Chapter 6. Notable Bug Fixes

A deadlock no longer occurs when using SASL binds to Directory Server

Previously, a SASL bind to Directory Server could attempt using callbacks that were modified during the connection process. Consequently, a deadlock occurred, and Directory Server could terminated unexpectedly. With this update, the server uses a connection lock that prevents modifying IO layers and callbacks while they are in use. As a result, the deadlock no longer occurs when using SASL binds.

The 389-ds-base package now sets the required permissions on directories owned by the Directory Server user

If directories in the file system owned by the Directory Server user do not have the correct permissions, Directory Server utilities adjust them accordingly. However, if these permissions were different to the ones that were set during the RPM installation, verifying the RPM using the rpm -V 389-ds-base command failed. This update fixes the permissions in the RPM. As a consequence, verifying the 389-ds-base package no longer complains about incorrect permissions.

A memory leak has been fixed in Directory Server when using ip binding rules in an ACI with IPv6

The Access Control Instruction (ACI) context in Directory Server is attached to a connection and contains a structure for both the IPv4 and IPv6 protocol. Previously, when a client closed a connection, Directory Server removed the only IPv4 structure and the context. As a consequence, if an administrator configured an ACI with ip binding rule, Directory Server leaked memory of the IPv6 structure. With this update, the server frees both the IPv4 and IPv6 structures at the end of a connection. As a result, Directory Server no longer leaks memory in the mentioned scenario.

Directory Server no longer leaks memory when using ACIs with an ip bind rule

When a Directory Server Access Control Instruction (ACI) contains an ip bind rule, the server stores the value of the ip keyword as a reference while evaluating the ACI. Previously, when the evaluations were completed Directory Server did not free the ip value. As a consequence, the server leaked around 100 bytes of memory each time the server evaluated an ACI with an ip bind rule. With this update, Directory Server keeps track of the ip value in the per-connection structure and frees the structure when the connection is closed. As a consequence, Directory Server no longer leaks memory in the mentioned scenario.

Directory Server no longer rejects wildcards in the rootdn-allow-ip and rootdn-deny-ip parameters

Previously, when an administrator tried to set a wildcard in the rootdn-allow-ip or rootdn-deny-ip parameters in the cn=RootDN Access Control Plugin,cn=plugins,cn=config entry, Directory Server rejected the value. With this update, you can use wildcards when specifying allowed or denied IP addresses in the mentioned parameters.

Directory Server rejects update operations if retrieving the system time fails or the time difference is too large

Previously, when calling the system time() function failed or the function returned an unexpected value, Change Sequence Numbers (CSN) in Directory Server could become corrupted. As a consequence, the administrator had to re-initialize all replicas in the environment. With this update, Directory Server rejects the update operation if the time() function failed, and Directory Server no longer generates corrupt CSNs in the mentioned scenario.

Directory Server no longer hangs while updating the schema

Previously, during a mixed load of search and modify operations, the update of the Directory Server schema blocked all search and modify operations, and the server appeared to hang. This update adjusts the mutex locking during schema updates. As a result, the server does not hang while updating the schema.

Directory Server no longer leaks memory when using indirect COS definitions

Previously, after processing an indirect Class Of Service (COS) definition, Directory Server leaked memory for each search operation that used an indirect COS definition. With this update, Directory Server frees all internal COS structures associated with the database entry after it has been processed. As a result, the server no longer leaks memory when using indirect COS definitions.

Password expiration notifications sent to AD clients using SSSD

Previously, Active Directory clients (non-IdM) using SSSD were not sent password expiration notices because of a recent change in the SSSD interface for acquiring Kerberos credentials.

KDCs now correctly enforce password lifetime policy from LDAP backends

Previously, non-IPA Kerberos Distribution Centers (KDCs) did not ensure maximum password lifetimes because the Kerberos LDAP backend incorrectly enforced password policies. With this update, the Kerberos LDAP backend has been fixed, and password lifetimes behave as expected.

The pkidaemon tool now reports the correct status of PKI instances when nuxwdog is enabled

Previously, the pkidaemon status command would not report the correct status for PKI server instances that have the nuxwdog watchdog enabled. With this update, pkidaemon detects whether nuxwdog is enabled and reports the correct status of the PKI server.

The strptime() method of the Time::Piece Perl module now correctly parses Julian dates

The Time::Piece Perl module did not correctly parse a day of the year (%j) using the strptime() method. Consequently, Julian dates were parsed incorrectly. This bug has been fixed, and the strptime() method provided by the Time::Piece module now handles Julian dates properly.

Documentation files from perl-devel no longer have a write permission for a group

Previously, certain documentation files from the perl-devel package had a write permission set for a group. Consequently, users in the root group could write into these files, which represented a security risk. With this update, the write bit for a group has been removed for the affected files. As a result, no documentation file from perl-devel has a write permission set for a group.

