due to incorrect group information. This bug has been fixed, and authorized keys can now be successfully accessed when the user is changed.
scap-security-guide now correctly skips rules that are not applicable to containers and container images
SCAP Security Guide content can be used to scan containers and container images now. Rules that are not applicable to containers and container images have been marked with a specific CPE identifier. As a result, the evaluation of these rules is skipped automatically, and the result
not applicable is reported when scanning containers and container images.
Ansible playbooks from the SCAP Security Guide no longer fail due to common errors
Ansible tasks included in the SCAP Security Guide content were previously unable to handle certain common cases, such as missing configuration files, non-existent files, or uninstalled packages. As a consequence, when using an Ansible playbook from the SCAP Security Guide or generated by the
oscap command, the
ansible-playbook command terminated with every error. With this update, the Ansible tasks have been updated to handle common cases, and Ansible playbooks from the SCAP Security Guide can be successfully executed even if common errors are encountered during the playbook execution.
SCAP Security Guide now correctly checks the
Prior to this update, OVAL (Open Vulnerability and Assessment Language) checks used in the
SCAP Security Guide project did not check the
dconf binary database directly, but it checked only the respective key files. This could lead to false positives or negatives in scanning results. With this update,
SCAP Security Guide adds one more check component, which ensures that the
dconf binary database is up-to-date with regards to those key files. As a result, the complex check now checks the
dconf configuration correctly.
SELinux now allow
gssd_t processes to access kernel keyrings of other processes
Previously, an allow rule for the
gssd_t type was missing in the SELinux policy. As a consequence, SELinux in enforcing mode occasionally prevented processes running as
gssd_t from accessing kernel keyrings of other processes and could block for example
sec=krb5 mounts. The rule has been added to the policy, and processes running as
gssd_t are now able to access keyrings of other processes.
SELinux no longer blocks
snapperd from managing all non-security directories
Prior to this update, an allow rule for the snapper daemon (
snapperd) was missing in the SELinux policy. Consequently, snapper was not able to create a configuration file on a btrfs volume for a new snapshot with SELinux in enforcing mode. With this update, the missing rule has been added, and SELinux now allows
snapperd to manage all non-security directories.
sudo I/O logging function now works also for SELinux-confined users
Prior to this update of the SELinux policy, rules that allow user domains to use generic pseudoterminal interfaces were missing. As a consequence, the I/O logging function of the
sudo utility did not work for SELinux-confined users. The missing rules have been added to the policy, and the I/O logging function no longer fails in the described scenario.
sudo configured using LDAP now handles
sudo tool configured using LDAP did not correctly handle the case when the
sudoRunAsGroup attribute was defined and the
sudoRunAsUser attribute was not. As a consequence, the
root user was used as the target user. With this update, the handling of
sudoRunAsGroup has been fixed to match the behavior documented in the
sudoers.ldap(5) man page, and
sudo now works properly in the described scenario.
6.9. Servers and Services
chronyd no longer fails to synchronize with NTP servers after reboot
Previously, when an interface was controlled by network scripts and NetworkManager was enabled at the same time, the
chrony NetworkManager dispatcher script switched NTP sources to the offline state on boot. As a consequence,
chronyd was prevented from synchronizing the system clock. With this update, the
chrony dispatcher script ignores events that are not related to interfaces coming up or down. As a result,
chronyd now synchronizes with NTP servers as expected under the described circumstances.
CUPS no longer denies access if SSSD running on the same server is configured with
ignore_group_members = true
When System Security Services Daemon (SSSD) uses the
ignore_group_members = true setting in the
/etc/sssd/sssd.conf file, the
getgrnam() function returns the group structure without group members of groups retrieved by SSSD. This is expected behavior. Previously, CUPS used only
getgrnam() to verify if a user is a member of a group. As a consequence, if SSSD was configured with the mentioned setting on a CUPS server that used groups to allow access to the server for members of a group, CUPS denied access to users in these groups. With this update, CUPS now additionally uses the
getgrouplist() function, which returns group members even if SSSD is configured with
ignore_group_members = true. As a result, CUPS correctly determines access based on group memberships in the mentioned scenario.
Running dbus-daemon no longer fails to activate a system service
With the rebase of the D-Bus message bus daemon (dbus-daemon) to version 1.10.24, locations of several dbus tools were migrated. The
dbus-send executable was moved from the
/bin directory to the
/usr/bin directory; the
dbus-daemon-launch-helper executable was moved from the
libdir directory to the
libexecdir directory. Consequently, if a scriptlet in a package called the
dbus-send command to send a message to D-Bus, and triggered a service activation, the activation could fail. With this update, the bug has been fixed by creating compatibility symlinks between the old and new locations of
dbus-daemon-launch-helper. As a result, any running instance of dbus-daemon can now call the system bus and activate a system service.
Teaming in the rescue system works correctly again
Updates provided by the advisory RHBA-2019:0498 fixed several problems in ReaR, affecting complex network configurations. However, in case of teaming, this update introduced another problem. If the team had multiple member interfaces, the team device was not configured correctly in the rescue system. As a consequence, after applying an update provided by RHBA-2019:0498, a work around was needed to preserve the previous behavior. This update fixes the bug in ReaR, and teaming in the rescue system now works correctly.
Virtual machines now work correctly on RHEL 7 nodes in RHOSP 10
Previously, upgrading a Red Hat Enterprise Linux 7 (RHEL 7) node in Red Hat OpenStack Plaform 10 (RHOSP 10) to a later minor version sometimes caused virtual machines (VMs) hosted on that node to become unable to start. This update fixes how the
tuned service configures parameters of the kvm-intel module, which prevents the described problem from occurring.
ksmtuned in Tuned has been fixed
Previously, Tuned sometimes failed to apply the
cpu-partitioning profile if the
ksmtuned services were enabled. With this update, handling of the
ksmtuned services has been fixed. As a result, Tuned now applies the
cpu-partitioning profile reliably.
Error messages in
/var/log/tuned/tuned.log referring to non-existent sysctl settings no longer occur when a
Tuned profile is loaded
Tuned daemon treated non-existent sysctl settings as an error. For example
net.bridge.bridge-nf-call-arptables, which are unavailable on some systems, could trigger error in the
Failed to set sysctl parameter 'net.bridge.bridge-nf-call-ip6tables' to '0', the parameter does not exist
With this update,
Tuned has been fixed, and the error messages no longer occur within
/var/log/tuned/tuned.log under the described circumstances.
LVM no longer causes data corruption in the first 128kB of allocatable space of a physical volume
Previously, a bug in the I/O layer of LVM might have caused data corruption in rare cases. The bug could manifest only when the following conditions were true at the same time:
- A physical volume (PV) was created with a non-default alignment. The default is 1MB.
- An LVM command was modifying metadata at the tail end of the metadata region of the PV.
- A user or a file system was modifying the same bytes (racing).
No cases of the data corruption have been reported.
With this update, the problem has been fixed, and LVM can no longer cause data corruption under these conditions.
System boot is no longer delayed by
udev rule installed by the
ndctl package sometimes delayed the system boot process for several minutes on systems with Non-Volatile Dual In-line Memory Module (NVDIMM) devices. In such cases,
systemd displayed a message similar to the following:
INFO: task systemd-udevd:1554 blocked for more than 120 seconds. ... nvdimm_bus_check_dimm_count+0x31/0xa0 [libnvdimm] ...
With this update,
ndctl no longer installs the
udev rule. As a result,
ndctl does not delay the system boot.