Chapter 8. Bug fixes

This part describes bugs fixed in Red Hat Enterprise Linux 9.3 that have a significant impact on users.

8.1. Installer and image creation

The Installer now correctly processes the --proxy option of the url Kickstart command

Previously, the installer did not correctly process the --proxy option of the url Kickstart command. As a consequence, you could not use the specified proxy to fetch the installer image. With this update, the issue is fixed and the --proxy option now works as expected.


The --noverifyssl option for liveimg no longer checks the server’s certificate for images downloaded using HTTPS

Previously, the installer ignored the --noverifyssl option from the liveimg kickstart command. Consequently, if the server’s certificate could not be validated for images downloaded using the HTTPS protocol, the installation process failed. With this update, this issue has been fixed, and the --noverifyssl option of the liveimg kickstart command works as expected.


Anaconda now validates LUKS passphrases for the FIPS requirements

Previously, Anaconda did not check whether the length of LUKS passphrases satisfied the FIPS requirements, even though the underlying tools performed this check. As a consequence, installing in FIPS mode with a passphrase shorter than 8 characters caused the installer to terminate prematurely.

With this update, the installer validates and enforces the minimum passphrase length. As a result, the installer informs you if the LUKS passphrase is too short for use in FIPS mode and prevents the unexpected termination.


The new version of xfsprogs no longer shrinks the size of /boot

Previously, version 5.19 of the xfsprogs package in RHEL 9.3 caused the size of /boot to shrink. As a consequence, the available space on the /boot partition differed from that in RHEL 9.2. This fix increases the /boot partition to 600 MiB for all images, instead of 500 MiB, and the /boot partition is no longer affected by space issues.


8.2. Security

OpenSSL commands cms and smime can encrypt files in FIPS mode

Previously, the default configuration of the cms and smime OpenSSL commands used legacy encryption algorithms, such as 3DES or PKCS #1 v1.5. These algorithms are disabled in FIPS mode. As a result, encrypting files by using the smime command with the default settings did not work on systems in FIPS mode. This update introduces the following changes:

  • In FIPS mode, OpenSSL APIs create CMS data by using OAEP with RSA keys by default.
  • In FIPS mode, the cms OpenSSL command creates CMS files encrypted with aes-128-cbc and OAEP when provided RSA keys.

The use of ECDSA keys is unaffected. In non-FIPS mode, OpenSSL APIs and the cms command continue to use PKCS#1 v1.5 padding and 3DES encryption by default.

As a consequence, you can use the cms and smime OpenSSL commands in FIPS mode to encrypt files.


SELinux allows mail replication in Dovecot

You can configure the Dovecot high-performance mail delivery agent for high availability with a two-way replication set, but the SELinux policy previously did not contain rules that allow the dovecot-deliver utility to communicate over a pipe in the runtime file system. As a consequence, mail replication in Dovecot did not work. With this update, the permissions have been added to the SELinux policy, and as a result, mail replication in Dovecot works.


Booting from an NFS filesystem now works with SELinux set to enforcing mode

Previously, when using NFS as the root filesystem, SELinux labels were not forwarded from the server, causing boot failures when SELinux was set to enforcing mode.

With this fix, SELinux correctly flags NFS mounts created before the initial SELinux policy load as supporting security labels. As a result, the NFS mount now forwards SELinux labels between the server and the client, and the boot can succeed with SELinux set to enforcing mode.


rabbitmq no longer fails with IPv6

Previously, when you deployed the rabbitmq server with IPv6 enabled, the inet_gethost command tried to access the /proc/sys/net/ipv6/conf/all/disable_ipv6 file. Consequently, the system denied access to /proc/sys/net/ipv6/conf/all/disable_ipv6. With this update, the system can read /proc/sys/net/ipv6/conf/all/disable_ipv6, and rabbitmq now works with IPv6.


Registration to Insights through cloud-init is no longer blocked by SELinux

Previously, the SELinux policy did not contain a rule that allows the cloud-init script to run the insights-client service. Consequently, an attempt to run the insights-client --register command by the cloud-init script failed. With this update, the missing rule has been added to the policy, and you can register to Insights through cloud-init with SELinux in enforcing mode.


Users in the staff_r SELinux role can now run scap_workbench probes

Previously, the selinux-policy packages did not contain the rules that users in the staff_r SELinux role require to run the scap-workbench utility. Consequently, scap-workbench probes failed when run by a user in the staff_r SELinux role. With this update, the missing rules have been added to selinux-policy, and SELinux users in the staff_r role can now run scap_workbench probes.


Permissions for insights-client added to the SELinux policy

The insights-client service requires permissions that were not in the previous versions of the selinux-policy. As a consequence, some components of insights-client did not work correctly and reported access vector cache (AVC) error messages. This update adds new permissions to the SELinux policy. As a result, insights-client runs correctly without reporting AVC errors.

Jira:RHELPLAN-163014[1], Bugzilla:2224737, Bugzilla:2214581, Bugzilla:2190178, Bugzilla:2207894

Keylime allowlist generation script updated

The Keylime script generates an allowlist for the Keylime policy. In RHEL 9.3, it was replaced with the script, which failed when trying to convert the allowlist to the JSON runtime policy.

With this update, the script was reverted to Now, you can combine the allowlist and excludelist into the JSON runtime policy by using the keylime_create_policy script.


Environment variables can override Keylime agent options with underscores

Previously, when a Keylime agent configuration option name contained an underscore (_), overriding this option through environment variables did not work. With this update, the override through environment variables works correctly even when an option name contains an underscore.


Keylime registrar correctly identifies IPv6 addresses

Previously, the Keylime registrar did not correctly recognize IPv6 addresses, and therefore failed to bind its listening port. With this update, the registrar properly identifies IPv6 addresses and, consequently, binds to its port correctly.


Keylime agent correctly handles IPv6 addresses

Previously, when registering a Keylime agent by using an IPv6 address not enclosed in brackets, [ ], the keylime_tenant utility failed with an error. With this update, keylime_tenant handles IPv6 addresses correctly even when they are not enclosed in brackets.


Keylime no longer fails measured boot attestation due to new events in QEMU VMs

An update of the edk2-ovmf package introduced a new type of events in the measured boot log for virtual systems operated by QEMU. These events caused failures in Keylime measured boot attestation. With this update, Keylime handles these events correctly.


Keylime webhook notifier correctly terminates TLS sessions

Previously, the Keylime webhook notifier did not correctly close TLS sessions, which caused warnings to be reported on the listener side. This update fixes the issue, and the webhook notifier now correctly terminates TLS sessions.


gpg-agent now works as an SSH agent in FIPS mode

Previously, the gpg-agent tool created MD5 fingerprints when adding keys to the ssh-agent program even though FIPS mode disabled the MD5 digest. As a consequence, the ssh-add utility failed to add the keys to the authentication agent.

With this release, gpg-agent no longer uses MD5 checksums. As a result, gpg-agent now works as an SSH authentication agent also on systems running in FIPS mode.


tangd-keygen now handles non-default umask correctly

Previously, the tangd-keygen script did not change file permissions for generated key files. Consequently, on systems with a default user file-creation mode mask (umask) that prevents other users from reading the keys, the tang-show-keys command returned the error message Internal Error 500 instead of displaying the keys. With this update, tangd-keygen sets file permissions for generated key files, and therefore the script now works correctly on systems with a non-default umask.


fapolicyd service no longer runs programs that are removed from the trusted database

Previously, the fapolicyd service incorrectly handled a program as trusted even after it was removed from the trusted database. As a result, entering the fapolicyd-cli --update command had no effect, and the program could be executed even after being removed. With this update, the fapolicyd-cli --update command correctly updates the trusted programs database, and removed programs can no longer be executed.


fapolicyd no longer causes the system to hang after mount and umount

Previously, when the mount or umount actions were run twice followed by the fapolicyd-cli --update command, the fapolicyd service might enter an endless loop. As a result, the system stopped responding. With this update, the service runs the fapolicyd-cli --update command correctly, and the service handles any number of mount or umount actions.


Keylime now accepts concatenated PEM certificates

Previously, when Keylime received a certificate chain as multiple certificates in the PEM format concatenated in a single file, the keylime-agent-rust Keylime component produced a TLS handshake failure. As a consequence, the client components (keylime_verifier and keylime_tenant) could not connect to the Keylime agent. With this update, keylime-agent-rust correctly handles multiple certificates including intermediary CA certificates. As a result, you can now use concatenated PEM certificates with Keylime.


Rsyslog can start even without capabilities

When Rsyslog is executed as a normal user or in a containerized environment, the rsyslog process has no capabilities. Consequently, Rsyslog in this scenario could not drop capabilities and exited at startup. With this update, the process no longer attempts to drop capabilities if it has no capabilities. As a result, Rsyslog can start even when it has no capabilities.


io_uring now works without SELinux denials

Previously, the io_uring kernel interface missed the map permission in the SELinux policy. Consequently, the mmap system call failed and the io_uring interface did not work properly. With this update, the map permissions have been allowed in SELinux policy and the interface now works without SELinux denials.


oscap-anaconda-addon can now harden Network Servers for CIS

Previously, installing RHEL Network Servers with a CIS security profile (cis, cis_server_l1, cis_workstation_l1, or cis_workstation_l2) was not possible with the Network Servers package group selected. This problem is fixed by excluding the tftp package in oscap-anaconda-addon-2.0.0-17.el9 provided with RHEL 9.3. As a consequence, you can install CIS-hardened RHEL Network Servers with the Network Servers package group.


Rules checking home directories apply only to local users

Multiple compliance profiles provided by the scap-security-guide package contain the following rules that check the correct configuration of user home directories:

  • accounts_umask_interactive_users
  • accounts_user_dot_group_ownership
  • accounts_user_dot_user_ownership
  • accounts_user_interactive_home_directory_exists
  • accounts_users_home_files_groupownership
  • accounts_users_home_files_ownership
  • accounts_users_home_files_permissions
  • file_groupownership_home_directories
  • file_ownership_home_directories
  • file_permissions_home_directories

These rules correctly check the configuration of local users. Previously, the scanner also incorrectly checked the configuration of remote users provided by network sources such as NSS even though the remediation scripts could not change remote users’ configuration. This was because the OpenSCAP scanner previously used the getpwent() system call. This update changes the internal implementation of these rules to depend only on the data from the /etc/passwd file. As a result, the rules now apply only to the local users’ configuration.


Password age rules apply only to local users

Some compliance profiles, for example CIS and DISA STIG, contain the following rules checking password age and password expiration of user account passwords:

  • accounts_password_set_max_life_existing
  • accounts_password_set_min_life_existing
  • accounts_password_set_warn_age_existing
  • accounts_set_post_pw_existing

These rules correctly check the configuration of local users. Previously, the scanner also incorrectly checked the configuration of remote users provided by network sources such as NSS even though the remediation scripts could not change remote users’ configuration. This was because the OpenSCAP scanner previously used the getpwent() system call.

This update changes the internal implementation of these rules to depend only on the data from the /etc/shadow file. As a result, the rules now apply only to the local users’ configuration.
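Both of the preceding fixes draw the same line: a rule whose remediation can only edit local files must also evaluate only local files. The following shell script is an added example, not scap-security-guide or OpenSCAP code, of the home-directory permission check and the maximum password age check evaluated against passwd- and shadow-format files only, so accounts that exist solely in NSS sources such as LDAP or SSSD are never reported. The file paths, the 365-day limit, the use of GNU stat -c %A and every sample user are assumptions or constructed data:

```shell
#!/bin/sh
# Added example, not scap-security-guide or OpenSCAP code: evaluate the
# home-directory permission rules and the password maximum-age rule for local
# accounts only. Reading /etc/passwd and /etc/shadow directly (instead of
# getpwent()/getent) means users served by NSS sources never appear in the
# results. Assumes GNU stat (-c %A); all file paths and users are constructed.

# Print "name:uid:home" for local interactive users: UID >= 1000 with a real
# login shell, which is the population the home-directory rules cover.
local_interactive_users() {  # $1 = passwd-format file
    awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $6 }' "$1"
}

# Print "name mode" for home directories that are group-writable or give any
# access to others (CIS expects 750 or stricter). $2 prefixes the home paths
# so the check can run against a staged tree instead of the live system.
check_home_permissions() {  # $1 = passwd-format file, $2 = root prefix
    local_interactive_users "$1" | while IFS=: read -r name uid home; do
        dir=$2$home
        [ -d "$dir" ] || continue               # a missing home is a separate rule
        sym=$(stat -c %A "$dir")                # e.g. drwxr-xr-x
        case $sym in
            ?????w????) echo "$name $sym" ;;    # group write bit set
            ???????---) ;;                      # no access for others: compliant
            *)          echo "$name $sym" ;;    # others have some access
        esac
    done
}

# Print "name:maxdays" for accounts with a usable password whose maximum
# password age is unset or longer than $2 days. Locked (! or *) and empty
# password fields are skipped, as the existing-accounts rules do.
check_password_max_days() {  # $1 = shadow-format file, $2 = limit in days
    awk -F: -v limit="$2" '
        $2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > limit) { print $1 ":" $5 }
    ' "$1"
}

# Build a constructed fixture (two compliant and two non-compliant entries)
# and print its directory.
make_fixture() {
    work=$(mktemp -d) || return 1
    cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
svc:x:990:990::/var/lib/svc:/sbin/nologin
EOF
    cat > "$work/shadow" <<'EOF'
root:$6$constructedhash:19600:0:99999:7:::
alice:$6$constructedhash:19600:0:365:7:::
bob:$6$constructedhash:19600:0:99999:7:::
svc:!!:19600::::::
EOF
    mkdir -p "$work/root/home/alice" "$work/root/home/bob"
    chmod 700 "$work/root/home/alice"
    chmod 755 "$work/root/home/bob"             # world-readable: must be flagged
    echo "$work"
}

fixture=$(make_fixture)
echo "home-directory violations:"
check_home_permissions "$fixture/passwd" "$fixture/root"    # bob drwxr-xr-x
echo "password max-age violations (limit 365 days):"
check_password_max_days "$fixture/shadow" 365               # root:99999, bob:99999
rm -rf "$fixture"
```

Replacing the awk calls with getent passwd or getent shadow would reintroduce exactly the behaviour the update removed: remote accounts would be reported, and the remediation would still be unable to change them.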


Red Hat CVE feeds have been updated

The version 1 of Red Hat Common Vulnerabilities and Exposures (CVE) feeds at has been sunset and replaced by the version 2 of the CVE feeds located at

Consequently, the links in SCAP source data streams provided by the scap-security-guide package have been updated to link to the new version of the Red Hat CVE feeds.


Rules related to journald configuration no longer add extra quotes

Previously, the SCAP Security Guide rules journald_compress, journald_forward_to_syslog, and journald_storage contained a bug in the remediation script that added extra quotes to the respective configuration options in the /etc/systemd/journald.conf configuration file. Consequently, the journald system service failed to parse the configuration options and ignored them, so the options were not effective. This caused false pass results in OpenSCAP scans. With this update, the rules and remediation scripts no longer add the extra quotes. As a result, these rules now produce a valid configuration for journald.
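The failure mode here is that journald reads KEY=value lines literally, so Compress="yes" is not the boolean yes and is discarded, while a scanner that only looks for the key still reports a pass. The following shell script is an added example, not the scap-security-guide remediation itself, of setting a journald option idempotently with a bare value and of checking for the quoted form; the configuration file is constructed and the helpers assume a single [Journal] section:

```shell
#!/bin/sh
# Added example, not the scap-security-guide remediation: set a journald
# option idempotently and write the value bare. journald takes KEY=value
# lines literally, so a quoted value such as Compress="yes" is not the
# boolean "yes" and is rejected. The configuration file used below is
# constructed; the helpers assume a single [Journal] section.

# Replace the first existing (active or commented-out) line for KEY with
# KEY=VALUE, or append it, writing the value without quotes.
set_journald_option() {  # $1 = key, $2 = value, $3 = file
    awk -v key="$1" -v value="$2" '
        !done && $0 ~ ("^[#[:space:]]*" key "=") { print key "=" value; done = 1; next }
        { print }
        END { if (!done) print key "=" value }
    ' "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# Print the effective value of KEY (last active assignment wins, as in
# journald), or nothing when the key is unset.
journald_option_value() {  # $1 = key, $2 = file
    awk -F= -v key="$1" '$1 == key { v = $2 } END { print v }' "$2"
}

# Succeed only if the value carries no surrounding quotes, i.e. it is the
# form journald actually parses.
journald_value_is_bare() {
    case $1 in
        '"'*|"'"*|*'"'|*"'") return 1 ;;
        *) return 0 ;;
    esac
}

# Demonstration on a constructed file: two commented defaults and one value
# that an earlier, buggy remediation left quoted.
conf=$(mktemp)
printf '[Journal]\n#Storage=auto\n#Compress=yes\nForwardToSyslog="no"\n' > "$conf"
journald_value_is_bare "$(journald_option_value ForwardToSyslog "$conf")" \
    || echo "before: ForwardToSyslog is quoted and would be ignored by journald"
set_journald_option Storage persistent "$conf"
set_journald_option Compress yes "$conf"
set_journald_option ForwardToSyslog yes "$conf"
cat "$conf"          # [Journal] / Storage=persistent / Compress=yes / ForwardToSyslog=yes
rm -f "$conf"
```

Running set_journald_option a second time with the same key leaves the file unchanged, which is the property a remediation needs when a scan-and-fix cycle is repeated.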


Files under /var/lib/fdo now get the correct SELinux label

Previously, there was a security issue that allowed the FDO process to access the entire host. With this update, by using the service-info-api server with SELinux, you can add any file to send to the device under the /var/lib/fdo directory, and, as a consequence, the files under /var/lib/fdo now get the correct SELinux label.


8.3. Subscription management

subscription-manager no longer retains nonessential text in the terminal

Starting with RHEL 9.1, subscription-manager displays progress information while processing any operation. Previously, for some languages, typically non-Latin, progress messages did not clean up after the operation finished. With this update, all the messages are cleaned up properly when the operation finishes.

If you have disabled the progress messages before, you can re-enable them by entering the following command:

# subscription-manager config --rhsm.progress_messages=1


8.4. Software management

The dnf needs-restarting -s command now correctly displays the list of systemd services

Previously, when you used the needs-restarting command with the -s or --services option, an error occurred when a non-systemd or malfunctioning process was detected. With this update, the dnf needs-restarting -s command ignores such processes and displays a warning instead with the list of affected systemd services.


The dnf-automatic command now correctly reports the exit status of transactions

Previously, the dnf-automatic command returned a successful exit code of a transaction even if some actions during this transaction were not successfully completed. This could cause a security risk on machines that use dnf-automatic for automatic deployment of errata. With this update, the issue has been fixed and dnf-automatic now reports every problem with packages during the transaction.


Installing packages with IMA signatures on file systems without extended file attributes no longer fails

Previously, RPM tried to apply IMA signatures to files even if they did not support these signatures. As a consequence, package installation failed. With this update, RPM skips applying IMA signatures. As a result, package installation no longer fails.


8.5. Shells and command-line tools

The rsyslog logging service now starts at boot of the rescue system

Previously, the rsyslog service for message logging did not automatically start in the rescue system. The /dev/log socket kept receiving messages during the recovery process with no service listening at this socket. Consequently, the /dev/log socket was filled with messages and caused the recovery process to be stuck. For example, the grub2-mkconfig command to regenerate the GRUB configuration produces a high amount of log messages depending on the number of mounted file systems. If you used ReaR to recover systems with many mounted file systems, numerous log messages would fill the /dev/log socket, and the recovery process froze.

With this fix, the systemd units in the rescue system now include the sockets target in the boot procedure to start the logging socket at boot. As a result, the rsyslog service starts in the rescue environment when required, and the processes that need to log messages during recovery are no longer stuck. The recovery process completes successfully and you can find the log messages in the /var/log/messages file in the rescue RAM disk.


The which command no longer fails for a long path

Previously, when you executed the which command in a directory with a path longer than 256 characters, the command failed with the Can’t get current working directory error message. With this fix, the which command now uses the PATH_MAX value for the path length limit. As a result, the command no longer fails.


ReaR now supports UEFI Secure Boot with OUTPUT=USB

Previously, the OUTPUT=USB ReaR output method, which stores the rescue image on a bootable disk drive, did not respect the SECURE_BOOT_BOOTLOADER setting. Consequently, on systems with UEFI Secure Boot enabled, the disk with the rescue image would not boot because the bootloader was not signed.

With this fix, the OUTPUT=USB ReaR output method now uses the bootloader that you specify in the SECURE_BOOT_BOOTLOADER setting when creating the rescue disk. To use the signed UEFI shim bootloader, change the following setting in the /etc/rear/local.conf file:


As a result, the rescue disk is bootable when UEFI Secure Boot is enabled. It is safe to set the variable to this value on all systems with UEFI, even when Secure Boot is not enabled. It is even recommended for consistency. For details about the UEFI boot procedure and the shim bootloader, see UEFI: what happens when booting the system.


System recovered by ReaR no longer fails to mount all VG logical volumes

The /etc/lvm/devices/system.devices file represents the Logical Volume Manager (LVM) system devices and controls device visibility and usability to LVM. By default, the system.devices feature is enabled in RHEL 9 and when active, it replaces the LVM device filter.

Previously, when you used ReaR to recover the systems to disks with hardware IDs different than those the original system used, the recovered system did not find all LVM volumes and failed to boot. With this fix, if ReaR finds the system.devices file, ReaR moves this file to /etc/lvm/devices/system.devices.rearbak at the end of recovery. As a result, the recovered system does not use the LVM devices file to restrict device visibility and the system finds the restored volumes at boot.

Optional: If you want to restore the default behavior and regenerate the LVM devices file, use the vgimportdevices -a command after booting the recovered system and connecting all disk devices needed for a normal operation, in case you disconnected any disks before the recovery process.


8.6. Networking

Intel Corporation I350 Gigabit Fiber Network Connection now provides a link after kernel update

Previously, hardware configurations with Small Form-factor Pluggable (SFP) transceiver modules without an External Thermal Sensor (ETS) caused the igb driver to erroneously initialize the Inter-Integrated Circuit (I2C) bus to read the ETS. As a consequence, connections did not obtain links. With this bug fix, the igb driver initializes I2C only when an SFP module with ETS is available. As a result, connections obtain links.


The nm-cloud-setup service no longer removes manually-configured secondary IP addresses from interfaces

Based on the information received from the cloud environment, the nm-cloud-setup service configured network interfaces. While you had the option to disable nm-cloud-setup for manual interface configuration, certain scenarios led to conflicts. In some cases, other services on the host would independently configure interfaces, including the addition of secondary IP addresses. nm-cloud-setup incorrectly removed these secondary IP addresses when triggered again by the systemd timer unit. This update for the NetworkManager package fixes the problem. You only need to wait for the systemd timer unit to trigger nm-cloud-setup. If you do not want to wait for the timer, you can enable nm-cloud-setup manually with the following command:

# systemctl enable nm-cloud-setup.service

As a result, nm-cloud-setup no longer removes manually-configured secondary IP addresses from interfaces.


The xdp-loader features command has been fixed

The xdp-loader features command has been fixed with this version of xdp-tools and can now correctly display the available XDP features of an interface.


8.7. Kernel

RHEL previously failed to recognize NVMe disks when VMD was enabled

When you reset or reattached a driver, the Volume Management Device (VMD) domain previously did not soft-reset. Consequently, the hardware could not properly detect and enumerate its devices. With this update, the operating system with VMD enabled now correctly recognizes NVMe disks, especially when resetting a server or working with a virtual machine.


8.8. Boot loader

GRUB now correctly handles non-debug kernel variants

Previously, in systems with multiple kernel RPMs installed, entering the dnf install kernel-$VERSION or dnf update commands set the last-installed kernel as the default kernel. This occurred, for example, in systems with the standard kernel and real-time kernel on AMD and Intel 64-bit architectures, or kernel (4k) and kernel-64k on 64-bit ARM architecture. As a consequence, the system could boot into the undesired kernel on future reboots. With this update, GRUB uses the DEFAULTKERNEL variable in the /etc/sysconfig/kernel configuration file, and the default kernel remains the proper variant and latest version.

For more information, see the Changing the default kernel in Red Hat Enterprise Linux 8 & 9 solution.


8.9. File systems and storage

The lpfc driver is in a valid state during the D_ID port swap

Previously, the SAN Boot host, after issuing the NetApp giveback operation, resulted in LVM hung task warnings and stalled I/O. This problem occurred even when alternate paths were available in a DM-Multipath environment due to the fiber channel D_ID port swap. As a consequence of the race condition, the D_ID port swap resulted in an inconsistent state in the lpfc driver, which prevented I/O from being issued.

With this fix, the lpfc driver now ensures a valid state when the D_ID port swap occurs. As a result, a fiber channel D_ID port swap does not cause hung I/O.


multipathd adds the persistent reservation registration key to all paths

Previously, when the multipathd daemon started and recognized a registration key for the persistent reservations on one path of an existing multipath device, not all paths of that device had the registration key. As a consequence, if new paths to a multipath device with persistent reservations appeared while multipathd was stopped, persistent reservations were not set up on those paths. This allowed I/O processing on the paths, even if it was supposed to be forbidden by the reservation key.

With this fix, if multipathd finds a persistent reservation registration key on any device path, it adds the key to all active paths. As a result, multipath devices now have persistent reservations set up correctly on all the paths, even if path devices first appear while multipathd is not running.


LUNs are now visible during the OS installation

Previously, the system was not using the authentication information from firmware sources, specifically in cases involving iSCSI hardware offload with CHAP (Challenge-Handshake Authentication Protocol) authentication stored in the iSCSI iBFT (Boot Firmware Table). As a consequence, the iSCSI login failed during installation.

With the fix to firmware authentication in udisks2-2.9.4-9.el9, this issue is now resolved, and LUNs are visible during the installation and initial boot.


8.10. High availability and clusters

The pcs config checkpoint diff command now works correctly for all configuration sections

As of the RHEL 9.0 release, the pcs config checkpoint diff command had stopped showing the differences for the following configuration sections: Fencing Levels, Ordering Constraints, Colocation Constraints, Ticket Constraints, Resources Defaults, and Operations Defaults. As of the RHEL 9.1 release, the pcs config checkpoint diff command had stopped showing the differences for the Resources and Stonith devices configuration sections. This is because as the code responsible for displaying each of the different configuration sections switched to a new mechanism for loading CIB files, the loaded content was cached. The second file used for the difference comparison was not loaded and the cached content of the first file was used instead. As a result, the diff command yielded no output. With this fix, the CIB file content is no longer cached and the pcs config checkpoint diff command shows differences for all configuration sections.


pcsd Web UI now displays cluster status when fence levels are configured

Previously, the pcsd Web UI did not display cluster status when fence levels were configured. With this fix, you can now view the cluster status and change the cluster settings with the Web UI when fence levels are configured.


A fence watchdog configured as a second fencing device now fences a node when the first device times out

Previously, when a watchdog fencing device was configured as the second device in a fencing topology, the watchdog timeout would not be considered when calculating the timeout for the fencing operation. As a result, if the first device timed out the fencing operation would time out even though the watchdog would fence the node. With this fix, the watchdog timeout is included in the fencing operation timeout and the fencing operation succeeds if the first device times out.


Location constraints with rules no longer displayed when listing is grouped by nodes

Location constraints with rules cannot have a node assigned. Previously, when you grouped the listing by nodes, location constraints with rules were displayed under an empty node. With this fix, the location constraints with rules are no longer displayed and a warning is given indicating that constraints with rules are not displayed.


pcs command to update multipath SCSI devices now works correctly

Due to changes in the Pacemaker CIB file, the pcs stonith update-scsi-devices command stopped working as designed, causing an unwanted restart of some cluster resources. With this fix, this command works correctly and updates SCSI devices without requiring a restart of other cluster resources running on the same node.


Memory footprint of pcsd-ruby daemon now reduced when pcsd Web UI is open

Previously, when the pcsd Web UI was open, memory usage of the pcsd-ruby daemon increased steadily over the course of several hours. With this fix, the web server that runs in the pcsd-ruby daemon now periodically performs a graceful restart. This frees the allocated memory and reduces the memory footprint.


The azure-events-az resource agent no longer produces an error with Pacemaker 2.1 and later

The azure-events-az resource agent executes the crm_simulate -Ls command and parses the output. With Pacemaker 2.1 and later, the output of the crm_simulate command no longer contains the text Transition Summary:, which resulted in an error. With this fix, the agent no longer yields an error when this text is missing.


The mysql resource agent now works correctly with promotable clone resources

Previously, the mysql resource agent moved cloned resources that were operating in a Promoted role between nodes, due to promotion scores changing between promoted and non-promoted values. With this fix, a node in a Promoted role remains in a Promoted role.


The fence_scsi agent is now able to auto-detect shared lvmlockd devices

Previously, the fence_scsi agent did not auto-detect shared lvmlockd devices. With this update, fence_scsi is able to auto-detect lvmlockd devices when the devices attribute is not set.


8.11. Compilers and development tools

The glibc system() function now restores the previous signal mask unconditionally

Previously, if the glibc system() function was called concurrently from multiple threads, the signal mask for the SIGCHLD signal might not be restored correctly. As a consequence, the SIGCHLD signal remained blocked after the return from the glibc system() function on some threads.

With this update, the glibc system() function now restores the previous signal mask unconditionally, even when parallel system() function calls are running. As a result, the SIGCHLD signal is no longer incorrectly blocked if the glibc system() function is called concurrently from multiple threads.


eu-addr2line -C now correctly recognizes other arguments

Previously, when you used the -C argument in eu-addr2line command from elfutils, the following single character argument disappeared. Consequently, the eu-addr2line -Ci command behaved the same way as eu-addr2line -C while eu-addr2line -iC worked as expected. This bug has been fixed, and eu-addr2line -Ci now recognizes both arguments.


eu-addr2line -i now correctly handles code compiled with GCC link-time optimization

Previously, the dwarf_getscopes function from the libdw library included in elfutils was unable to find an abstract origin definition of a function that was compiled with GCC link-time optimization. Consequently, when you used the -i argument in the eu-addr2line command, eu-addr2line was unable to show inline functions for code compiled with gcc -flto. With this update, the libdw dwarf_getscopes function looks in the correct compile unit for the inlined scope, and eu-addr2line -i works as expected.


Programs using papi no longer abort when shutting down

Previously, papi initialized threads before papi initialized some components. Because of this, entries for certain components describing the number of elements in arrays were not set to correct values and zero-sized memory allocations were attempted. As a consequence, later accesses and frees of those zero-sized memory allocations caused the programs to abort.

The bug has been fixed and programs using papi no longer abort when shutting down.


The OpenJDK XML signature provider is now functional in FIPS mode

Previously, the OpenJDK XML signature provider was unable to operate in FIPS mode. As a result of enhancements to the FIPS mode support, the OpenJDK XML signature provider is now enabled in FIPS mode.


8.12. Identity Management

Paged searches from a regular user now do not impact performance

Previously, when Directory Server was under search load, paged searches from a regular user could degrade server performance because a lock conflicted with the thread that polls for network events. In addition, if a network issue occurred while a paged search was being sent, the whole server was unresponsive until the nsslapd-iotimeout timeout expired. With this update, the lock was split into several parts to avoid contention with the network event thread. As a result, paged searches from a regular user no longer impact performance.


Schema replication now works correctly in Directory Server

Previously, when Directory Server replicated its schema to a new server, it added the complete schema to the 99user.ldif file on the remote replica. All of it then appeared to be custom schema, because the X-ORIGIN keyword was set to user defined for every definition. As a result, this could cause issues with the web console and for customers who monitor the schema and expect the X-ORIGIN keyword to have specific values. With this update, schema replication works as expected.


Referral mode is now working correctly in Directory Server

Previously, the CLI set the nsslapd-referral configuration attribute on the backend entry instead of on the mapping tree entry. As a result, referral mode did not work. With this update, the nsslapd-referral attribute is set on the correct entry, and referral mode works as expected.


The LMDB import now works faster

Previously, to build the entryrdn index, LMDB import worker threads waited for other worker threads to ensure that the parent entry had been processed. This generated lock contention that drastically slowed the import. With this update, the LDIF import over the LMDB database was redesigned: the provider thread stores the data about the entry RDN and its parents in a temporary database that the worker threads use to build the entryrdn index. As a result, worker thread synchronization is no longer needed and the average import rate is better.

Note that the LMDB import still has an import rate three times slower than the BDB import because LMDB does not support concurrent write transactions.


The dirsrv service now starts correctly after reboot

Previously, the dirsrv service could fail to start after a reboot because it did not explicitly wait for systemd-tmpfiles-setup.service to finish, which led to a race condition. With this update, the dirsrv service waits for systemd-tmpfiles-setup.service to finish and no longer fails to start after a reboot.


Changing a security parameter now works correctly

Previously, when you changed a security parameter by using the dsconf instance_name security set command, the operation failed with the error:

Name 'log' is not defined

With this update, the security parameter change works as expected.


SSSD now uses sAMAccountName when evaluating GPO-based access control

Previously, if ldap_user_name was set to a value other than sAMAccountName on an AD client, GPO-based access control failed. With this update, SSSD now always uses sAMAccountName when evaluating GPO-based access control. Even if ldap_user_name is set to a value different from sAMAccountName on an AD client, GPO-based access control now works correctly.


SSSD now handles duplicate attributes in the user_attributes option when retrieving users

Previously, if sssd.conf contained duplicate attributes in the user_attributes option, SSSD did not handle these duplicates correctly. As a consequence, users with those attributes could not be retrieved. With this update, SSSD now handles duplicates correctly. As a result, users with duplicate attributes can now be retrieved.


The dynamic Kerberos PAC ticket signature enforcement mechanism now fixes cross-version incompatibility in IdM

Previously, if your Identity Management (IdM) deployment featured servers running on both RHEL 9 and RHEL 8, the incompatibility caused by the upstream implementation of the Privilege Attribute Certificate (PAC) ticket signature support caused certain operations to fail. With this update, the implementation of the dynamic ticket signature enforcement mechanism feature in RHEL 9 fixes this cross-version incompatibility. For this feature to actually take effect, you must:

  1. Update all the servers in the domain.
  2. Restart all the IdM Kerberos Key Distribution Center (KDC) services.

The order of these two actions is important. When starting, the KDCs query the metadata of all the other servers in the domain to check if they all support the PAC ticket signature. If this is not the case, the signature will not be enforced.

For more information about the dynamic Kerberos PAC ticket signature enforcement mechanism, including an example of a constrained delegation request, see this Knowledgebase article.

Jira:RHELDOCS-17011[1], Bugzilla:2182683, Bugzilla:2178298

Deleting the IdM admin user is now no longer permitted

Previously, nothing prevented you from deleting the Identity Management (IdM) admin user if you were a member of the admins group. The absence of the admin user caused the trust between IdM and Active Directory (AD) to stop functioning correctly. With this update, you can no longer delete the admin user. As a result, the IdM-AD trust works correctly.


The IdM client installer no longer specifies the TLS CA configuration in the ldap.conf file

Previously, the IdM client installer wrote the TLS CA configuration into the ldap.conf file. With this update, OpenLDAP uses the system default trust store, and the IdM client installer no longer sets the TLS CA configuration in the ldap.conf file.


8.13. The web console

The web console NBDE binding steps now work also on volume groups with a root file system

In RHEL 9.2, due to a bug in the code that determined whether the user was adding a Tang key to the root file system, the binding process in the web console crashed when there was no file system on the LUKS container at all. Because the web console displayed the error message TypeError: Qe(…) is undefined after you clicked the Trust key button in the Verify key dialog, you had to perform all the required steps in the command-line interface in this scenario.

With this update, the web console correctly handles additions of Tang keys to root file systems. As a result, the web console finishes all binding steps required for the automated unlocking of LUKS-encrypted volumes using Network-Bound Disk Encryption (NBDE) in various scenarios.


VNC console now works at most resolutions

Previously, when using the Virtual Network Computing (VNC) console under certain display resolutions, a mouse offset problem was present or only a part of the interface was visible. Consequently, using the VNC console was not possible.

With this update, the problem has been fixed and the VNC console works correctly at most resolutions, with the exception of ultra high resolutions, such as 3840x2160.

Note that a small offset between the recorded and displayed positions of the cursor might still be present. However, this does not significantly impact the usability of the VNC console.


8.14. Red Hat Enterprise Linux System Roles

The storage role can now resize the mounted file systems without unmounting

Previously, the storage role was unable to resize mounted devices, even if the file system supported online resizing. As a consequence, the storage role unmounted all file systems prior to resizing, which failed for file systems that were in use, for example, while resizing the / directory of the running system.

With this update, the storage role now supports resizing mounted file systems that support online resizing such as XFS and Ext4. As a result, the mounted file systems can now be resized without unmounting them.


The podman_registries_conf variable now configures unqualified-search-registries field correctly

Previously, after you configured the podman_registries_conf variable, the podman RHEL System Role failed. Consequently, the unqualified-search-registries = [""] setting was not generated in the /etc/containers/registries.conf.d/50-systemroles.conf file. With this update, this problem has been fixed.


The kdump role adds authorized_keys idempotently

Previously, the task that added an authorized_key appended an extra newline character on every run. Consequently, the role was not idempotent. With this fix, adding a new authorized_key works correctly and adds only a single key value, idempotently.


The kdump system role does not fail if kdump_authorized_keys is missing

Previously, the kdump system role failed to add SSH authorized keys if the user defined in the kdump_ssh_user variable did not have an accessible .ssh directory in the home directory, or if the .ssh/authorized_keys file was empty. With this fix, the kdump system role correctly adds authorized keys to the SSH configuration. As a result, key-based authentication works reliably in the described scenario.


Failure to remove data from member disks before creation no longer persists

Previously, when creating RAID volumes, the storage role did not reliably remove existing data from member disks before forming the RAID volume. With this update, RAID volumes remove any pre-existing data from member disks as needed.


Running the firewall RHEL System Role in check mode with non-existent services no longer fails

Previously, running the firewall role in check mode with non-existent services failed. This fix brings the role into better compliance with Ansible best practices for check mode. As a result, enabling or disabling a non-existent service no longer fails the role in check mode. Instead, a warning prompts you to confirm that the service is defined in a previous playbook.


The firewall RHEL System Role on RHEL 7 no longer attempts to install non-existent Python packages

Previously, when the firewall role on RHEL 7 was called from another role, and that role was using python3, the firewall role attempted to install the python3-firewall library for that version of Python. However, that library is not available in RHEL 7. Consequently, the python3-firewall library was not found, and you received the following error message:

No package matching 'python3-firewall' found available, installed or updated

With this update, the firewall role does not attempt to install the python-firewall or python3-firewall library. As a result, the firewall role does not fail on RHEL 7 when python3 is installed on the managed node.


kdump RHEL System Role updates

The kdump RHEL System Role has been updated to a newer version, which brings the following notable enhancements:

  • After installing kexec-tools, the utility suite no longer generates the /etc/sysconfig/kdump file because you do not need to manage this file anymore.
  • The role supports the auto_reset_crashkernel and dracut_args variables.

For more details, see resources in the /usr/share/doc/rhel-system-roles/kdump/ directory.


Insights tags created by using the rhc role are now applied correctly

Previously, when you created Insights tags by using the rhc role, tags were not stored in the correct file. Consequently, tags were not sent to Insights and as a result they were not applied to the systems in the Insights inventory.

With this fix, tags are stored correctly and applied to the systems present in the Insights inventory.


raid_chunk_size parameter no longer returns an error message

Previously, raid_chunk_size attribute was not allowed for RAID pools and volumes. With this update, you can now configure the raid_chunk_size attribute for RAID pools and volumes without encountering any restrictions.


The certificate RHEL System Role now checks for the certificate key size when determining whether to perform a new certificate request

Previously, the certificate RHEL System Role did not check the key size of a certificate when evaluating whether to request a new certificate. As a consequence, the role sometimes did not issue new certificate requests in cases where it should have. With this update, the certificate role checks the key_size parameter to determine whether a new certificate request should be performed.


The kdump role adds multiple keys to authorized_keys idempotently

Previously, adding multiple SSH keys to the authorized_keys file at the same time replaced the key value of one host with that of another. This update fixes the problem by using the lineinfile module to manage the authorized_keys file. lineinfile runs the tasks in sequence, checking for an existing key and writing the new key in one atomic operation, on a single host at a time. As a result, adding SSH keys from multiple hosts works correctly and no longer replaces the key value of another host.

Note: Use the serial: 1 keyword at play level to control the number of hosts executing at one time.


The kdump role successfully updates .ssh/authorized_keys for kdump_ssh_server authentication

Previously, the .ssh directory was not accessible to the kdump role, so it could not securely set up authentication for users logging in to kdump_ssh_server. As a consequence, the kdump role did not update the .ssh/authorized_keys file, and SSH authentication to kdump_ssh_server failed. This update fixes the problem. As a result, kdump_ssh_user authentication on kdump_ssh_server works reliably.
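
The four kdump entries above (the extra newline on every run, the missing .ssh directory or empty file, one host's key overwriting another's, and the inaccessible .ssh directory) all describe the same task going wrong: placing a key in authorized_keys idempotently. The following is an added example of how such a task has to behave; it is not the kdump role's own code and it makes two assumptions of its own: keys are compared on their type and base64 material only, so a changed comment is not a second key, and an advisory file lock serialises writers that race on the same file.

```python
"""Idempotent authorized_keys management for a dump target user.

Added example for the kdump role fixes described above; not Red Hat code.
"""
import fcntl
import os
from pathlib import Path


def key_identity(line):
    """Return (keytype, base64) for an OpenSSH public key line, or None for
    blank, comment and unparseable lines. Option prefixes such as
    'command="/usr/bin/true" ssh-ed25519 AAAA...' are tolerated by scanning for
    the first token that looks like a key type."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, tok in enumerate(fields):
        if tok.startswith(("ssh-", "ecdsa-sha2-", "sk-")) and i + 1 < len(fields):
            return (tok, fields[i + 1])
    return None


def add_authorized_key(home, pubkey, ssh_dir_mode=0o700, file_mode=0o600):
    """Ensure pubkey is present exactly once in home/.ssh/authorized_keys.

    Creates the directory and file with restrictive modes if they are missing
    (sshd's StrictModes would otherwise reject the file), never appends a
    duplicate, and always leaves exactly one newline after each key.
    Returns True if the file was changed, False if it was already correct."""
    wanted = key_identity(pubkey)
    if wanted is None:
        raise ValueError("not an OpenSSH public key line: %r" % pubkey)
    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=ssh_dir_mode, exist_ok=True)
    os.chmod(ssh_dir, ssh_dir_mode)
    path = ssh_dir / "authorized_keys"
    # O_CREAT without O_TRUNC: a concurrent reader never sees an empty file.
    fd = os.open(path, os.O_RDWR | os.O_CREAT, file_mode)
    with os.fdopen(fd, "r+", encoding="utf-8") as fh:
        # Advisory lock so two managers writing the same file do not clobber
        # each other's key (the failure the 'multiple keys' entry describes).
        fcntl.flock(fh.fileno(), fcntl.LOCK_EX)
        os.fchmod(fh.fileno(), file_mode)
        # Dropping blank lines normalises files damaged by earlier runs that
        # appended a stray newline each time.
        lines = [l for l in fh.read().splitlines() if l.strip()]
        if any(key_identity(l) == wanted for l in lines):
            return False
        lines.append(pubkey.strip())
        fh.seek(0)
        fh.truncate()
        fh.write("\n".join(lines) + "\n")
        return True


if __name__ == "__main__":
    import tempfile

    demo_home = tempfile.mkdtemp()  # constructed throw-away home directory
    demo_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyMaterialOnly kdump@demo"
    print(add_authorized_key(demo_home, demo_key))  # first run: changed
    print(add_authorized_key(demo_home, demo_key))  # second run: unchanged
```

Ownership of the .ssh directory and file still has to match kdump_ssh_user; the example deliberately leaves that to the caller, because the manager typically runs as root and the correct uid comes from the inventory, not from the file.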


Enabling kdump for system role requires using the failure_action configuration parameter on RHEL 9 and later versions

Previously, using the default option during kdump configuration was not successful and printed the following warning in logs:

kdump: warning: option 'default' was renamed 'failure_action' and will be removed in the future.
please update /etc/kdump.conf to use option 'failure_action' instead.

Consequently, the role did not enable kdump successfully if the default option was used. This update fixes the problem, and you can configure kernel dump parameters on multiple systems by using the failure_action parameter. As a result, enabling kdump works successfully in the described scenario.
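
Existing /etc/kdump.conf files written with the old option keep producing the warning above until they are rewritten. The following is an added example, not the kdump role's own code, of a migration that renames default to failure_action, leaves comments and every other directive untouched, and reports rather than silently rewrites a value it does not recognise. The accepted action names are the ones documented in kdump.conf(5): reboot, halt, poweroff, shell and dump_to_rootfs.

```python
"""Rewrite the deprecated 'default <action>' directive as 'failure_action'.

Added example for the kdump failure_action note above; not Red Hat code.
"""
import re

FAILURE_ACTIONS = {"reboot", "halt", "poweroff", "shell", "dump_to_rootfs"}

# '<directive> <value>' with optional indentation and trailing text; anchored so
# that commented-out lines ('# default shell') do not match.
DIRECTIVE_RE = re.compile(r"^(\s*)(default|failure_action)(\s+)(\S+)(.*)$")


def migrate_kdump_conf(text):
    """Return (new_text, changed, problems).

    Every 'default <action>' line becomes 'failure_action <action>'. A line
    whose action is not a documented value, or a file carrying more than one
    default/failure_action directive, is listed in problems so the operator
    looks at it instead of trusting the rewrite blindly."""
    out, problems = [], []
    changed, seen = False, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if m is None:
            out.append(line)  # comment, blank line or unrelated directive
            continue
        indent, directive, sep, action, rest = m.groups()
        seen += 1
        if action not in FAILURE_ACTIONS:
            problems.append("line %d: unknown action %r" % (lineno, action))
        if directive == "default":
            line = "%sfailure_action%s%s%s" % (indent, sep, action, rest)
            changed = True
        out.append(line)
    if seen > 1:
        problems.append("%d default/failure_action directives present" % seen)
    new_text = "\n".join(out) + ("\n" if text.endswith("\n") else "")
    return new_text, changed, problems


if __name__ == "__main__":
    # Constructed sample; a real file is read from /etc/kdump.conf.
    sample = "path /var/crash\ndefault shell\n# default reboot\n"
    new, changed, problems = migrate_kdump_conf(sample)
    print(new, changed, problems)
```

Running the function a second time over its own output returns changed=False, which is the property the role needs in order to report correctly under Ansible's check mode.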


The previous: replaced parameter of the firewall System Role now overrides the previous configuration without deleting it

Previously, if you added the previous: replaced parameter to the variable list, the firewall System Role removed all existing user-defined settings and reset firewalld to the default settings. This fix uses the fallback configuration in firewalld, introduced in the EL7 release, to retain the previous configuration. As a result, when you use the previous: replaced parameter in the variable list, the firewalld.conf configuration file is not deleted on reset; the file and the comments in it are retained.


The firewall RHEL System Role correctly reports changes when using previous: replaced in check mode

Previously, the firewall role did not check whether any files would be changed when using the previous: replaced parameter in check mode. As a consequence, the role failed with an error about undefined variables. This fix adds check variables for check mode that assess whether any files would be changed by the previous: replaced parameter. The check for the firewalld.conf file queries the RPM database to determine whether the file has been changed from the version shipped in the package. As a result, the firewall role now correctly reports changes when using the previous: replaced parameter.


The firewall RHEL System Role correctly reports changes when assigning zones to Network Manager interfaces

Previously, the NetworkManager interface assignment reported changes when none had been made. With this fix, the try_set_zone_of_interface module in the library/ directory returns a second value that denotes whether the interface's zone was changed. As a result, the module correctly reports changes when assigning zones to interfaces handled by NetworkManager.


The rhc system role no longer fails on the registered systems when rhc_auth contains activation keys

Previously, a failure occurred when you executed playbook files on the registered systems with the activation key specified in the rhc_auth parameter. This issue has been resolved. It is now possible to execute playbook files on the already registered systems, even when activation keys are provided in the rhc_auth parameter.


8.15. Virtualization

The NVIDIA graphics device continues working after VM shutdown

Previously, in the RHEL kernel, device power transition delays were more closely aligned to those required by the PCIe specification. As a consequence, some NVIDIA GPUs could become unresponsive when used for device assignment after a shutdown of the attached VM. This update extends the device power transition delay for NVIDIA audio device functions. As a result, NVIDIA GPUs continue to work correctly in this scenario.


Failover virtio NICs are now correctly assigned an IP address on Windows virtual machines

Previously, when starting a Windows virtual machine (VM) with only a failover virtio NIC, the VM failed to assign an IP address to the NIC. Consequently, the NIC was unable to set up a network connection. This problem has been fixed and VM NICs now set up network connections as expected in the described scenario.


The installer shows the expected system disk to install RHEL on VM

Previously, when installing RHEL on a VM that uses virtio-scsi devices, these devices might not appear in the installer because of a device-mapper-multipath bug. During installation, if some devices had a serial number set and some did not, the multipath command claimed all the devices that had a serial number. As a result, the installer was unable to find the expected system disk on which to install RHEL in the VM.

With this update, multipath correctly treats devices with no serial number as having no World Wide Identifier (WWID) and ignores them. During installation, multipath claims only the devices that multipathd uses to bind a multipath device, and the installer shows the expected system disk on which to install RHEL in the VM.


Broadcom network adapters now work correctly on Windows VMs after a live migration

Previously, network adapters from the Broadcom family of devices, such as Broadcom, Qlogic, or Marvell, could not be hot-unplugged during live migration of Windows virtual machines (VMs). As a consequence, the adapters worked incorrectly after the migration was complete. This problem affected only adapters that were attached to Windows VMs using Single-root I/O virtualization (SR-IOV). With this update, the underlying code has been fixed and the problem no longer occurs.

Jira:RHEL-910, Bugzilla:2091528, Bugzilla:2111319

nodedev-dumpxml lists attributes correctly for certain mediated devices

Prior to this update, the nodedev-dumpxml utility did not list attributes correctly for mediated devices that were created using the nodedev-create command. This has been fixed, and nodedev-dumpxml now displays the attributes of the affected mediated devices properly.


virtiofs devices could not be attached after restarting virtqemud or libvirtd

Previously, restarting the virtqemud or libvirtd services prevented virtiofs storage devices from being attached to virtual machines (VMs) on your host. This bug has been fixed, and you can now attach virtiofs devices in the described scenario as expected.


Hot plugging a Watchdog card to a virtual machine no longer fails

Previously, if no PCI slots were available, adding a Watchdog card to a running virtual machine (VM) failed with the following error:

Failed to configure watchdog
ERROR Error attempting device hotplug: internal error: No more available PCI slots

With this update, the problem has been fixed and adding a Watchdog card to a running VM now works as expected.


blob resources do not work correctly for virtio-gpu on IBM Z

The virtio-gpu device is currently not compatible with blob memory resources on IBM Z systems. As a consequence, if you configure a virtual machine (VM) with virtio-gpu on an IBM Z host to use blob resources, the VM does not have any graphical output.