2.11. Security and Access Control
2.11.1. New firewall (firewalld)
firewalld, and its configuration tools: firewall-config, firewall-cmd, and firewall-applet, which is not included in the default installation of Red Hat Enterprise Linux 7.
firewalldis dynamic, changes to its configuration can be made at any time, and are implemented immediately. No part of the firewall needs to be reloaded, so there is no unintentional disruption of existing network connections.
- Firewalld configuration details are not stored in
/etc/sysconfig/iptables. Instead, configuration details are stored in various files in the
- Where the firewall system in Red Hat Enterprise Linux 6 removed and re-applied all rules every time a configuration change was made,
firewalldonly applies the configuration differences. As a result,
firewalldcan change settings during runtime without losing existing connections.
22.214.171.124. Migrating rules to firewalld
ip6tablesinstead of moving to
firewalldand continue using
ip6tablesare available here: https://access.redhat.com/articles/1229233.
- Use the graphical system-config-firewall tool to configure rules. This tool stored its configuration details in the
/etc/sysconfig/system-config-firewallfile, and created configuration for the
ip6tablesservices in the
- Manually edit the
/etc/sysconfig/ip6tablesfiles (either from scratch, or editing an initial configuration created by system-config-firewall).
/etc/sysconfig/system-config-firewallinto the default zone of
/etc/sysconfig/ip6tables, after you install firewalld, you must either create a new configuration with firewall-cmd or firewall-config, or disable
firewalldand continue to use the old
ip6tablesservices. For details about creating new configurations or disabling
firewalld, see the Red Hat Enterprise Linux 7 Security Guide, available from http://access.redhat.com/site/documentation/Red_Hat_Enterprise_Linux/.
2.11.2. Changes to PolicyKit
.rulesfiles in lexicographic order from the
/usr/share/polkit-1/rules.ddirectories. If two files share the same name, files in
/etcare processed before files in
/usr. When the old
.pklafiles were processed, the last rule processed took precedence. With the new
.rulesfiles, the first matching rule takes precedence.
/etc/polkit-1/rules.d/49-polkit-pkla-compat.rulesfile. They can therefore be overridden by
.rulesfiles in either
/etcwith a name that comes before
49-polkit-pkla-compatin lexicographic order. The simplest way to ensure that your old rules are not overridden is to begin the name of all other
.rulesfiles with a number greater than 49.
2.11.3. Changes to user identifiers
500. In Red Hat Enterprise Linux 7, the base user identifier is now
1000. This change involves replacing the
/etc/login.defsfile during the upgrade process.
/etc/login.defsfile, the file is replaced during upgrade. The base user identifier number is changed to
1000, and new users will be allocated user identifiers at and above 1000. User accounts created before this change retain their current user identifiers and continue to work as expected.
/etc/login.defsfile, the file is not replaced during upgrade, and the base user identifier number remains at 500.
2.11.4. Changes to libuser
libuserlibrary no longer supports configurations that contain both the
filesmodules, or both the
shadowmodules. Combining these modules results in ambiguity in password handling, and such configurations are now rejected during the initialization process.
libuserto manage users or groups in LDAP, you must remove the
shadowmodules from the
create_modulesdirectives in your configuration file (
2.11.5. Changes to opencryptoki key store
Update softwareEnsure your version of opencryptoki is up to date.
# yum update -y opencryptoki
Verify the slot number of your tokenUse
pkcsconfto determine the slot number of the token. Run the following commands as root:
# pkcsconf -s # pkcsconf -tNote the slot number of your token. The slot description will end with
(CCA). The information field will identify the token as the
IBM CCA Token.
Stop interface accessStop the
pkcsslotdservice and any
# systemctl stop pkcsslotd.serviceUse the following command to identify processes to stop with the
killutility, and then terminate the appropriate processes.
# ps ax | grep pkcsslotd
Back up the data storeBefore you migrate, back up the CCA data store (the directory in which your tokens are stored, normally
/var/lib/opencryptoki/ccatok). For example, make a copy of the directory.
# cp -r /var/lib/opencryptoki/ccatok /var/lib/opencryptoki/ccatok.backup
Run the migration utilityChange to the
/var/lib/opencryptoki/ccatokdirectory and run the migration utility.
# cd /var/lib/opencryptoki/ccatok # pkcscca -m v2objectsv3 -vWhen prompted, provide your Security Officer (SO) PIN and User PIN.
Remove outdated shared memory fileRemove the
/dev/shm/var.lib.opencryptoki.ccatokfile manually, or reboot the system.
# rm /dev/shm/var.lib.opencryptoki.ccatok
Go back to an operational interface accessStart the
# systemctl start pkcsslotd.service
- Ensure you are running the commands as root, and that root is a member of the
- Ensure that the
pkcsconfutility is in either the
/usr/lib/pkcs11/methods/directory or the
- Ensure that the token data store is in the
- Ensure that you have supplied a slot number and that the slot number is correct.
- Ensure that your Security Officer (SO) PIN and User PIN are correct.
- Ensure that you have write access to the current directory.