Chapter 32. Security
Configurations that depend on chrooting in user-non-searchable paths now work properly
In Red Hat Enterprise Linux 7.3, the chroot process in the OpenSSH tool had been changed to help harden the SELinux system policy, and the root UID was dropped before performing chroot. Consequently, existing configurations that depend on chrooting in user-non-searchable paths stopped working. With this update of the openssh packages, the change has been reverted. Additionally, the problem has been fixed in the SELinux system policy by allowing confined users to use OpenSSH chroot if the administrator enables the selinuxuser_use_ssh_chroot boolean. The described configurations now work in the same way as in Red Hat Enterprise Linux 7.2. (BZ#1418062)
firewalld now supports all ICMP types
Previously, the Internet Control Message Protocol (ICMP) type list was not complete. As a consequence, some ICMP types, such as packet-too-big, could not be blocked or allowed. With this update, support for additional ICMP types has been added, and the firewalld service daemon can now handle all ICMP types. (BZ#1401978)
docker.pp replaced with container.pp in selinux-policy
Prior to this update, the container.te file in the container-selinux package contained Docker interfaces, which point to the equivalent container interfaces, and also the docker.if file. Consequently, when compiling the container.te file, the compiler warned about duplicate interfaces. With this update, the docker.pp file in the selinux-policy package has been replaced with the container.pp file, and the warning no longer occurs in the described scenario. (BZ#1386916)
Recently-added kernel classes and permissions defined in selinux-policy
Previously, several new classes and permissions had been added to the kernel. As a consequence, these classes and permissions, which were not defined in the system policy, caused SELinux denials or warnings. With this update, all recently-added kernel classes and permissions have been defined in the selinux-policy package, and the denials and warnings no longer occur. (BZ#1368057)
nss now properly handles PKCS#12 files
Previously, when using the pk12util tool to list certificates in a PKCS#12 file with strong ciphers using the PKCS#5 v2.0 format, there was no output. Additionally, when using pk12util to list certificates in a PKCS#12 file with a SHA-2 Message Authentication Code (MAC), a MAC error was reported, but no certificates were printed. With this update, importing and exporting PKCS#12 files has been changed to be compatible with the OpenSSL handling, and PKCS#12 files are now processed properly in the described scenarios. (BZ#1220573)
OpenSCAP now produces only useful messages and warnings
Previously, the default scan output settings had been changed, and debug messages were also printed to standard output. As a consequence, the OpenSCAP output was full of errors and warnings. The output was hard to read, and the SCAP Workbench was also unable to handle those messages. With this update, the change of the default output setting has been reverted, and OpenSCAP now produces useful output. (BZ#1447341)
AIDE now logs in the syslog format
With this update, the AIDE detection system with the syslog_format option logs in the rsyslog-compatible format. Multiline logs caused parsing problems on the remote rsyslog server. With the new syslog_format option, AIDE is now able to log with every change logged as a single line. (BZ#1377215)
Installations with the OpenSCAP security-hardening profile now proceed
Prior to this update, typos in the scap-security-guide package caused the Anaconda installation program to exit and restart the machine. Consequently, it was not possible to select any of the security-hardened profiles, such as Criminal Justice Information Services (CJIS), during the Red Hat Enterprise Linux 7.4 installation process. The typos have been fixed, and installations with the OpenSCAP security-hardening profile now proceed. (BZ#1450731)
OpenSCAP and SSG are now able to scan RHV-H systems correctly
Previously, using the OpenSCAP and SCAP Security Guide (SSG) tools to scan a Red Hat Enterprise Linux system working as a Red Hat Virtualization Host (RHV-H) returned Not Applicable results. With this update, OpenSCAP and SSG correctly identify RHV-H as Red Hat Enterprise Linux, which enables OpenSCAP and SSG to scan RHV-H systems properly. (BZ#1420038)
OpenSCAP now also handles uncompressed XML files in a CVE OVAL feed
Previously, the OpenSCAP tool was able to handle only compressed CVE OVAL files from a feed. As a consequence, the CVE OVAL feed provided by Red Hat could not be used as a base for vulnerability scanning. With this update, OpenSCAP supports not only ZIP and BZIP2 files but also uncompressed XML files in a CVE OVAL feed, and CVE OVAL-based scanning works properly without additional steps. (BZ#1440192)
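The script below is an added example, not code from the release notes or from the OpenSCAP project. It classifies a downloaded CVE OVAL feed file as plain XML, BZIP2 or ZIP from its leading bytes, so a scanning job knows which of the three forms it is about to hand to oscap; for an OpenSCAP release from before this fix, which accepted only compressed feeds, it bzip2-compresses a plain XML feed first. The feed path, the "compressed-only" mode switch, and the result file names are assumptions of the example, and oscap and bzip2 may be absent on the machine running it.

```shell
#!/bin/sh
# Added example (not OpenSCAP's own code). Prepares a CVE OVAL feed file
# in a form the installed oscap can read, then runs an OVAL evaluation.

# feed_kind FILE: print xml, bzip2, zip or unknown based on the first
# four bytes (hex via od so binary input is safe in a shell).
feed_kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case $magic in
        504b0304) echo zip ;;     # "PK\003\004" local file header
        425a68*)  echo bzip2 ;;   # "BZh" followed by the block size digit
        3c*)      echo xml ;;     # starts with "<"
        *)        echo unknown ;;
    esac
}

# prepare_feed FILE MODE: print the path to pass to oscap.
# MODE is "any" (this update and later: all three forms are accepted) or
# "compressed-only" (older releases: plain XML is bzip2-compressed first).
prepare_feed() {
    feed=$1
    mode=$2
    kind=$(feed_kind "$feed")
    case "$kind:$mode" in
        xml:compressed-only)
            bzip2 -kf "$feed" && echo "$feed.bz2" ;;
        xml:*|bzip2:*|zip:*)
            echo "$feed" ;;
        *)
            echo "unrecognised OVAL feed: $feed" >&2
            return 1 ;;
    esac
}

# scan_with_feed FILE [MODE]: evaluate the OVAL definitions in FILE and
# write results and an HTML report next to the current directory.
scan_with_feed() {
    feed=$(prepare_feed "$1" "${2:-any}") || return 1
    if ! command -v oscap >/dev/null 2>&1; then
        echo "oscap is not installed; would evaluate: $feed" >&2
        return 2
    fi
    oscap oval eval --results oval-results.xml --report oval-report.html "$feed"
}

# Usage: sh oval_scan.sh com.redhat.rhsa-all.xml [compressed-only]
if [ -n "$1" ]; then
    scan_with_feed "$1" "$2"
fi
```

Because feed_kind inspects content rather than the file extension, a feed that was renamed or served with a misleading suffix is still dispatched correctly, and an unrecognised file is refused before oscap ever sees it.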