Resuming from hibernation now works on the megaraid_sas driver

Previously, when the megaraid_sas driver resumed from hibernation, the Message Signaled Interrupts (MSIx) allocation did not work correctly. As a consequence, resuming from hibernation failed, and restarting the system was required. This bug has been fixed, and resuming from hibernation now works as expected.

Disabling logging in the nf-logger framework has been fixed

Previously, when an admin used the sysctl or echo commands to turn off an assigned netfilter logger, a NUL-character was not added to the end of the NONE string. Consequently, the strcmp() function failed with a No such file or directory error. This update fixes the problem. As a result, commands, such as sysctl net.netfilter.nf_log.2=NONE work as expected and turn off logging.

XFS now mounts correctly even if the storage device reported invalid geometry at file system creation

In RHEL 7.8, an XFS file system failed to mount with the error SB stripe unit sanity check failed if it was created on a block device that reported invalid stripe geometry to the mkfs.xfs tool.

The same zone file can now be included in multiple views or zones in BIND

BIND 9.11 introduced an additional check to ensure that no daemon writable zone file is used multiple times, which would result in creating errors in zone journal serialization. Consequently, configuration accepted by BIND 9.9 was no longer accepted by this daemon. With this update, the fatal error message in configuration file check is replaced by a warning, and as a result, the same zone file can now be included in multiple views or zones.

A configuration parameter has been added to firewalld to disable zone drifting

Previously, the firewalld service contained an undocumented behavior known as "zone drifting". RHEL 7.8 removed this behavior because it could have a negative security impact. As a consequence, on hosts that used this behavior to configure a catch-all or fallback zone, firewalld denied connections that were previously allowed. This update re-adds the zone drifting behavior, but as a configurable feature. As a result, users can now decide to use zone drifting or disable the behavior for a more secure firewall setup.

RHEL rotates firewalld log files

Previously, RHEL did not rotate firewalld log files. As a consequence, the /var/log/firewalld log file grew indefinitely. This update adds the /etc/logrotate.d/firewalld log rotation configuration file for the firewalld service. As a result, the /var/log/firewalld log is rotated, and users can customize the rotation settings in the /etc/logrotate.d/firewalld file.

Recursive dependencies no longer cause OpenSCAP crashes

Because systemd units can have dependent units, OpenSCAP scans could encounter cyclical dependencies that caused the scan to terminate unexpectedly. With this update, OpenSCAP no longer analyses previously analysed units. As a result, scans now complete with a valid result even if dependencies are cyclical.

OpenSCAP scanner results no longer contain a lot of SELinux context error messages

Previously, the OpenSCAP scanner logged the inability to get the SELinux context on the ERROR level even in situations where it is not a true error. Consequently, scanner results contained a lot of SELinux context error messages and both the oscap command-line utility and the SCAP Workbench graphical utility outputs were hard to read for that reason. The openscap packages have been fixed, and scanner results no longer contain a lot of SELinux context error messages.

audit_rules_privileged_commands now works correctly for privileged commands

Remediation of the audit_rules_privileged_commands rule in the scap-security-guide packages did not account for a special case in parsing command names. Additionally, the ordering of certain rules prevented successful remediation. As a consequence, remediation of certain combinations of rules reported they were fixed although successive scans reported the rule as failing again. This update improves regular expressions in the rule and the ordering of the rules. As a result, all privileged commands are correctly audited after remediation.

Updated rule descriptions in the SCAP Security Guide

Because default kernel parameters cannot be reliably determined for all supported versions of RHEL, checking kernel parameter settings always requires explicit configuration. The text in the configuration guide mistakenly stated that explicit settings were not needed if the default version was compliant. With this update, the rule description in the scap-security-guide package correctly describes the compliance evaluation and the corresponding remediation.

configure_firewalld_rate_limiting now correctly rate-limits connections

The configure_firewalld_rate_limiting rule, which protects the system from Denial of Service (DoS) attacks, previously configured the system to accept all traffic. With this update, the system correctly rate-limits connections after remediating this rule.

dconf_gnome_login_banner_text no longer incorrectly fails

Remediation of the dconf_gnome_login_banner_text rule in the scap-security-guide packages previously failed after a failure to scan the configuration. As a consequence, the remediation could not properly update the login banner configuration, which was inconsistent with expected results. With this update, Bash and Ansible remediations are more reliable and align with the configuration check implemented using the OVAL standard. As a consequence, remediations now work properly and the rule passes after remediation.

scap-security-guide Ansible remediations no longer include the follow argument

Prior to this update, scap-security-guide Ansible remediations could contain the follow argument in the replace module. Because follow was deprecated in Ansible 2.5, and will be removed in Ansible 2.10, using such remediations caused an error. With the release of the RHBA-2021:1383 advisory, the argument has been removed. As a result, Ansible playbooks by scap-security-guide will work properly in Ansible 2.10.

