Chapter 55. Compiler and Tools
Performance of regular expressions cannot be boosted with the JIT technique if executable stack is disabled
When the SELinux policy disallows executable stack, the PCRE library cannot use JIT compilation to speed up regular expressions. As a result, attempting JIT compilation for regular expressions is ignored and their performance is not boosted.
To work around this problem, amend the SELinux policy with a rule for enabling the execmem action on affected SELinux domains to enable JIT compilation. Some of the rules are already provided and can be enabled by specific SELinux booleans. To list these booleans, see the output of the following command:
getsebool -a | grep execmem
An alternative workaround is changing application code to not request JIT compilation with calls to the pcre_study() function. (BZ#1290432)
Memory leaks occur when certain applications fail to exit after unloading the Gluster libraries
Gluster consists of many internal components and different translators that implement functions and features. The gfapi access method was added to integrate Gluster tightly with applications. However, not all components and translators are designed to be unloaded in running applications. As a consequence, programs that do not exit after unloading the Gluster libraries are unable to release some of the memory allocations that are performed internally by Gluster.
To reduce the amount of memory leaks, prevent applications from calling the glfs_init() and glfs_fini() functions whenever possible. To release the leaked memory, you must restart long-running applications. (BZ#1409773)
URL to DISA SRGs is incorrect
The SCAP Security Guide (SSG) rules refer to Defense Information Systems Agency Security Requirement Guides (DISA SRGs). Connecting to the URL fails with a 404 - not found error. As a consequence, users have no direct reference to SRGs. (BZ#1464899)
The ensure_gpgcheck_repo_metadata rule fails
During remediation of the ensure_gpgcheck_repo_metadata rule, certain profiles update the yum.conf file to enable the repo_gpgcheck option. Red Hat does not currently provide signed repository metadata. As a consequence, the yum utility is no longer able to install any package from official repositories. To work around the problem, use a tailoring file to remove ensure_gpgcheck_repo_metadata from the profile. If remediation has already broken the system, update yum.conf and set repo_gpgcheck to 0. (BZ#1465677)
The SSG pam_faillock module utilization check incorrectly accepts default=die
The SCAP Security Guide (SSG) pam_faillock module utilization check incorrectly accepts the default=die option. Consequently, when a user authentication using the pam_unix module fails, the PAM stack evaluation stops immediately without incrementing the counter of pam_faillock. To work around this problem, do not use default=die before the authfail option. This ensures that the pam_faillock counter is incremented properly. (BZ#1448952)
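Because the SSG check accepts this configuration, a separate check of the auth stack is useful. The following Python sketch is an added example, not code from Red Hat or the SCAP Security Guide. It assumes the /etc/pam.d file format and reads "before the authfail option" as a default=die control on any auth line that precedes the pam_faillock authfail line; the sample stacks and function names are constructed for illustration.

```python
import re

# Constructed sample auth stacks (not taken from the release notes).
BAD_STACK = """\
auth  required       pam_faillock.so preauth silent deny=3
auth  [success=1 default=die] pam_unix.so try_first_pass
auth  [default=die]  pam_faillock.so authfail deny=3
auth  sufficient     pam_faillock.so authsucc deny=3
"""
GOOD_STACK = """\
# pam_unix failure falls through to the authfail line
auth  required       pam_faillock.so preauth silent deny=3
auth  sufficient     pam_unix.so try_first_pass
auth  [default=die]  pam_faillock.so authfail deny=3
"""

# type, control (keyword or [value=action ...]), module path, arguments
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth_stack(text):
    """Yield (lineno, control, module, args) for each auth entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = LINE_RE.match(line)
        if m and m.group(1).lstrip("-") == "auth":
            yield lineno, m.group(2), m.group(3), m.group(4).split()

def die_before_authfail(text):
    """Return (lineno, module) for default=die lines ahead of authfail."""
    findings, pending = [], []
    for lineno, control, module, args in parse_auth_stack(text):
        name = module.rsplit("/", 1)[-1]
        if name == "pam_faillock.so" and "authfail" in args:
            # Every default=die seen so far can end the stack before
            # this line runs, so the failure counter is never updated.
            findings.extend(pending)
            pending = []
        elif control.startswith("[") and "default=die" in control[1:-1].split():
            pending.append((lineno, name))
    return findings

if __name__ == "__main__":
    for label, stack in (("bad", BAD_STACK), ("good", GOOD_STACK)):
        print(label, die_before_authfail(stack))
```
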