Postfix-specific rules no longer fail if postfix is not installed

Previously, SCAP Security Guide (SSG) evaluated Postfix-specific rules independently of the postfix package installed on the system. As a result, SSG reported Postfix-specific rules as fail instead of notapplicable. With the release of the RHBA-2021:4781 advisory, SSG correctly evaluates Postfix-specific rules only if the postfix package is installed, and reports notapplicable if the postfix package is not installed.

Service Disabled rules are no longer ambiguous

Previously, rule descriptions for the Service Disabled type in the SCAP Security Guide provided options for disabling and masking a service but did not specify whether the user should disable the service, mask it, or both.

Fixed Ansible remediations for scap-security-guide GNOME dconf rules

Previously, Ansible remediations for some rules covering the GNOME dconf configuration systems were not aligned with the corresponding OVAL checks. Consequently, Ansible incorrectly remediated the following rules, marking them as failed in subsequent scans:

SELinux no longer blocks PCP from restarting unresponsive PMDAs

Previously, a rule that allows pcp_pmie_t processes to communicate with Performance Metric Domain Agent (PMDA) was missing in the SELinux policy. As a consequence, SELinux denied the pmsignal process to restart unresponsive PMDAs. With this update, the missing rule has been added to the policy, and the Performance Co-Pilot (PCP) can now restart unresponsive PMDAs.

SELinux no longer prevents auditd to halt or power off the system

Previously, the SELinux policy did not contain a rule that allows the Audit daemon to start a power_unit_file_t systemd unit. Consequently, auditd could not halt or power off the system even when configured to do so in cases such as no space left on a logging disk partition.

The chronyd service can now execute shells in SELinux

Previously, the chronyd process, running under chronyd_t, was unable to execute the chrony-helper shell script, because the SELinux policy did not allow chronyd to execute any shell. In this update, the SELinux policy allows the chronyd process to run a shell that is labeled shell_exec_t. As a result, the chronyd service starts successfully under the Multi-Level Security (MLS) policy.

Tang reliably updates its cache

When the Tang application generates its keys, for example, at first installation, Tang updates its cache. Previously, this process was unreliable, and the application cache did not update correctly to reflect Tang keys. This caused problems with using a Tang pin in Clevis, with the client displaying the error message Key derivation key not available. With this update, key generation and cache update logic was moved to Tang, removing the file watching dependency. As a result, the application cache remains in a correct state after cache update.

cupsd now consumes less memory during PPD caching

Previously, the CUPS daemon consumed a lot of memory when many print queues with extensive Postscript Printer Description (PPD) were created. With this update, CUPSD checks if a cached file exists and if it has newer or the same timestamp as the PPD file in /etc/cups/ppd, then it loads the cached file. Otherwise it creates a new cached file based on the PPD file. As a result, the memory consumption lowers by 91% in the described scenario.

tuned no longer hangs on SIGHUP when a non-existent profile is selected

When the tuned service receives the SIGHUP signal, it attempts to reload the profile. Prior to this update, tuned was unable to correctly handle situations when:

tuned no longer applies settings from sysctl.d directories when the reapply_sysctl option is set to 1

Previously, if the reapply_sysctl configuration option was set to 1, the tuned profile applied sysctl settings from the /usr/lib/sysctl.d, /lib/sysctl.d, and /usr/local/lib/sysctl.d directories after applying sysctl settings from a tuned profile. Consequently, settings from these directories would override sysctl settings from the tuned profile. With this update, tuned no longer applies sysctl settings from the mentioned directories when the reapply_sysctl option is set to 1.

LVM volumes on VDO now shut down correctly

Previously, the stacking of block layers on VDO was limited by the configuration of the VDO systemd units. As a result, the system shutdown sequence waited for 90 seconds when it tried to stop LVM volumes stored on VDO. After 90 seconds, the system uncleanly stopped the LVM and VDO volumes.

microdnf no longer fails to retrieve GPG key for custom Satellite repository

Previously, the librhsm library, used internally by microdnf, incorrectly handled relative gpgkey paths, which are used in custom repositories hosted by Satellite. Consequently, when the user ran the microdnf command in a container to install a package signed with GNU Privacy Guard (GPG) from a custom repository through the host’s Satellite subscription, microdnf failed with the following error:

YUM can now install RPM packages signed with GPG keys with revoked subkeys

Previously, the YUM utlity could not install RPM packages signed with GNU Privacy Guard (GPG) keys with revoked subkeys. Consequently, YUM failed with the following error message:

Using cloud-init to create virtual machines with XFS and swap now works correctly

Previously, using the cloud-init utility failed when creating a virtual machine (VM) with an XFS root file system and an enabled swap partition. In addition, the following error message was logged: